CISA Flags Actively Exploited Flaws in Microsoft ConfigMgr, SolarWinds Web Help Desk, Notepad++, and Apple Devices

CyberDefender 10 mins0

On February 12–13, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) Catalog to include four significant software security weaknesses that pose a real-world threat to enterprise, personal, and governmental networks. These additions reflect increasing evidence of exploitation in the wild and a mandate for rapid mitigation under CISA’s Binding Operational Directive (BOD) 22-01.

The newly cataloged CVEs are:

  1. CVE-2024-43468 – Microsoft Configuration Manager SQL Injection
  2. CVE-2025-15556 – Notepad++ Update Integrity Bypass
  3. CVE-2025-40536 – SolarWinds Web Help Desk Security Control Bypass
  4. CVE-2026-20700 – Apple Multiple Buffer Overflow Memory Corruption

Each vulnerability varies in attack vector, affected software, and potential impact, but all underscore a common theme: trusted software abused via improper input handling, insufficient verification, or flawed control checks. Below, we unpack the technical details and implications of each.

CVE-2024-43468: Remote SQL Injection in Microsoft Configuration Manager

Vulnerability Summary:
CVE-2024-43468 is a critical SQL Injection vulnerability in Microsoft Configuration Manager (ConfigMgr / SCCM) that allows an unauthenticated network adversary to send specially crafted requests to a Management Point (MP) service and execute arbitrary SQL on the site database.

Technical Analysis:

  • Root Cause: Improper input sanitization during request processing enables SQL commands to be injected.
  • Exploit Vector: Remote, no authentication required; attacker needs network access to the SCCM Management Point.
  • Impact: Remote code execution (RCE) with system-level privileges is possible by chaining the SQL injection with database shell features (e.g., xp_cmdshell), effectively letting attackers run arbitrary OS commands.
  • Severity: CVSSv3 Critical (commonly reported around 9.8).
  • Mitigation: Microsoft issued patches via its Update Guide; organizations must fully patch ConfigMgr servers and restrict MP network access.

Why It Matters:
ConfigMgr is widely used in enterprise environments to deploy software and manage updates across thousands of endpoints. Exploiting an unauthenticated SQL injection at this layer can give attackers broad lateral movement and administrative control of target networks.

CVE-2025-15556: Notepad++ Update Integrity Verification Bypass

Vulnerability Summary:
CVE-2025-15556 affects Notepad++ versions prior to 8.8.9 that leverage the WinGUp updater, which fails to perform proper cryptographic verification on downloaded update data. An attacker who can intercept or redirect update traffic can force the installation of malicious binaries at the user’s privilege level.

Technical Analysis:

  • Cause: Missing integrity checks on update payloads; no signature validation of metadata or installer packages.
  • Attack Method: Man-in-the-middle (MITM) or network redirection funnels the Notepad++ update mechanism to download attacker-controlled content.
  • Impact: Arbitrary code execution under the context of the logged-in user.
  • Severity: CVSS often rated in the High range (7.x).
  • Mitigation: Update Notepad++ to 8.8.9 or later, where integrity checks are fixed.

Why It Matters:
Though Notepad++ is a non-privileged editor tool, its broad installation base means this flaw can be abused via rogue Wi-Fi, DNS poisoning, or compromised network segments to gain unauthorized footholds on exposed endpoints.

CVE-2025-40536: SolarWinds Web Help Desk Security Control Bypass

Vulnerability Summary:
CVE-2025-40536 is a security control bypass vulnerability in SolarWinds Web Help Desk (WHD) that allows an attacker to access restricted functionality without authentication, undermining fundamental access checks.

Technical Analysis:

  • Cause: Flawed implementation of access controls (CWE-693 Protection Mechanism Failure) lets unauthorized requests reach administrative or sensitive operations.
  • Exploit Vector: Remote, no authentication needed; attacker can make GET/POST requests to restricted endpoints and trigger business logic meant only for authenticated administrators.
  • Impact: Exposes sensitive workflows, potentially enabling further exploitation or information discovery.
  • Severity: Some sources rate High (~8.1), though related SolarWinds RCE issues are scored Critical.
  • Mitigation: Upgrade SolarWinds WHD to version 2026.1 or later, and consider placing it behind a hardened WAF or restricting access via network segmentation.

Why It Matters:
WHD is a popular support ticketing and asset management suite. Improper access controls can allow attackers to enumerate, manipulate, or abuse internal workflows—especially on poorly segmented internal networks. Importantly, this flaw exists alongside active exploitation of other WHD vulnerabilities, increasing compound risk.

CVE-2026-20700: Apple Multiple Buffer Overflow (Memory Corruption)

Vulnerability Summary:
CVE-2026-20700 is a memory corruption issue in Apple’s Dynamic Link Editor (dyld) that, if exploited, lets an attacker with memory write capabilities execute arbitrary code on a range of Apple platforms including iOS, macOS, tvOS, watchOS, and visionOS.

Technical Analysis:

  • Cause: Improper bounds checking during dynamic linking and image loading causes buffer overflows (CWE-119).
  • Exploit Conditions: Attacker must achieve memory write access (e.g., via another flaw, sandbox escape, or local privilege escalation) to reliably trigger arbitrary code execution.
  • Implicated Systems: Apple devices across phone, tablet, desktop, and wearable product lines.
  • Severity: CVSS typically High to Critical depending on context.
  • Mitigation: Apple has backported fixes in updates (e.g., iOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, visionOS 26.3); immediate patching is crucial.

Why It Matters:
This flaw has documented targeted exploitation, reportedly used in sophisticated attacks against specific individuals before broader public disclosure. Its inclusion in the KEV list underscores its real-world exploitation vector and the threat posed to user privacy and device security.

Operational and Mitigation Considerations

Why CISA’s KEV Additions Are Significant

CISA’s KEV catalog is curated based on evidence of exploitation in active attacks, not just theoretical risk. Adding these CVEs triggers mandatory patch timelines for U.S. federal civilian agencies and signals to industry that real attackers are leveraging these flaws.

Broad Takeaways for Defenders

  1. Apply Patches Urgently: Ensure all affected products are updated to the vendor-released fixes.
  2. Reduce Exposure: Remove public internet exposure for management interfaces like SCCM and WHD.
  3. Network Controls: Segment and firewall restrict traffic to critical services; favor internal-only access.
  4. Monitor Anomalies: Look for unusual access patterns, especially unauthenticated requests that access privileged functionality.
  5. Use Defense in Depth: Compensating controls (WAFs, endpoint detection, MFA, logging) can reduce the window of opportunity even if a patch is delayed.

Conclusion

The addition of CVE-2024-43468, CVE-2025-15556, CVE-2025-40536, and CVE-2026-20700 to CISA’s Known Exploited Vulnerabilities Catalog reflects a deepening adversary focus on exploiting both enterprise-grade infrastructure (e.g., Configuration Manager, SolarWinds WHD) and consumer devices (e.g., Apple platforms). The technical details underscore that insufficient input validation, absent integrity checks, and flawed access controls continue to be key attack vectors exploited in the wild. Rapid patch management, combined with layered security controls, remains essential to reduce exposure and defend against both automated and targeted attacks.

CyberDefender