CISA KEV Additions Trigger Urgent Federal Patch Deadline for Langflow and Trend Micro Apex One

CISA Expands KEV Catalog, Setting a Hard Federal Patch Deadline

The CISA KEV catalog has been updated with two newly confirmed exploited vulnerabilities affecting Langflow and Trend Micro Apex One, raising the urgency for government defenders. Once a flaw enters this catalog, remediation is no longer optional for Federal Civilian Executive Branch agencies; it becomes a time-bound mandate. For the Langflow vulnerability and the Trend Micro Apex One vulnerability, CISA has established a federal patch deadline of June 4, 2026, after confirming evidence of active exploitation in real-world environments. Failure to meet this deadline leaves exposed systems at elevated risk of compromise from threat actors already weaponizing these bugs. These additions come amid a broader wave of exploited vulnerabilities across major platforms, underscoring that patch management is now a central pillar of regulatory compliance as well as operational security for public-sector networks.

Langflow Vulnerability Opens Door to Full System and Downstream Service Compromise

CVE-2025-34291, the newly listed Langflow vulnerability, carries a CVSS score of 9.4 and represents a high-impact remote code execution pathway. It stems from an origin validation error that attackers can abuse to execute arbitrary code on a vulnerable Langflow instance, ultimately enabling full system compromise. Research has shown that this exploited vulnerability combines overly permissive CORS settings, a lack of CSRF protection, and an endpoint intentionally capable of executing code. Once breached, not only is the Langflow environment at risk, but all sensitive access tokens and API keys stored within the workspace can be exposed. That exposure can trigger a cascading compromise across integrated cloud and SaaS services, amplifying the blast radius far beyond the initial host. Security analysts have linked real-world exploitation of this Langflow vulnerability to a state-aligned threat group using it for initial access to target networks.

Trend Micro Apex One Flaw Enables Malicious Code Deployment via Directory Traversal

CVE-2026-34926 affects on-premise deployments of Trend Micro Apex One and has also been added to the CISA KEV catalog following observed exploitation attempts. Rated 6.7 on the CVSS scale, this directory traversal vulnerability allows a local attacker who has already authenticated with administrative access to modify a key table on the Apex One server. By manipulating this table, the attacker can inject malicious code that may be deployed to the endpoint agents managed by the compromised server, effectively turning a security platform into a distribution mechanism for malware. The vendor has confirmed at least one exploitation attempt in the wild, so this is not a theoretical risk. Although the flaw requires the attacker to already hold admin-level access to the Apex One server, once abused it can significantly streamline lateral movement and persistence within enterprise environments.

Wave of Exploited Vulnerabilities Highlights Expanding Attack Surface

The Langflow vulnerability and Trend Micro Apex One vulnerability do not exist in isolation. They join a growing list of exploited vulnerabilities across widely deployed security and infrastructure products, including Microsoft Defender, legacy Microsoft components, and Adobe software. Recent disclosures revealed that Microsoft Defender harbors a privilege escalation flaw, CVE-2026-41091, and a denial-of-service issue, CVE-2026-45498, both under active exploitation and now also cataloged by CISA. Alongside previously weaponized bugs in products such as Exchange Server, these cases demonstrate that threat actors are increasingly targeting core security and management layers rather than only edge services. Agencies and enterprises must therefore treat the CISA KEV catalog as a prioritized action list, ensuring that remote code execution, SQL injection, privilege escalation, and other high-impact paths are systematically closed before attackers can chain them into full environment compromise.

Action Steps for Agencies Ahead of the June 4 Patch Cutoff

With the June 4, 2026 federal patch deadline approaching, agencies should immediately inventory where Langflow and Trend Micro Apex One are deployed, focusing on internet-exposed instances and central management servers. For Langflow, apply vendor patches or mitigation guidance, then rotate all access tokens and API keys stored in affected workspaces to prevent downstream abuse. For Apex One, prioritize updates on on-premise servers and review administrative access controls and audit logs for signs of suspicious configuration changes or code deployment activity. In parallel, agencies should validate that Microsoft Defender and other security tools are updated to the latest platform and engine versions, ensuring that exploited vulnerabilities cataloged by CISA are already addressed. Finally, organizations should embed the CISA KEV catalog into their continuous vulnerability management process, treating KEV-listed flaws as top-tier remediation items with tracked deadlines and executive oversight.
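The last step above, tracking KEV-listed flaws against tracked deadlines, is easy to automate because CISA publishes the catalog as JSON. The following is an added example, not code from the article or from CISA: it matches the catalog's `cveID`/`product`/`dueDate` fields against a constructed host inventory (hypothetical hostnames) and ranks the hits by exposure and days remaining before the federal due date, attaching the follow-up step the article recommends for each of the two CVEs.

```python
"""Rank CISA KEV entries against an asset inventory by federal due date.
Added example, not code from the article or from CISA; it assumes the
catalog's published JSON fields (cveID, product, dueDate) and a constructed
host inventory carrying a product name and an exposure label."""
import json
from datetime import date

# Constructed KEV excerpt: the two CVE ids and the 2026-06-04 due date are
# from the article; the third entry is a placeholder for a product that is
# not in the inventory, so it must drop out of the results.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-34291", "product": "Langflow", "dueDate": "2026-06-04"},
    {"cveID": "CVE-2026-34926", "product": "Apex One", "dueDate": "2026-06-04"},
    {"cveID": "CVE-1900-0001", "product": "Placeholder", "dueDate": "2026-01-22"},
]})

# Constructed inventory with hypothetical hostnames and exposure labels.
INVENTORY = [
    {"host": "lf-prod-01", "product": "Langflow", "exposure": "internet"},
    {"host": "apexone-mgmt", "product": "Apex One", "exposure": "internal"},
]

# Post-patch steps the article calls for, keyed by KEV cveID.
FOLLOW_UP = {
    "CVE-2025-34291": "rotate all workspace access tokens and API keys",
    "CVE-2026-34926": "review admin access controls and audit logs",
}

def kev_due_list(kev_json: str, inventory: list, today: str) -> list:
    """Return KEV entries whose product is deployed, most urgent first:
    internet-exposed products first, then by daysLeft (negative = overdue)."""
    by_product = {}
    for asset in inventory:
        by_product.setdefault(asset["product"].casefold(), []).append(asset)
    now = date.fromisoformat(today)
    results = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        hosts = by_product.get(entry["product"].casefold(), [])
        if not hosts:
            continue  # product not deployed here, nothing to track
        due = date.fromisoformat(entry["dueDate"])
        results.append({
            "cveID": entry["cveID"], "product": entry["product"], "dueDate": entry["dueDate"],
            "daysLeft": (due - now).days, "hosts": [h["host"] for h in hosts],
            "internetExposed": any(h["exposure"] == "internet" for h in hosts),
            "followUp": FOLLOW_UP.get(entry["cveID"], "apply vendor update"),
        })
    results.sort(key=lambda r: (not r["internetExposed"], r["daysLeft"]))
    return results
```

Matching on the exact product string is a simplification; real KEV product names vary, so a production version would normalise them against the inventory's naming.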
