Security News

Cybersecurity news aggregator

CRITICAL Updates SC Media

You can now nominate vulnerabilities for CISA’s KEV with this form

The article does not describe a specific vulnerability; it announces CISA's new public nomination form for its Known Exploited Vulnerabilities (KEV) catalog to accelerate community reporting. It highlights the ongoing challenge of rapid exploit times and slow organizational patching, noting that median remediation for KEV-listed flaws takes 43 days. The provided CVE data (CVE-2025-34291 and CVE-2026-34926) is not discussed within the article content.

Vulnerability Management
May 22, 2026
By Laura French

The Cybersecurity and Infrastructure Security Agency (CISA) unveiled a new nomination form for its Known Exploited Vulnerabilities catalog on Thursday, inviting researchers, vendors and other industry partners to report their findings.

The new reporting avenue aims to engage the wide cybersecurity community to more quickly identify vulnerabilities under exploitation as the time-to-exploit (TTE) for newly disclosed vulnerabilities continues to narrow.

“Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale,” said Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity, in a statement. “CISA strongly encourages researchers and organizations to share vulnerability threats and help us secure the systems Americans rely on every day.”

A blog post from 2023 lends some insight into the challenges CISA faces identifying and validating exploited vulnerabilities without a more direct means of nomination. Vulnerabilities considered for KEV submission must have an assigned CVE number, credible evidence of exploitation in the wild and an effective mitigation available.

Former Executive Assistant Director for Cybersecurity Eric Goldstein, Vulnerability Analyst Elizabeth Cardona and former Cyber Security Section Chief Tod Beardsley described a process of “chasing whispers of exploitation in the wild that circulate online,” “sorting through vast amounts of data” and doing “detective work” to validate genuine malicious exploitation, which includes distinguishing between exploitation and simple scanning and reconnaissance.

The CISA officials also wrote about difficulty finding remediation information for some exploited vulnerabilities, saying the process can take days.

“Our team spends hours scouring security forums, manufacturer websites, open-source mailing lists, end-of-life announcements, and vulnerability databases to search for a patch or official mitigation guidance,” the blog states.

As revealed by Verizon’s 2026 Data Breach Investigations Report (DBIR), published this week, patching of KEV vulnerabilities by organizations is not much faster now than it was in 2023, yet organizations are dealing with more vulnerability instances than ever before.

The report found that about 71% of KEV vulnerability instances remained unpatched after seven days in 2023 compared with 69% in 2025, and in both years, 35% remained unpatched on Day 28. Yet in 2023, only about 120.8 million vulnerability instances were recorded, compared with 527.3 million in 2025. The current median time for full remediation of KEV vulnerabilities per organization is 43 days.

Meanwhile the average TTE for newly disclosed vulnerabilities was estimated to be as little as five days in 2025, with recent cases such as the Linux “Copy Fail” vulnerability showing exploitation within 48 hours.

As the industry anticipates even more rapid vulnerability discovery and exploitation development driven by AI tools such as Claude Mythos Preview, CISA is reportedly considering shortening the average KEV deadline for federal civilian executive branch agencies from about two to three weeks to just three days.

Related

CISA adds Trend Micro Apex One and Langflow flaws to exploited vulnerabilities catalog (Vulnerability Management, SC Staff, May 22, 2026): The vulnerabilities added are CVE-2025-34291, an origin validation error in Langflow with a CVSS score of 9.4, and CVE-2026-34926, a directory traversal flaw in Trend Micro Apex One (on-premise) with a CVSS score of 6.7.

Cisco patches critical 10.0 flaw in Secure Workload APIs (Vulnerability Management, Steve Zurier, May 22, 2026): Cisco patches critical 10.0 API flaw in Secure Workload platform.

Nvidia releases driver updates to fix 14 critical vulnerabilities (Vulnerability Management, SC Staff, May 21, 2026): The vulnerabilities affect GeForce, RTX, Quadro, Tesla, and NVS product lines, as well as vGPU and Cloud Gaming software.
