CISA KEV Adds Four Critical CVEs Patch ConfigMgr Notepad++ SolarWinds Apple dyld Now

CISA today added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog — a move that forces federal agencies to prioritize fixes and should put every security team on high alert. The four CVEs are: CVE-2024-43468 (Microsoft Configuration Manager — unauthenticated SQL injection enabling RCE), CVE-2025-15556 (Notepad++ WinGUp updater — download-of-code-without-integrity-check), CVE-2025-40536 (SolarWinds Web Help Desk — security control bypass), and CVE-2026-20700 (Apple dyld memory corruption / multiple buffer overflow). CISA’s action is based on evidence of exploitation and places these flaws on the agency’s remediation schedule under Binding Operational Directive (BOD) 22-01. For defenders, the message is simple: inventory, patch, verify, and hunt — immediately.

Background / Overview​

CISA’s Known Exploited Vulnerabilities Catalog is a “living list” of CVEs that CISA has identified as being exploited in the wild and that therefore pose a material risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate catalog-listed vulnerabilities by the specified due date; in practice, the KEV listing also acts as a de facto high-priority alert for private sector organizations, managed service providers, and critical infrastructure operators.
Why KEV additions matter:

• They are evidence-driven: CISA lists CVEs only when there’s information linking them to active exploitation.
• They carry operational mandates for federal agencies under BOD 22-01.
• They concentrate risk: the CVEs added today affect software used for endpoint management, developer utilities and update processes, IT service desk platforms, and core OS runtime components — all high-value targets for attackers.

Before we drill into each flaw, two important operational notes:

• Historically, many KEV additions have come with compressed remediation windows; organizations should assume urgency even if the public advisory does not list a calendar deadline. Verify the KEV entry for the agency-mandated due date and treat it as high-priority.
• Some public details about exploitation remain limited; when CISA says “based on evidence of active exploitation,” that evidence may come from private incident response, vendor reports, or classified telemetry. Where public proof is sparse, defenders should nonetheless act on the precautionary principle.

---

CVE-2024-43468 — Microsoft Configuration Manager (SCCM): Unauthenticated SQL injection → RCE​

What it is​

This is an unauthenticated SQL injection in the Microsoft Configuration Manager (ConfigMgr / SCCM) MP_Location service. An attacker with network access to a Management Point (MP) can send crafted messages that inject SQL into the database back end. Because the MP’s database account has high privileges, successful exploitation can escalate to remote code execution by leveraging SQL Server mechanisms (for example, enabling and using xp_cmdshell).

Affected products and patch status​

• Affects Microsoft Configuration Manager versions prior to the patched releases (notably versions earlier than the 2403 baseline and older supported branches). Microsoft published an update and associated hotfix guidance; applying Microsoft’s security update or the hotfix referenced by Microsoft’s advisory is the remediation path.
• Public proof-of-concept code has been published and weaponized scripts exist in open repositories; defenders should treat this as an actively abused, high-impact vulnerability.

Why this is dangerous​

• Distribution power: ConfigMgr is a widely used enterprise management platform with the ability to push software and commands to thousands of endpoints. Compromise of a ConfigMgr server can be converted into mass endpoint compromise.
• No authentication required: The injection vectors are exploitable without credentials if the MP is reachable.
• High privilege: The database context executes as a privileged principal; attackers can pivot from the SQL layer to system-level control.

Immediate mitigation and detection​

• Apply Microsoft’s published patches or hotfixes for ConfigMgr immediately and reboot if required.
• If you cannot patch instantly:
• Restrict network access to Management Points (block external access, enforce IP allowlists).
• Limit connectivity between MPs and other networks via network segmentation and host-based firewall rules.
• Detection guidance:
• Hunt for anomalous entries in MP_Location logs and sysadmin-level SQL statements issued from MP service accounts.
• Look for creation of unexpected SQL logins, activation of xp_cmdshell, or unusual scheduled tasks installed by the Configuration Manager service accounts.
• Verify remediation:
• Confirm the specific hotfix or minimum patched version on servers, and verify that MPs and database servers are not reachable from untrusted networks.

Analysis and risk​

This vulnerability is a textbook example of how tooling designed to manage endpoints can become a large-scale attack surface. The availability of public exploit code and the unauthenticated nature of the flaw make rapid remediation essential. Organizations should review their patch automation and configuration management practices to avoid the worst-case scenarios: lateral spread, ransomware deployment, or supply-of-malicious-updates via compromised management tooling.

---

CVE-2025-15556 — Notepad++ WinGUp Updater: Download-of-Code Without Integrity Check​

What it is​

The Notepad++ WinGUp updater failed to cryptographically verify the integrity and authenticity of downloaded update metadata and installer binaries. If an attacker can intercept or redirect update traffic (for example, via DNS hijack, HTTP redirect, or compromised hosting), they could cause WinGUp to download and run an attacker-controlled installer, achieving arbitrary code execution at the user level.

Affected products and patch status​

• Affected: Notepad++ versions prior to 8.8.9 (when installed with the WinGUp-based auto-updater).
• Fix: Notepad++ released version 8.8.9, which hardens the updater to verify digital signatures and certificate chain information before executing downloaded installers. The project also migrated hosting and published mitigations and guidance.
• Evidence: Multiple security teams reported targeted update-hijacking incidents prior to the fix; some reporting indicates the exploitation was selective and hosted-level (not necessarily a code-level flaw in the editor itself).

Why this is dangerous​

• Supply/update-channel abuse: Update hijacking is a high-value attack vector because it bypasses many endpoint protections — updates are trusted by users and often run with installer privileges.
• Selective targeting: Hosting- or infrastructure-level compromises can be used to target specific victims while avoiding mass detection.
• Widespread install base: Notepad++ is ubiquitous on developer and admin workstations; compromise can lead to credential theft, tooling subversion, and second-stage payload delivery.

Immediate mitigation and detection​

• Update Notepad++ to 8.8.9 (or the vendor’s current secure release) across all workstations.
• Verify installer signatures: Check that the installed Notepad++ binaries are signed by the vendor’s trusted certificate (GlobalSign or the signing key cited by the vendor) and remove any old self-signed root certificates installed as a workaround.
• Detection and hygiene:
• Search system and temporary folders for unexpected updater binaries or installers.
• Audit network logs for connections to unexpected update endpoints or suspicious redirects at DNS or HTTP layers.
• Use application control (AppLocker, Microsoft Defender Application Control) to prevent execution of unsigned or unknown installers.
• For managed fleets:
• Disable auto-update on corporate machines where updates are centrally managed and push the patched client via your software distribution system.
• Rotate and verify secrets and credentials if you detect compromise of a workstation used by developers or administrators.

Analysis and risk​

This incident highlights the persistent supply chain risk: even a small signing or verification gap in an updater can be exploited by advanced actors. The corrective changes introduced (signature verification and migration of infrastructure) are standard but critical. For enterprises, the takeaways are to treat developer tooling and editors as high-risk assets and to enforce strict update policies and code-signing verification.

---

CVE-2025-40536 — SolarWinds Web Help Desk: Security Control Bypass​

What it is​

A security control bypass in SolarWinds Web Help Desk that could allow an unauthenticated attacker to access restricted functionality. The issue affects specific WHD versions and is rated as High severity.

Affected products and patch status​

• Affected: SolarWinds Web Help Desk 12.8.8 Hotfix 1 and earlier (SolarWinds lists versions in advisory details).
• Fix: The vulnerability is addressed in the Web Help Desk 2026.1 release; SolarWinds published an advisory describing affected versions, CVSS, and fixed versions.

Why this is dangerous​

• ITSM platform exposure: IT service management platforms often integrate with asset inventories, credentials, and privileged workflows. An attacker who gains unauthorized access to admin or internal interfaces can abuse integrations to obtain credentials or push malicious changes.
• Fresh target of interest: SolarWinds’ products have long been attractive to attackers due to their privileged position in IT estates; while this is not the same as previous supply chain compromises, the blast radius remains significant if the product is exposed to untrusted networks.

Immediate mitigation and detection​

• Apply SolarWinds’ 2026.1 update or the vendor’s recommended hotfix as a first step.
• If a timely patch is impossible:
• Restrict access to Web Help Desk to internal IP ranges or force access only via VPN or hardened reverse proxies.
• Apply WAF/IPS rules to detect and block suspicious requests that attempt to reach administrative endpoints.
• Detection guidance:
• Audit Web Help Desk logs for unauthenticated requests reaching admin-only functionality.
• Monitor for anomalous API calls, creation of new administrative accounts, or unexpected data exports.
• Privilege and credential hygiene:
• Rotate any credentials stored in the Web Help Desk system that may have been exposed.
• Limit API keys and integrated service accounts and validate their scopes.

Analysis and risk​

This vulnerability is high-risk because an unauthenticated bypass can reduce the time and skill required to escalate into operational compromise. SolarWinds customers should prioritize this patch and verify that remotely accessible control planes are behind hardened access controls.

---

CVE-2026-20700 — Apple dyld Memory-Corruption / Multiple Buffer Overflow​

What it is​

A memory corruption issue in dyld (Apple’s Dynamic Link Editor) that could allow arbitrary code execution. Apple disclosed that this flaw had been exploited in “extremely sophisticated” targeted attacks against specific individuals. The flaw affects multiple Apple operating systems and is tracked as a zero-day.

Affected products and patch status​

• Fixed in: iOS/iPadOS/watchOS/tvOS/visionOS/macOS Tahoe 26.3 and the corresponding platform updates (Apple 26.3 family).
• Apple explicitly states the issue may have been exploited in targeted, sophisticated attacks and names dyld as the vulnerable component. Apple released security updates and an advisory mentioning prior related CVEs that were chained in the same incidents.

Why this is dangerous​

• Low-level runtime: dyld is the component that loads and links executable code and libraries. A flaw here can be abused to subvert application and system behavior broadly.
• Real-world exploitation: Apple’s wording indicates active exploitation against high-value targets; dyld bugs can be exploited without obvious user interaction depending on the attack vector, and they are rarely easy to detect.
• Cross-platform impact: The bug affects Apple’s entire OS family — desktop, mobile, and emerging platforms — broadening the possible target set.

Immediate mitigation and detection​

• Apply Apple’s platform updates immediately: upgrade to 26.3 family releases on iPhone, iPad, Mac, Apple TV, watchOS, and visionOS devices.
• For high-value or sensitive devices:
• Treat any device that cannot be updated as high-risk; limit network access and avoid connecting to untrusted networks.
• Monitor for lateral movement from mobile devices into enterprise resources (VPN logs, authentication anomalies).
• Detection guidance:
• Use EDR/MDM telemetry to search for suspicious process launches, unusual code-injection behaviors, or persistence mechanisms associated with dyld exploitation.
• Be aware that targeted exploits are often stealthy; hunt for anomalous behavior and validate device integrity where suspicion exists.

Analysis and risk​

Apple’s confirmation of exploitation elevates the severity beyond theoretical risk. The dyld component is foundational; exploits here are prized by advanced persistent threat (APT) actors engaged in targeted surveillance or intrusion. The recommended action is immediate patching and additional monitoring for indicators of targeted compromise.

---

What organizations should do now — a prioritized playbook​

Every organization should treat a KEV addition as an incident of elevated priority. The following is a recommended, practical sequence defenders can execute immediately.

• Inventory — within hours
• Identify whether any internal assets run the affected products or versions (ConfigMgr Management Points, Notepad++ instances that auto-update, SolarWinds WHD, Apple devices on older OS versions).
• Prioritize externally reachable instances and management planes.
• Patch or mitigate — within 24–72 hours
• Apply vendor-supplied patches or hotfixes:
• Microsoft: apply the ConfigMgr hotfix/update corresponding to CVE-2024-43468.
• Notepad++: upgrade to 8.8.9 (or vendor guidance) and verify signatures.
• SolarWinds: update to Web Help Desk 2026.1 or apply listed hotfix.
• Apple: upgrade devices to 26.3 platform releases.
• Where patching is not immediately possible:
• Restrict network exposure (block management ports, put devices behind VPNs).
• Disable auto-update mechanisms that can be abused, or move update delivery to a controlled internal repository.
• Apply host and network-based compensating controls (WAF, IPS signatures, application allowlists).
• Verify and validate — within 1 week
• Confirm version numbers and hotfix presence; do not assume a patch orchestrated by a management system succeeded — verify on host level.
• Review access controls, firewall rules, and routing policies to ensure management interfaces are not exposed.
• Hunt and investigate — ongoing
• Search logs for indicators described earlier (e.g., suspicious SQL statements against ConfigMgr DB, unexpected installers from the Notepad++ updater, admin-level functionality accessed on SolarWinds WHD, and dyld-related crashes or suspicious code loads).
• If compromise is suspected, isolate affected hosts, collect forensic artifacts, and escalate to IR/E-Discovery teams.
• Report and coordinate
• If you find evidence of exploitation, report incident activity to your national incident response body and to CISA according to your reporting obligations.
• Share IOCs with trusted partners and threat-sharing communities.

---

Detection hints and hunting checks (practical TTPs)​

• Microsoft Configuration Manager (CVE-2024-43468)
• Look for atypical SQL queries in the Configuration Manager database.
• Check MP_Location logs for suspicious SourceID fields containing SQL fragments.
• Hunt for new local accounts or logins created in SQL Server after the disclosure date.
• Notepad++ WinGUp (CVE-2025-15556)
• Search for installer-execution events originating from Temp directories or from WinGUp processes.
• Verify code-signing status of Notepad++ installer binaries on endpoints.
• Review DNS logs and web proxy logs for redirect patterns to previously unknown update hosts.
• SolarWinds Web Help Desk (CVE-2025-40536)
• Inspect WHD API logs for unauthenticated calls to admin endpoints.
• Look for abnormal exports or data dumps around the advisory publication date.
• Check for newly created service accounts or API tokens with elevated privileges.
• Apple dyld (CVE-2026-20700)
• Monitor for unexpected dyld load failures, abnormal process crashes, or signs of in-memory code manipulation.
• For managed fleets, review MDM telemetry for unsanctioned configuration changes or persistence hooks.

---

Broader analysis — what this cluster tells us about the threat landscape​

• Attackers continue to target tooling and update pipelines. The Notepad++ incident reinforces a blunt lesson: software update mechanisms and hosting infrastructure are high-payoff targets, and weaknesses there can enable selective espionage or broad compromise.
• Management systems are prime targets for mass compromise. The Microsoft Configuration Manager flaw underscores the systemic danger when endpoint management systems — which have broad privileges and distribution capability — are vulnerable.
• IT service platforms remain a critical control plane. SolarWinds Web Help Desk is a reminder that ITSM and ticketing systems can become pivot points into privileged workflows.
• Zero-days and targeted exploitation remain active. Apple’s dyld advisory and admission of targeted exploits demonstrates that even vendors with strong security programs find zero-days chained and used against specific targets.

Operationally, these trends demand an emphasis on:

• Trusted update paths and cryptographic verification.
• Minimizing external exposure of management endpoints.
• Rapid, auditable patch verification and enforcement.
• Continuous hunting around management and build infrastructure.

---

Quick reference — immediate actions (at a glance)​

• For Microsoft Configuration Manager (CVE-2024-43468): apply Microsoft’s ConfigMgr updates/hotfixes; restrict MP network access; hunt for anomalous SQL activity.
• For Notepad++ (CVE-2025-15556): upgrade to Notepad++ 8.8.9; verify binary signatures; remove old root certs; use application control for installers.
• For SolarWinds Web Help Desk (CVE-2025-40536): update to WHD 2026.1 or apply vendor advisories; restrict admin interfaces; monitor for unauthorized admin actions.
• For Apple platforms (CVE-2026-20700): upgrade to 26.3 releases across iOS/iPadOS/macOS/watchOS/tvOS/visionOS; isolate devices that cannot be patched; hunt for stealthy indicators.

---

Closing assessment — strengths, blind spots, and risk posture​

CISA’s addition of these four CVEs to the KEV Catalog is an important, evidence-driven signal that defenders should not ignore. Each vulnerability targets a different but critical part of modern IT estates: management consoles, update channels, ITSM systems, and OS runtime components. Taken together, they illustrate where attackers get the most leverage: trusted update paths and privileged control planes.
Strengths in the current environment:

• Vendors responded with patches and advisories — fixes are available for all four items.
• Incident response community and public researchers have produced detection artifacts and PoCs that speed defensive action.

Persistent risks and blind spots:

• Operational patching remains slow in many organizations; supply chain and management-plane exposures often persist for weeks or months.
• Some exploitation evidence remains non-public or limited; defenders must therefore assume worst-case scenarios and pursue proactive hunting rather than waiting for definitive proof.
• Targeted attacks (as Apple described) are inherently harder to detect and mitigate; they require elevated telemetry coverage and rapid, coordinated response.

For security teams the prescription is unchanged but urgent: inventory, patch, verify, and hunt. The presence of these four CVEs in the KEV Catalog is a reminder that the most dangerous threats often exploit the very tools organizations use to operate and update themselves. Treat those tools as critical attack surfaces, and build controls and verification into every step of the update and management lifecycle.

---

If you manage configurations, software distribution, or device fleets, prioritize the fixes listed above, validate that updates were installed correctly, and begin hunts for the described indicators without delay. The technical details and suggested mitigations in vendor advisories and platform security pages provide the specifics you’ll need for verification — but the immediate operational imperative is to act now and ensure those critical control planes are not the vector that lets attackers pivot into your environment.

---

Source: CISA CISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA