The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of vulnerabilities is as follows –
- CVE-2026-2441 (CVSS score: 8.8) – A use-after-free vulnerability in Google Chrome that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- CVE-2024-7694 (CVSS score: 7.2) – An arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier that could allow an attacker to upload malicious files and achieve arbitrary system command execution on the server.
- CVE-2020-7796 (CVSS score: 9.8) – A server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow an attacker to send a crafted HTTP request to a remote host and obtain unauthorized access to sensitive information.
- CVE-2008-0015 (CVSS score: 8.8) – A stack-based buffer overflow vulnerability in Microsoft Windows Video ActiveX Control that could allow an attacker to achieve remote code execution by setting up a specially crafted web page.
The addition of CVE-2026-2441 to the KEV catalog comes days after Google acknowledged that “an exploit for CVE-2026-2441 exists in the wild.” It’s currently not known how the vulnerability is being weaponized, but such information is typically withheld until a majority of the users are updated with a fix so as to prevent other threat actors from joining the exploitation bandwagon.
As for CVE-2020-7796, a report published by threat intelligence firm GreyNoise in March 2025 revealed that a cluster of about 400 IP addresses was actively exploiting multiple SSRF vulnerabilities, including CVE-2020-7796, to target susceptible instances in the U.S., Germany, Singapore, India, Lithuania, and Japan.
“When a user visits a web page containing an exploit detected as Exploit:JS/CVE-2008-0015, it may connect to a remote server and download other malware,” Microsoft notes in its threat encyclopedia. It also said it’s aware of cases where the exploit is used to download and execute Dogkild, a worm that propagates via removable drives.
The worm comes with capabilities to retrieve and run additional binaries, overwrite certain system files, terminate a long list of security-related processes, and even replace the Windows Hosts file in an attempt to prevent users from accessing websites associated with security programs.
It’s presently unclear how the TeamT5 ThreatSonar Anti-Ransomware vulnerability is being exploited. Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary fixes by March 10, 2026, for optimal protection.
Update
In a follow-up post published on February 22, 2026, TeamT5 said the vulnerability relates to an issue identified in 2024 and that all impacted customers have since migrated away from vulnerable versions of its ThreatSonar Anti-Ransomware product.
The Taiwanese security company said it has since enhanced its secure software development lifecycle and product security controls, as well as standardized internal incident response and vulnerability management processes.
(The story was updated after publication to include details from TeamT5.)
