CISA Adds Four Critical Vulnerabilities to KEV Catalog

Overview

On February 3, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation in the wild.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the specified due dates.

New KEV Entries

CVE-2026-21509 - Microsoft Office Security Feature Bypass

Attribute	Value
CVE ID	CVE-2026-21509
Vendor	Microsoft
Product	Microsoft Office
Vulnerability Type	Security Feature Bypass
CVSS Score	8.8 (High)
Due Date	February 24, 2026

Description: A security feature bypass vulnerability in Microsoft Office allows attackers to circumvent Protected View and execute malicious macros without user consent.

Exploitation: Attackers are using specially crafted Office documents distributed via phishing campaigns.

Mitigation:

# Apply February 2026 Patch Tuesday updates
# Or disable macros via Group Policy
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Word\Security" -Name "VBAWarnings" -Value 4

CVE-2026-23760 - SmarterTools SmarterMail Authentication Bypass

Attribute	Value
CVE ID	CVE-2026-23760
Vendor	SmarterTools
Product	SmarterMail
Vulnerability Type	Authentication Bypass
CVSS Score	9.8 (Critical)
Due Date	February 17, 2026

Description: An authentication bypass vulnerability in SmarterMail allows unauthenticated attackers to access administrative functions and user mailboxes.

Exploitation: Threat actors are exploiting exposed SmarterMail instances to harvest credentials and intercept communications.

Mitigation:

Update to SmarterMail 100.0.8970 or later
Implement IP whitelisting for admin interfaces
Enable MFA for all accounts

CVE-2019-19006 - Sangoma FreePBX Improper Authentication

Attribute	Value
CVE ID	CVE-2019-19006
Vendor	Sangoma
Product	FreePBX
Vulnerability Type	Improper Authentication
CVSS Score	9.8 (Critical)
Due Date	February 24, 2026

Description: An authentication flaw in Sangoma FreePBX allows remote attackers to bypass authentication mechanisms and gain administrative access.

Note: This is an older vulnerability that has resurfaced with new exploitation activity.

Mitigation:

# Update FreePBX to latest version
fwconsole ma upgrade framework
fwconsole ma upgrade core
fwconsole reload

CVE-2021-39935 - GitLab SSRF Vulnerability

Attribute	Value
CVE ID	CVE-2021-39935
Vendor	GitLab
Product	GitLab CE/EE
Vulnerability Type	Server-Side Request Forgery (SSRF)
CVSS Score	7.5 (High)
Due Date	February 24, 2026

Description: A Server-Side Request Forgery vulnerability in GitLab Community and Enterprise editions allows attackers to make requests to internal services.

Exploitation: Attackers are using this flaw to access internal metadata services and steal cloud credentials.

Mitigation:

# Update GitLab
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

Compliance Timeline

CVE	Severity	FCEB Due Date	Days Remaining
CVE-2026-23760	Critical	Feb 17, 2026	13 days
CVE-2026-21509	High	Feb 24, 2026	20 days
CVE-2019-19006	Critical	Feb 24, 2026	20 days
CVE-2021-39935	High	Feb 24, 2026	20 days

Recommended Actions

For All Organizations

Inventory affected systems - Identify all instances of affected products
Prioritize patching - Address critical vulnerabilities first
Monitor for exploitation - Review logs for indicators of compromise
Implement compensating controls - If patching is delayed

Detection Queries

// Microsoft Defender - Office Macro Bypass Detection
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
 
// SmarterMail Authentication Anomalies
SecurityEvent
| where EventID == 4625
| where TargetUserName contains "smartermail"
| summarize FailedAttempts=count() by SourceIP=IpAddress, bin(TimeGenerated, 1h)
| where FailedAttempts > 10

Historical Context

CISA's KEV catalog has grown significantly:

2025 Total: 186 vulnerabilities added
2026 YTD: 23 vulnerabilities added
Average time to exploitation: 28% within 1 day of disclosure

References

Overview

Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the specified due dates.

New KEV Entries

CVE-2026-21509 - Microsoft Office Security Feature Bypass

Attribute	Value
CVE ID	CVE-2026-21509
Vendor	Microsoft
Product	Microsoft Office
Vulnerability Type	Security Feature Bypass
CVSS Score	8.8 (High)
Due Date	February 24, 2026

Description: A security feature bypass vulnerability in Microsoft Office allows attackers to circumvent Protected View and execute malicious macros without user consent.

Exploitation: Attackers are using specially crafted Office documents distributed via phishing campaigns.

Mitigation:

# Apply February 2026 Patch Tuesday updates
# Or disable macros via Group Policy
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Word\Security" -Name "VBAWarnings" -Value 4

CVE-2026-23760 - SmarterTools SmarterMail Authentication Bypass

Attribute	Value
CVE ID	CVE-2026-23760
Vendor	SmarterTools
Product	SmarterMail
Vulnerability Type	Authentication Bypass
CVSS Score	9.8 (Critical)
Due Date	February 17, 2026

Description: An authentication bypass vulnerability in SmarterMail allows unauthenticated attackers to access administrative functions and user mailboxes.

Exploitation: Threat actors are exploiting exposed SmarterMail instances to harvest credentials and intercept communications.

Mitigation:

Update to SmarterMail 100.0.8970 or later
Implement IP whitelisting for admin interfaces
Enable MFA for all accounts

CVE-2019-19006 - Sangoma FreePBX Improper Authentication

Attribute	Value
CVE ID	CVE-2019-19006
Vendor	Sangoma
Product	FreePBX
Vulnerability Type	Improper Authentication
CVSS Score	9.8 (Critical)
Due Date	February 24, 2026

Description: An authentication flaw in Sangoma FreePBX allows remote attackers to bypass authentication mechanisms and gain administrative access.

Note: This is an older vulnerability that has resurfaced with new exploitation activity.

Mitigation:

# Update FreePBX to latest version
fwconsole ma upgrade framework
fwconsole ma upgrade core
fwconsole reload

CVE-2021-39935 - GitLab SSRF Vulnerability

Attribute	Value
CVE ID	CVE-2021-39935
Vendor	GitLab
Product	GitLab CE/EE
Vulnerability Type	Server-Side Request Forgery (SSRF)
CVSS Score	7.5 (High)
Due Date	February 24, 2026

Description: A Server-Side Request Forgery vulnerability in GitLab Community and Enterprise editions allows attackers to make requests to internal services.

Exploitation: Attackers are using this flaw to access internal metadata services and steal cloud credentials.

Mitigation:

# Update GitLab
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

Compliance Timeline

CVE	Severity	FCEB Due Date	Days Remaining
CVE-2026-23760	Critical	Feb 17, 2026	13 days
CVE-2026-21509	High	Feb 24, 2026	20 days
CVE-2019-19006	Critical	Feb 24, 2026	20 days
CVE-2021-39935	High	Feb 24, 2026	20 days

Recommended Actions

For All Organizations

Inventory affected systems - Identify all instances of affected products
Prioritize patching - Address critical vulnerabilities first
Monitor for exploitation - Review logs for indicators of compromise
Implement compensating controls - If patching is delayed

Detection Queries

// Microsoft Defender - Office Macro Bypass Detection
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
 
// SmarterMail Authentication Anomalies
SecurityEvent
| where EventID == 4625
| where TargetUserName contains "smartermail"
| summarize FailedAttempts=count() by SourceIP=IpAddress, bin(TimeGenerated, 1h)
| where FailedAttempts > 10

Historical Context

CISA's KEV catalog has grown significantly:

2025 Total: 186 vulnerabilities added
2026 YTD: 23 vulnerabilities added
Average time to exploitation: 28% within 1 day of disclosure

CISA Adds Four Critical Vulnerabilities to KEV Catalog

Affected Products

Overview

New KEV Entries

CVE-2026-21509 - Microsoft Office Security Feature Bypass

CVE-2026-23760 - SmarterTools SmarterMail Authentication Bypass

CVE-2019-19006 - Sangoma FreePBX Improper Authentication

CVE-2021-39935 - GitLab SSRF Vulnerability

Compliance Timeline

Recommended Actions

For All Organizations

Detection Queries

Historical Context

References

CISA Adds Two Actively Exploited Roundcube Webmail Flaws to

CVE-2025-68613: n8n Remote Code Execution via Improper

CISA Issues Emergency Directive as Cisco SD-WAN Zero-Day

CISA Adds Four Critical Vulnerabilities to KEV Catalog

Affected Products

Overview

New KEV Entries

CVE-2026-21509 - Microsoft Office Security Feature Bypass

CVE-2026-23760 - SmarterTools SmarterMail Authentication Bypass

CVE-2019-19006 - Sangoma FreePBX Improper Authentication

CVE-2021-39935 - GitLab SSRF Vulnerability

Compliance Timeline

Recommended Actions

For All Organizations

Detection Queries

Historical Context

References

CISA Adds Two Actively Exploited Roundcube Webmail Flaws to

CVE-2025-68613: n8n Remote Code Execution via Improper

CISA Issues Emergency Directive as Cisco SD-WAN Zero-Day

Affected Products

Overview

New KEV Entries

CVE-2026-21509 - Microsoft Office Security Feature Bypass

CVE-2026-23760 - SmarterTools SmarterMail Authentication Bypass

CVE-2019-19006 - Sangoma FreePBX Improper Authentication

CVE-2021-39935 - GitLab SSRF Vulnerability

Compliance Timeline

Recommended Actions

For All Organizations

Detection Queries

Historical Context

References

Related Articles

Affected Products

Overview

New KEV Entries

CVE-2026-21509 - Microsoft Office Security Feature Bypass

CVE-2026-23760 - SmarterTools SmarterMail Authentication Bypass

CVE-2019-19006 - Sangoma FreePBX Improper Authentication

CVE-2021-39935 - GitLab SSRF Vulnerability

Compliance Timeline

Recommended Actions

For All Organizations

Detection Queries

Historical Context

References

Related Articles