21st May 2026 Cyber Update: CISA’s Latest KEV Batch Shows Old Bugs Still Have a Long Tail
CISA’s latest KEV update mixes new Microsoft Defender flaws with legacy Windows and Adobe bugs, showing why exploited risk often sits in forgotten systems.
The US Cybersecurity and Infrastructure Security Agency has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, reinforcing a consistent theme in cyber risk: exposure is often driven as much by ageing systems as by newly disclosed flaws.
The latest additions include two recent Microsoft Defender vulnerabilities alongside several legacy issues affecting Windows, Internet Explorer, DirectX, and Adobe Acrobat and Reader, originally identified between 2008 and 2010. The mix of old and new underscores the long tail of unpatched risk across enterprise environments.
What has changed?
CISA confirmed that all seven vulnerabilities were added on the basis of observed active exploitation. The two Microsoft entries are CVE-2026-41091, an elevation-of-privilege flaw in Microsoft Defender, and CVE-2026-45498, a denial-of-service vulnerability affecting the same product.
Both vulnerabilities are now listed in the KEV catalogue. Every KEV entry carries a remediation due date that is binding on US federal civilian agencies under Binding Operational Directive 22-01, which is why many security teams treat the catalogue as a prioritisation tool rather than a passive advisory source.
The Canadian Centre for Cyber Security has also issued guidance on the Microsoft vulnerabilities, identifying exposure in Microsoft Defender versions prior to 4.18.26040.7 and Microsoft Malware Protection Engine versions prior to 1.1.26040.8. This alignment across agencies elevates the issue from routine patching to an active exploitation priority.
Why it matters
The broader takeaway is that material risk does not always originate from newly disclosed vulnerabilities. Several issues in this update are more than 15 years old, highlighting persistent visibility and remediation gaps.
These gaps often sit in overlooked areas of the environment, including legacy endpoints, outdated system images, dormant applications, unmanaged software, and assets that fall outside standard patching processes.
KEV updates are increasingly viewed as a practical benchmark for vulnerability management maturity. The challenge is no longer the ability to generate extensive scan results, but the capacity to identify actively exploited vulnerabilities, map them accurately to internal systems, and remediate them within a meaningful timeframe.
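The mapping step described above, together with the Defender version thresholds cited earlier, is easier to see in code. The following is an added example written for this page, not code from the article, CISA or Microsoft. It parses a constructed excerpt in the shape of CISA's KEV JSON feed (the field names are the feed's real ones; the two CVE IDs are the Defender entries named above, while the dates and vulnerability names are placeholders), joins the Defender entries to a constructed endpoint inventory using the minimum platform and engine versions from the Canadian guidance, and reports days remaining to the KEV due date. Hostnames and inventory versions are assumed for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The real feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# and uses these field names. The CVE IDs are the two Defender entries named in
# the article; vulnerabilityName, dateAdded and dueDate are placeholders.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
         "vulnerabilityName": "Microsoft Defender elevation of privilege (placeholder)",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
        {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Defender",
         "vulnerabilityName": "Microsoft Defender denial of service (placeholder)",
         "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
    ],
})

# Minimum fixed versions cited in the article (Canadian Centre for Cyber Security guidance).
MIN_PLATFORM = "4.18.26040.7"   # Microsoft Defender platform
MIN_ENGINE = "1.1.26040.8"      # Microsoft Malware Protection Engine

# Constructed endpoint inventory: hostnames and versions are placeholders.
INVENTORY = [
    {"host": "ws-001", "platform": "4.18.26040.7", "engine": "1.1.26040.8"},    # current
    {"host": "ws-002", "platform": "4.18.25120.3", "engine": "1.1.26040.8"},    # old platform
    {"host": "img-gold", "platform": "4.18.24090.1", "engine": "1.1.24090.5"},  # stale image
    {"host": "ws-003", "platform": "4.18.26040.7", "engine": "1.1.26030.2"},    # old engine
]


def parse_version(v: str) -> tuple:
    """Turn '4.18.26040.7' into (4, 18, 26040, 7) so versions compare numerically.
    A plain string comparison would rank '4.18.9' above '4.18.26040.7'."""
    return tuple(int(part) for part in v.split("."))


def is_below(version: str, minimum: str) -> bool:
    """True when version is older than the minimum fixed version."""
    return parse_version(version) < parse_version(minimum)


def load_kev(raw: str, vendor: str, product: str) -> list:
    """Return the KEV entries for one vendor/product from the feed JSON."""
    catalogue = json.loads(raw)
    return [e for e in catalogue["vulnerabilities"]
            if e["vendorProject"].lower() == vendor.lower()
            and product.lower() in e["product"].lower()]


def defender_exposure(host: dict) -> list:
    """Reasons a host is still exposed to the Defender KEV entries, or [] if none."""
    reasons = []
    if is_below(host["platform"], MIN_PLATFORM):
        reasons.append(f"platform {host['platform']} < {MIN_PLATFORM}")
    if is_below(host["engine"], MIN_ENGINE):
        reasons.append(f"engine {host['engine']} < {MIN_ENGINE}")
    return reasons


def kev_report(raw_kev: str, inventory: list, as_of: date) -> list:
    """Join the Defender KEV entries to exposed hosts, with days to the CISA due date."""
    entries = load_kev(raw_kev, "Microsoft", "Defender")
    report = []
    for host in inventory:
        reasons = defender_exposure(host)
        if not reasons:
            continue  # host is current: not a KEV finding, whatever the scanner says
        for entry in entries:
            due = date.fromisoformat(entry["dueDate"])
            report.append({
                "host": host["host"],
                "cve": entry["cveID"],
                "reasons": reasons,
                "due": entry["dueDate"],
                "days_left": (due - as_of).days,  # negative means overdue
            })
    # Most urgent first (overdue, then soonest due date); host name keeps output stable.
    report.sort(key=lambda r: (r["days_left"], r["host"]))
    return report


if __name__ == "__main__":
    for row in kev_report(KEV_JSON, INVENTORY, date(2026, 5, 21)):
        status = "OVERDUE" if row["days_left"] < 0 else f"{row['days_left']}d left"
        print(f"{row['host']:<10} {row['cve']}  {status:<10} {'; '.join(row['reasons'])}")
```

The same join works against the live feed once `KEV_JSON` is replaced by the downloaded catalogue, and against a real inventory once the platform and engine versions are collected from endpoints (on Windows, `Get-MpComputerStatus` exposes them as `AMProductVersion` and `AMEngineVersion`). The two design points worth keeping are the numeric version comparison, which string-based scanner rules often get wrong for Defender's five-digit build numbers, and the due-date column, which turns a list of findings into the closure evidence the article asks for.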
While artificial intelligence does not directly feature in this update, the implications for AI-supported security operations are clear. The key question is whether AI-driven triage can meaningfully reduce noise and prioritise exploited vulnerabilities, or whether it simply accelerates the processing of existing backlogs without improving outcomes.
For boards and executive teams, the implications are direct. Organisations should confirm that KEV monitoring is embedded as a standing control, ensure Microsoft Defender deployments are current, assess any residual exposure to legacy Windows and Adobe systems, and verify that remediation reporting demonstrates closure rather than activity.