CISA adds three exploited vulnerabilities to its catalog

CISA adds three actively exploited vulnerabilities to its KEV catalog: Fortinet FortiSandbox and Microsoft SharePoint. Update your systems now.

17 jul 2026 • 5 min read • Q2BSTUDIO Team

Active vulnerabilities: Fortinet and Microsoft

In a digital world where threats evolve at the speed of innovation, the recent addition of three vulnerabilities to CISA's catalog of known exploited vulnerabilities (KEVs) represents a stark reminder of the fragility of enterprise systems. The new inclusions—two command injection flaws in Fortinet FortiSandbox and a deserialization issue in Microsoft SharePoint—aren't simple code errors; They are open doors that attackers actively exploit to take full control of exposed assets. This CISA move, framed in Binding Operational Directive (BOD) 26-04, calls for urgent prioritization of remediation from U.S. federal agencies, but its message transcends the governmental realm: Any organization that neglects risk-based vulnerability management is playing with fire.

BOD 26-04 is not a recommendation, it is a roadmap for survival in an ecosystem where zero-day exploitation and ransomware campaigns are fueled by delayed patches. The directive states that vulnerabilities included in the KEV should receive immediate attention, especially those that, like those now added, grant full control of the system after exploitation. But beyond regulatory compliance, the real value of this approach lies in an organization's ability to anticipate: verifying whether the system has already been compromised before applying the patch, as required by the directive, is a practice that should be standard in any modern cybersecurity strategy.

Let's look at the vulnerabilities themselves. Fortinet's two involve FortiSandbox, a solution designed precisely to detect malware through analysis in an isolated environment. It is paradoxical that a security-focused product can become the attack vector. Operating system command injection allows an attacker to execute arbitrary code, which can lead to data theft, backdoor installation, or lateral movement within the network. Meanwhile, the deserialization vulnerability in Microsoft SharePoint—a massively used platform for enterprise collaboration—allows a malicious actor to execute remote code without prior authentication in many cases. This means that a simple phishing email or malicious document can compromise the entire collaboration infrastructure.

The question every company should ask itself is not whether these vulnerabilities affect it, but whether it has the processes and tools to respond quickly and effectively. Risk-based vulnerability management is not a weekend project; It requires an ecosystem of continuous monitoring, periodic assessments, and a team trained to interpret threat intelligence. This is where the role of specialized companies like Q2BSTUDIO comes in, offering cybersecurity and pentesting services to help organizations identify and close those gaps before attackers find them. Experience shows that most intrusions could be prevented with proper patch prioritization and regular penetration testing.

But cybersecurity is not an isolated department; It should be integrated into the software development lifecycle. When a company develops custom applications or deploys custom software, security should be a requirement from the first line of code, not a layer added at the end. Q2BSTUDIO knows it well: its engineering teams work with DevSecOps methodologies, incorporating vulnerability analysis at every stage of development. In addition, by offering AWS and Azure cloud services, they ensure that cloud configurations are natively secure, avoiding exposures such as misconfigured buckets or identities with excessive permissions.

Artificial intelligence is revolutionizing the way we detect and respond to threats. AI agents can monitor millions of events in real-time, identify anomalous patterns, and correlate indicators of compromise with speed that no human could reach. In Q2BSTUDIO, they offer enterprise AI that powers security operations centers (SOCs), reducing mean detection and response time. Even in the realm of visibility, business intelligence solutions like Power BI allow you to create executive dashboards with security metrics, showing the status of patches, ongoing incidents, and the overall risk level of the organization. This combination of technology and processes is key to meeting directives like BOD 26-04 without overwhelming the IT team.

The specific case of the three vulnerabilities added to the KEV catalog forces us to reflect on the software supply chain. Both Fortinet and Microsoft are ubiquitous vendors, but neither product is foolproof. The lesson here is that security should be an ongoing process of evaluation and improvement, not an end state. Organizations that take a proactive approach—such as hiring cybersecurity and pentesting services—are able to not only comply with regulations, but also build resilience that protects them against the next vulnerability that will inevitably appear.

For companies that have not yet implemented a risk-based vulnerability management program, the time is now. BOD 26-04 is clear: prioritizing KEV vulnerabilities dramatically reduces the attack surface. But beyond compliance, there is an opportunity to transform security into a business enabler. When systems are secure, innovation flows fearlessly. Digitization projects, implementation of AWS and Azure cloud services, or the development of custom applications advance faster when security is integrated from the beginning.

From a practical standpoint, I recommend security managers start with a thorough inventory of all publicly exposed assets, especially those running FortiSandbox or SharePoint. Then, apply the patches provided by the manufacturers immediately, but without forgetting the post-patch verification phase: was there any suspicious activity before the update? Logging and correlation tools, powered by artificial intelligence and AI agents, can help answer that question in minutes. If in-house capacity is limited, turning to a technology partner like Q2BSTUDIO can make the difference between an agile response and a prolonged crisis.

On a strategic level, this news reinforces the need for vulnerability governance that transcends IT teams. The board of directors and general management must understand that cybersecurity is not an expense, but an investment in business continuity. The metrics provided by Business Intelligence Services with Power BI can communicate risk in financial terms, facilitating informed decisions about budgets and priorities.

Finally, we cannot ignore the human factor. The best technology in the world fails if employees are not trained to identify a phishing attempt or to report anomalous behavior. Ongoing training and attack simulations are essential additions to any cybersecurity program. And when developing custom software for an organization, it is essential to include awareness modules within the application itself, creating a culture of security from the user interface.

In short, the addition of these three vulnerabilities to CISA's KEV catalog is not simple security news; It's a call to action. Companies that want to protect their future must adopt risk-based vulnerability management, rely on experts like Q2BSTUDIO to close technical and strategic gaps, and leverage the capabilities of artificial intelligence and business intelligence to stay ahead of threats. The speed of the patch matters, but it's the advance preparation that really defines the difference between being a victim or a digital survivor.

A BREAK?

Play for a moment before you go

OUR SERVICES

How we can help you

Do you have a project in mind?

Tell us your vision and we'll turn it into a software solution. Whatever the scope, we make your idea real.