U.S. CISA adds Trend Micro Apex One and Langflow to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini May 22, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Trend Micro Apex One and Langflow flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Trend Micro Apex One and Langflow flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2025-34291 Langflow Origin Validation Error Vulnerability
  • CVE-2026-34926 Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability

CVE-2025-34291 (CVSS score of 9.4) is an origin validation error issue in Langflow. An attacker can exploit the flaw to execute arbitrary code and achieve full system compromise.

A report published by Obsidian Security back in December 2025 laid out exactly why CVE-2025-34291 is as dangerous as it sounds. The vulnerability chains three separate weaknesses together: overly permissive CORS settings, missing CSRF protection, and an endpoint that is designed to execute code. An attacker does not need to find a clever bypass; they just need to reach something that was built to run code in the first place.

“The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored within the workspace. This can trigger a cascading compromise across all integrated downstream services in cloud and SaaS environments,” Obsidian noted at the time.
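As an added example (not code from Obsidian's report or from Langflow), the sketch below shows how a defender could check their own deployment for the first two links of that chain, using the response headers returned to a request that carried an untrusted `Origin`. The function name, finding labels, origins and header samples are all constructed for illustration, and whether CSRF tokens are enforced is assumed to come from a separate test.

```python
from http.cookies import SimpleCookie

def audit_response(probe_origin, headers, allowlist, csrf_enforced):
    """Audit one response to a request sent with `Origin: probe_origin`.

    headers: list of (name, value) pairs, so repeated Set-Cookie survives.
    allowlist: exact origins the deployment is meant to trust.
    csrf_enforced: outcome of a separate test (was a state-changing request
    without an anti-CSRF token rejected?). Headers alone cannot show this.
    """
    single, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value.strip()

    findings = []
    acao = single.get("access-control-allow-origin")
    creds = single.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("cors-wildcard")
    reflected = probe_origin not in allowlist and acao == probe_origin
    if reflected:
        findings.append("cors-reflects-untrusted-origin")

    cross_site_cookie = False
    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for cname, morsel in jar.items():
            if morsel["samesite"].lower() == "none":
                cross_site_cookie = True
                findings.append("cookie-samesite-none:" + cname)

    if not csrf_enforced:
        findings.append("csrf-not-enforced")
    if reflected and creds and cross_site_cookie and not csrf_enforced:
        findings.append("chain-preconditions-present")
    return findings

# Constructed sample headers, not captured from Langflow or any other product.
WEAK = [("Access-Control-Allow-Origin", "https://probe.invalid"),
        ("Access-Control-Allow-Credentials", "true"),
        ("Set-Cookie", "session=constructed; Path=/; Secure; HttpOnly; SameSite=None")]
HARDENED = [("Set-Cookie", "session=constructed; Path=/; Secure; HttpOnly; SameSite=Lax")]
```

Any one of the three findings being fixed (exact-match origin allowlist, a cookie that is not sent cross-site, or enforced anti-CSRF tokens) removes the `chain-preconditions-present` result.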

In March 2026, Ctrl-Alt-Intel published a report documenting active exploitation of CVE-2025-34291 by MuddyWater, an Iran-nexus APT group, which used the vulnerability to gain initial access to target networks. When a nation-state actor is actively using something in real intrusions, the conversation shifts from “you should patch this” to “if you have not patched this, assume you may already have a problem.”

CVE-2026-34926 (CVSS score of 6.7) is a directory traversal flaw in on-premise Trend Micro Apex One that lets a local attacker modify server tables and inject malicious code into affected agents. Trend Micro has confirmed that CVE-2026-34926 is actively exploited in the wild.

“We observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild,” reads the advisory. “This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by June 4, 2026.
