CISA Adds Five Bugs to KEV; Two Linux Flaws Draw Immediate Attention

The U.S. Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog, drawing attention to a mix of newly weaponized and historically significant flaws that are being abused in the wild. Two of the entries target Linux ecosystems: a critical authentication-bypass bug in GNU Inetutils’ telnetd that allows attackers to subvert authentication via crafted Telnet interactions and an older Linux kernel integer overflow that can be turned into local privilege escalation under particular memory and resource conditions. Security researchers observed rapid, unsolicited probing targeting the Inetutils flaw within days of disclosure, reporting roughly sixty distinct attempts from about 18 unique sources—an exploitation tempo that increases the chance of compromise for internet-facing Telnet services. CISA paired the Linux items with reports of active exploitation against mail server software and a Microsoft Office zero-day (CVE-2026-21509), the latter of which Microsoft patched via emergency updates and which CISA directed federal agencies to remediate by Feb. 16, 2026. Microsoft’s public guidance confirms in-the-wild use but withholds granular telemetry to limit operational amplification; exploitation requires opening a specially crafted document and appears to favor selective, high-value targeting rather than indiscriminate mass phishing. For defenders, the immediate priorities are clear: inventory and isolate publicly reachable Telnet servers, apply vendor patches or vendor-recommended mitigations for affected components, deploy compensating network filters (ACLs, firewall rules) and host hardening, and enhance detection for behavioral indicators tied to both document-based exploitation and anomalous Telnet activity. The inclusion in the KEV list shortens acceptable remediation windows for federal and critical infrastructure entities and signals that historical bugs must be reevaluated when exploitation is observed. Longer-term defensive work should emphasize reducing exposure to legacy services, tightening telnet-era attack surfaces, improving visibility into process-level document handling, and routing rapid patch cycles through staged controls to balance stability and risk. Organizations unable to immediately deploy updates should apply published mitigations, scrutinize endpoint telemetry for staged exploit patterns, and treat any suspected successful exploit as likely targeted, triggering incident response and threat-hunting exercises. Overall, the KEV additions illustrate how both legacy protocol flaws and modern document-handling defects can be turned into effective attack vectors when attackers can rapidly weaponize disclosure or discover long-lived vulnerabilities.