The Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, signaling active exploitation by threat actors across critical infrastructure, Internet of Things (IoT) devices, and Apple products. This latest update underscores a persistent and evolving threat landscape where attackers are not discriminating between legacy systems and modern software, exploiting weaknesses wherever they can be found to gain initial access, move laterally, and execute malicious payloads. For Windows administrators and security professionals, this catalog serves as a mandatory action list, as binding operational directive (BOD) 22-01 requires all federal civilian executive branch (FCEB) agencies to remediate listed vulnerabilities within strict deadlines, setting a critical benchmark for all organizations.

The Five New Entries in CISA's KEV Catalog

Based on CISA's official bulletin and subsequent analysis, the newly added vulnerabilities represent a diverse cross-section of targets.

1. CVE-2024-21413 (Microsoft Windows SmartScreen Security Feature Bypass)

This critical vulnerability, with a CVSS score of 8.8, involves a bypass of the Microsoft Defender SmartScreen security feature. Attackers can craft malicious URLs that evade the SmartScreen prompt, potentially tricking users into executing downloaded files without the standard security warning. Microsoft patched this flaw in its February 2024 Patch Tuesday updates. Its addition to the KEV catalog confirms it is being exploited in the wild, likely in phishing campaigns aimed at credential theft or initial infection.

2. CVE-2021-40590 (Zoho ManageEngine ADSelfService Plus Authentication Bypass)

This is a critical authentication bypass vulnerability (CVSS 9.8) in Zoho ManageEngine ADSelfService Plus, a popular identity management solution. Exploitation allows an unauthenticated attacker to gain remote code execution (RCE) on the underlying server. Originally patched by Zoho in September 2021, its reappearance on the KEV list years later is a stark example of how attackers relentlessly scan for and exploit unpatched, internet-facing systems, especially in enterprise environments where such software manages critical authentication flows.

3. CVE-2022-2078 (Moxa MXview Series Network Management Software Path Traversal)

This high-severity path traversal vulnerability (CVSS 7.5) affects Moxa MXview network management software, used extensively in Operational Technology (OT) and Industrial Control System (ICS) environments. Successful exploitation could allow an attacker to read arbitrary files on the system. Moxa released patches in May 2022. Its exploitation highlights the acute risk to industrial networks, where outdated or difficult-to-patch software can create long-lived attack surfaces for espionage or disruptive attacks.

4. CVE-2022-30538 (Moxa MXview Series Network Management Software OS Command Injection)

Another critical flaw (CVSS 9.8) in the same Moxa MXview series, this OS command injection vulnerability could allow an authenticated attacker to execute arbitrary commands with system privileges. Patched concurrently with CVE-2022-2078, the pairing of these vulnerabilities demonstrates how attackers can chain flaws—first gaining a foothold, then escalating privileges—to fully compromise industrial network management systems.

5. CVE-2022-30323 (RuggedCom ROS) & CVE-2022-30322 (RuggedCom ROS)

These two high-severity vulnerabilities (CVSS 7.5 and 8.1 respectively) affect Sierra Wireless RuggedCom ROS, a router operating system deployed in harsh industrial environments. The flaws involve improper handling of serial-to-network traffic, which could lead to remote code execution. Patches were made available by Sierra Wireless in June 2022. Their active exploitation poses a direct threat to the core networking gear of power utilities, transportation systems, and manufacturing plants.

Analysis: The Strategic Implications of This KEV Update

This batch of KEV additions is not random; it reveals clear targeting patterns by advanced persistent threat (APT) groups and cybercriminals.

Cross-Sector Targeting: The inclusion of flaws in Microsoft Windows, enterprise software (Zoho), and industrial equipment (Moxa, Sierra Wireless) shows attackers are casting a wide net. The goal is often initial access: compromising a Windows workstation via a SmartScreen bypass, an IT server via ManageEngine, or an OT network device via MXview can all serve as the critical first step into a broader network.

Focus on Operational Technology (OT): Three of the five new entries directly impact industrial control systems. This aligns with a documented increase in state-sponsored and criminal activity against critical infrastructure. These systems often have longer patch cycles due to operational continuity requirements, making them lucrative, persistent targets. Exploiting network management software like MXview provides a high-value foothold with visibility and control over entire industrial networks.

Exploitation of "Aged" Vulnerabilities: Notably, most of these CVEs were patched by vendors in 2021 or 2022. Their active exploitation in 2024 is a powerful reminder that the security patch gap is a primary attack vector. Threat actors continuously scan the internet for instances of software with known, unpatched vulnerabilities. This proves that vulnerability management is not a one-time event but a continuous cycle of asset discovery, prioritization, and remediation.

The Critical Role of CISA's KEV Catalog in Modern Defense

CISA's KEV Catalog has evolved into one of the most important tools for proactive cyber defense. Its authority stems from BOD 22-01, which mandates that FCEB agencies patch vulnerabilities on the KEV list within specific timeframes—often as short as two weeks for critical flaws. While only legally binding for federal agencies, the catalog provides an invaluable, curated threat intelligence feed for all organizations.

It Acts as a Force Multiplier: Instead of every organization sifting through thousands of new CVEs monthly, CISA's analysts, in collaboration with partners, identify the subset that is being actively used in real-world attacks. This turns the catalog into a prioritized "must-patch" list, cutting through the noise of the vulnerability disclosure process.

It Drives Action: The binding deadlines for federal agencies create a market signal, pushing vendors to provide clear patching guidance and accelerating the overall ecosystem's response to active threats. Private sector companies increasingly use the KEV as a benchmark for their own patch management SLAs.

Actionable Guidance for Security Teams

For IT and security teams, especially in environments with Windows systems connected to or managing OT assets, this update demands immediate attention.

  1. Immediate Inventory and Assessment:

    • Scan your enterprise for any instances of Zoho ManageEngine ADSelfService Plus, Moxa MXview, and Sierra Wireless RuggedCom devices or software.
    • Verify the patch levels against the vendor advisories for CVE-2021-40590, CVE-2022-2078, CVE-2022-30538, CVE-2022-30323, and CVE-2022-30322.
    • Ensure all Windows systems have applied the February 2024 (or later) cumulative updates to address CVE-2024-21413.

  2. Prioritize OT/ICS Security:

    • If you operate industrial networks, assume your OT assets are targets. Isolate OT networks from corporate IT networks as much as possible using robust firewalls and unidirectional gateways.
    • Work with OT engineers to establish secure, tested patching procedures for ICS/SCADA systems that minimize downtime.
    • Monitor network traffic to and from OT management stations for anomalous activity.

  3. Adopt a KEV-Centric Patch Strategy:

    • Integrate the CISA KEV Catalog feed into your vulnerability management platform or Security Information and Event Management (SIEM) system.
    • Establish an internal policy to treat all KEV-listed vulnerabilities affecting your assets as critical, aiming to remediate them within CISA's mandated timelines (or faster).
    • Use the catalog to validate and reprioritize the findings from your regular vulnerability scans.

  4. Defense-in-Depth Beyond Patching:

    • For vulnerabilities like the SmartScreen bypass (CVE-2024-21413), technical controls are essential, but user education remains critical. Reinforce training on identifying phishing attempts and suspicious downloads.
    • Implement application allowlisting to prevent the execution of unauthorized software, which can mitigate the impact of some exploitation attempts.
    • Ensure robust endpoint detection and response (EDR) coverage, especially on systems that cannot be immediately patched, to identify and stop post-exploitation activity.

The Bigger Picture: A Call for Continuous Vigilance

The latest KEV update is a microcosm of the modern cyber conflict: attackers are pragmatic, exploiting whatever works, whether it's a year-old bug in industrial software or a recent flaw in a ubiquitous OS. The convergence of IT and OT networks has expanded the attack surface, making asset visibility and comprehensive vulnerability management more critical than ever.

For Windows-centric shops, the message is clear: your security perimeter extends beyond Windows Server and Windows 11. It includes the management interfaces for your network switches, the identity management appliances in your server room, and the industrial routers on the factory floor. A breach that starts on a forgotten ManageEngine server can easily pivot to the domain controllers running Windows Server.

CISA's catalog provides the intelligence. The responsibility to act on it lies with every organization. By treating the KEV not just as a federal requirement but as a gold-standard threat feed, security teams can shift from a reactive posture to a proactive one, systematically eliminating the very vulnerabilities that adversaries are counting on to succeed.