CISA’s Known Exploited Vulnerabilities (KEV) catalog grew by seven entries today, a mix of decades-old Windows and Adobe bugs alongside two brand-new Microsoft Defender flaws. The update, released May 20, 2026, serves as a stark reminder that attackers still target forgotten vulnerabilities just as aggressively as they chase zero-days.
Federal agencies and critical infrastructure defenders now have three weeks to patch these newly cataloged vulnerabilities under Binding Operational Directive 22-01. For the rest of the enterprise world, the list is a prioritized punch list of what is actively being exploited in the wild.
The Seven Vulnerabilities Added to KEV
CISA’s latest update spans seven CVEs, five of which date back to 2008 through 2010. The remaining two are 2026 vulnerabilities in Microsoft Defender, demonstrating the broad spectrum of risk that organizations face. The agency requires remediation by June 10, 2026.
The newly added vulnerabilities are:
- CVE-2008-4250 – A remote code execution flaw in Windows Server Service, originally patched in October 2008. Exploited by the Conficker worm, it continues to appear in attacks against unpatched legacy systems.
- CVE-2010-2568 – The notorious Windows Shortcut (LNK) parsing bug used by Stuxnet. Microsoft patched it in August 2010, but it remains a favorite for initial access brokers targeting air-gapped networks.
- CVE-2010-0840 – An Adobe Reader and Acrobat use-after-free vulnerability that allows code execution via crafted PDF files. Despite being over 16 years old, it is still used in phishing campaigns.
- CVE-2010-1297 – A memory corruption issue in Adobe Flash Player. Although Flash reached end-of-life in 2020, embedded instances in legacy applications keep this vector alive.
- CVE-2010-0806 – Another Flash Player vulnerability leading to code execution, often paired with social engineering to deliver ransomware.
- CVE-2026-35814 – A Microsoft Defender elevation of privilege flaw, patched in April 2026, that lets attackers disable real-time scanning after initial local access.
- CVE-2026-31972 – A Defender remote code execution vulnerability triggered by a specially crafted malicious file, patched in the May 2026 Patch Tuesday. Exploitation has been observed in targeted attacks against European government entities.
Legacy Microsoft and Adobe Flaws: Ghosts That Still Haunt
The inclusion of five vulnerabilities from the 2008–2010 era underscores a painful truth: organizations continue to run unpatched operating systems and applications. CVE-2008-4250 gained infamy through Conficker, a worm that at its peak infected millions of machines. Microsoft’s patch destroyed the worm’s propagation vector, but unpatched Windows Server 2003 and Windows XP machines still dot corporate networks, particularly in operational technology (OT) environments.
CVE-2010-2568, the LNK vulnerability exploited by Stuxnet, is equally pernicious. The bug allows an attacker to craft a shortcut file that executes arbitrary code when merely displayed in Windows Explorer. No interaction beyond viewing the folder is required. Stuxnet used it to jump air gaps, and modern threat actors deploy it via USB drops and network shares. Organizations that have not deployed the patch—available since August 2, 2010—remain vulnerable.
The three Adobe CVEs paint a similar picture. CVE-2010-0840 in Reader and Acrobat was actively exploited within days of its disclosure. Adobe issued an out-of-band fix on February 16, 2010, yet unpatched versions linger. The two Flash Player flaws, CVE-2010-1297 and CVE-2010-0806, affect software that officially died on December 31, 2020. Persistent use in legacy industrial control systems, kiosks, and virtual learning environments, however, breathes life into these ancient attack vectors. Malware campaigns routinely embed these exploits in weaponized Office documents.
The 2026 Microsoft Defender Vulnerabilities: A New Front
While legacy bugs represent poor patch management, the two Defender CVEs highlight a more immediate threat. CVE-2026-35814, an elevation of privilege flaw, allows an attacker who already has a foothold on a system to disable Defender’s real-time protection and manipulate quarantine policies. This capability is a force multiplier for ransomware operators who need to move laterally and deploy lockers unobstructed. Microsoft fixed the vulnerability in its April security updates, but CISA’s inclusion confirms active exploitation before many enterprises completed their patch cycles.
CVE-2026-31972 is even more dangerous. This remote code execution bug in Microsoft Defender’s engine triggers without any user interaction or manually launched scan: a malicious file only needs to be downloaded. A flaw in Defender’s malware analysis parser lets an attacker craft a file that, when processed by Defender’s real-time scanning, executes arbitrary code with SYSTEM privileges. Nothing is required beyond the file landing in a monitored location—such as an email attachment or a downloaded file. Microsoft shipped a fix on May 12, 2026, but CISA’s action today signals that threat actors built reliable exploits within days of Patch Tuesday.
Why Old Bugs Persist
The longevity of the 2008–2010 vulnerabilities boils down to three factors: legacy hardware, regulatory paralysis, and lack of awareness. In manufacturing, healthcare, and critical infrastructure, Windows XP and Server 2003 often run custom software that cannot be upgraded without breaking operational workflows. Patching such systems may not even be possible if the vendor no longer issues security updates.
Regulatory constraints also play a role. Medical devices, for example, require recertification after major software changes. Hospital IT teams fear that applying a patch could void FDA approval, leaving them vulnerable to both cyberattacks and legal liability. The result is a landscape where Conficker and Stuxnet-era exploits still succeed.
Awareness gaps are equally damning. Many organizations assume that a vulnerability as old as CVE-2008-4250 would never appear in modern attacks. CISA’s catalog disproves that assumption. Attackers count on complacency. Automated exploit kits scan for this low-hanging fruit, and ransomware affiliates bundle these exploits into their initial access toolkits.
CISA’s BOD 22-01 and Patching Deadlines
Binding Operational Directive 22-01, issued in November 2021, requires federal civilian executive branch agencies to remediate cataloged vulnerabilities within specific timeframes. For vulnerabilities added today, the deadline is three weeks: June 10, 2026. While the directive only legally binds U.S. federal agencies, private enterprises and other organizations treat the KEV as a de facto priority list.
The rationale is practical: if a vulnerability is being actively exploited, waiting for a regular patch cycle is too slow. Today’s additions underline that active exploitation extends from days-old Defender bugs to 18-year-old Windows artifacts. The 2026 Defender CVEs demand immediate attention because they bypass the very endpoint protection layers organizations rely on. The legacy CVEs demand a different response: an inventory blitz to identify and isolate or remove ancient machines that can no longer be patched.
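Turning the KEV feed into a dated work queue is the practical side of the directive. The PowerShell below is an added example, not CISA's or the article's code: it reads a KEV export in the field layout of CISA's known_exploited_vulnerabilities.json feed, computes days remaining to each BOD 22-01 due date, and flags entries your inventory says are actually present. The JSON is a constructed excerpt (the 2026 records mirror the article, the ransomware flags are illustrative, and CVE-EXAMPLE-0001 is a placeholder that exists only to exercise the OVERDUE branch); the function name Get-KevTriage and its parameters are this example's own.

```powershell
# Constructed KEV excerpt using the real field names of CISA's JSON feed.
# Values for the 2026 CVEs follow the article; CVE-EXAMPLE-0001 is a placeholder.
$SampleKev = @'
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    { "cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
      "dateAdded": "2026-05-20", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known" },
    { "cveID": "CVE-2010-2568", "vendorProject": "Microsoft", "product": "Windows",
      "dateAdded": "2026-05-20", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown" },
    { "cveID": "CVE-2026-31972", "vendorProject": "Microsoft", "product": "Defender",
      "dateAdded": "2026-05-20", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown" },
    { "cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
      "dateAdded": "2026-04-01", "dueDate": "2026-04-22", "knownRansomwareCampaignUse": "Unknown" }
  ]
}
'@

function Get-KevTriage {
    param(
        [Parameter(Mandatory)] [string] $KevJson,
        # Evaluation date; defaults to now so a scheduled run tracks the calendar.
        [datetime] $AsOf = (Get-Date),
        # CVE IDs that your scanner or asset inventory reports as present on at least one host.
        [string[]] $PresentInEstate = @(),
        [int] $SoonThresholdDays = 7
    )
    $catalog = $KevJson | ConvertFrom-Json
    foreach ($v in $catalog.vulnerabilities) {
        # KEV dates are ISO yyyy-MM-dd; parse culture-independently.
        $due = [datetime]::ParseExact($v.dueDate, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        $daysLeft = ($due.Date - $AsOf.Date).Days
        $status = if ($daysLeft -lt 0) { 'OVERDUE' }
                  elseif ($daysLeft -le $SoonThresholdDays) { 'DUE SOON' }
                  else { 'ON TRACK' }
        [pscustomobject]@{
            CveID      = $v.cveID
            Product    = '{0} {1}' -f $v.vendorProject, $v.product
            DueDate    = $v.dueDate
            DaysLeft   = $daysLeft
            Status     = $status
            Ransomware = $v.knownRansomwareCampaignUse
            InEstate   = [bool]($PresentInEstate -contains $v.cveID)
        }
    }
}

# Evaluate the sample as of the article's date, with two entries marked present in the estate.
# Items that are both present and closest to (or past) their deadline sort to the top.
# For the live feed, replace $SampleKev with:
#   (Invoke-WebRequest -Uri 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json').Content
Get-KevTriage -KevJson $SampleKev -AsOf '2026-05-20' -PresentInEstate 'CVE-2010-2568', 'CVE-EXAMPLE-0001' |
    Sort-Object @{ Expression = 'InEstate'; Descending = $true }, DaysLeft |
    Format-Table -AutoSize
```

The InEstate column is what makes the list actionable: the catalog alone tells you when a fix is due, but only joined against your own inventory does it tell you which deadlines you are actually on the hook for.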
Implications for Windows Users and Enterprises
For Windows administrators, this update forces a reckoning with both past and present. First, the two Defender vulnerabilities require an immediate check: verify that the April and May 2026 security updates are applied. If patching is delayed, ensure that compensating controls are in place, such as disabling Defender’s real-time scanning on critical servers (only if alternative protections exist)—though this is a risky trade-off.
Second, the legacy flaws demand scanning for unsupported operating systems. Tools like Microsoft’s Attack Surface Analyzer or third-party network scanners can identify lingering Windows XP, Server 2003, and Windows 7 boxes. For systems that cannot be patched, strict network segmentation and removal of network file-sharing protocols are mandatory. Windows versions already in Extended Security Updates (ESU) programs should have the relevant patches: MS08-067 for CVE-2008-4250 and MS10-046 for CVE-2010-2568 are over a decade old, but their absence remains a red flag.
Adobe’s presence highlights a separate sanitation task. Locate all instances of Flash Player and remove them entirely—Microsoft delivered a removal tool in KB4577586 for modern Windows versions, but legacy machines may need manual cleanup. For Adobe Reader, enterprises should enforce automatic updates and block the execution of older, unpatched versions through AppLocker or Windows Defender Application Control.
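The checks in the three preceding paragraphs can be scripted on each Windows host. What follows is an added example, not Microsoft's or the article's code, meant to be run in an elevated PowerShell session on hosts that support PowerShell 3 or later. It assumes the KB numbers Microsoft shipped for the bulletins the article names (KB958644 for MS08-067, KB2286198 for MS10-046), treats the Flash Player directories that the KB4577586 removal tool cleans up as the remnant to look for, and uses a clearly marked PLACEHOLDER for the minimum Defender engine version, because the article gives no fixed version for the 2026 CVEs. The function names Test-KevExposure and New-Finding are this example's own.

```powershell
# Operating systems the article singles out as unsupported and still common on networks.
$UnsupportedOsPatterns = @('Windows XP', 'Server 2003', 'Windows 7')

$LegacyHotfixes = @(
    # FixedInBase: first Windows version whose base image already contains the fix,
    # so the KB check is skipped at or above it (KB numbers from the Microsoft bulletins).
    @{ Cve = 'CVE-2008-4250'; Bulletin = 'MS08-067'; Kb = 'KB958644';  FixedInBase = [version]'6.1' },
    @{ Cve = 'CVE-2010-2568'; Bulletin = 'MS10-046'; Kb = 'KB2286198'; FixedInBase = [version]'6.2' }
)

# Directories left behind by Flash Player ActiveX/NPAPI installs; the KB4577586
# removal tool deletes these on supported Windows versions.
$FlashPaths = @(
    (Join-Path $env:SystemRoot 'System32\Macromed\Flash'),
    (Join-Path $env:SystemRoot 'SysWOW64\Macromed\Flash')
)

# PLACEHOLDER: set to the minimum engine version from the April/May 2026 Defender advisories.
# At 0.0.0.0 the engine check can never fire.
$MinDefenderEngine = [version]'0.0.0.0'

function New-Finding([string] $Check, [string] $Detail, [string] $Risk) {
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Check = $Check; Detail = $Detail; Risk = $Risk }
}

function Test-KevExposure {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osVersion = [version]$os.Version

    # 1. Unsupported operating system still in service?
    foreach ($pattern in $UnsupportedOsPatterns) {
        if ($os.Caption -like "*$pattern*") {
            New-Finding 'UnsupportedOS' $os.Caption 'HIGH'
        }
    }

    # 2. Legacy hotfix missing on a version that needs it? Get-HotFix reads
    #    Win32_QuickFixEngineering, which lists installed updates by KB number.
    foreach ($h in $LegacyHotfixes) {
        if ($osVersion -ge $h.FixedInBase) { continue }
        if (-not (Get-HotFix -Id $h.Kb -ErrorAction SilentlyContinue)) {
            New-Finding $h.Cve ('{0} ({1}) not installed' -f $h.Bulletin, $h.Kb) 'HIGH'
        }
    }

    # 3. Flash Player remnants the removal tool should have cleared.
    foreach ($path in $FlashPaths) {
        if (Test-Path -Path $path) { New-Finding 'FlashRemnant' $path 'MEDIUM' }
    }

    # 4. Defender state: real-time protection on and engine at or above the required version.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $mp) {
        New-Finding 'Defender' 'Get-MpComputerStatus unavailable (module absent or third-party AV)' 'INFO'
    } else {
        if (-not $mp.RealTimeProtectionEnabled) {
            New-Finding 'DefenderRTP' 'Real-time protection is disabled' 'HIGH'
        }
        if ([version]$mp.AMEngineVersion -lt $MinDefenderEngine) {
            New-Finding 'DefenderEngine' ('Engine {0} below required {1}' -f $mp.AMEngineVersion, $MinDefenderEngine) 'HIGH'
        }
    }
}

Test-KevExposure | Format-Table -AutoSize
```

The version gate on the hotfix check matters: on Windows 8 and later neither KB is listed because the fix is part of the base image, so an unconditional Get-HotFix lookup would report false positives everywhere. Windows XP and Server 2003 cannot run this script at all (no Get-CimInstance, and PowerShell 2 at best), which is itself a useful signal: any host that cannot be queried this way belongs on the segmentation list the previous paragraph describes.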
CISA’s action also hints at a shift in attacker behavior. The inclusion of Defender flaws from 2026 alongside ancient Windows bugs suggests that advanced persistent threat (APT) groups and ransomware actors blend sophisticated tools with vanilla exploits to evade detection. If a worm from 2008 can still find a beachhead, it’s a low-cost way to distribute a new Defender bypass payload.
The Broader Threat Landscape
May 2026 is proving to be an active month for vulnerability exploitation. Beyond today’s KEV additions, threat intelligence firms report a spike in attacks leveraging the newly patched Microsoft Defender RCE, particularly against defense contractors and energy companies. CISA’s rapid inclusion—just eight days after Patch Tuesday—underscores the urgency.
Meanwhile, the appearance of CVE-2010-2568 suggests a possible resurgence of air-gap jumping techniques. Stuxnet’s ghost is far from exorcised, and the LNK exploit remains a powerful tool for crossing isolated networks. Organizations with air-gapped systems must not only patch but also disable autorun and enforce strict media handling policies.
Moving Forward
The May 20, 2026 KEV update is a call to action that blends the historical with the immediate. Enterprises must confront both the decades-old skeletons in their network closets and the brand-new chinks in their defensive armor. Patch management programs that focus only on the latest CVEs are missing the zombies that refuse to stay dead. Conversely, teams that chase legacy flaws but lag on contemporary updates will get blindsided by in-the-wild Defender exploits.
CISA’s catalog is not meant to frighten but to focus. Each entry is a verified shot being fired at organizations right now. Ignoring an 18-year-old vulnerability is no different from ignoring a zero-day: both grant adversaries a foothold. The only rational response is to treat every vulnerability in the KEV as if it were published yesterday, and to apply the fix—or air-gap the asset—without delay.