Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows: CVE-2026-2441 (CVSS score: 8.8) - A use-after-free vulnerability in Google Chrome that could allow a remote attacker to potentially exploit heap
Analysis Summary
# Vulnerability: CISA Adds Four Actively Exploited Flaws to KEV Catalog (Feb 2026)
## CVE Details
* **CVE ID:** CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, CVE-2008-0015
* **CVSS Score:** Ranges from 7.2 to 9.8 (High to Critical)
* **CWE:** Use-after-free, Arbitrary File Upload, SSRF, Stack-based Buffer Overflow
## Affected Systems
* **Products:**
  * Google Chrome
  * TeamT5 ThreatSonar Anti-Ransomware
  * Synacor Zimbra Collaboration Suite (ZCS)
  * Microsoft Windows (Windows Video ActiveX Control)
* **Versions:**
  * **TeamT5:** Versions 3.4.5 and earlier.
  * **Zimbra:** Versions affected by the SSRF vulnerability CVE-2020-7796; specific versions are not listed here.
  * **Windows:** Legacy systems using the Windows Video ActiveX Control.
* **Configurations:** Systems accessing malicious web content or hosting vulnerable web-facing management dashboards.
## Vulnerability Description
* **CVE-2026-2441:** A use-after-free flaw in Google Chrome's heap memory management. An attacker can trigger heap corruption by tricking a user into visiting a specially crafted HTML page.
* **CVE-2024-7694:** An arbitrary file upload vulnerability in TeamT5 ThreatSonar Anti-Ransomware. Unauthorized users can upload files to the server, leading to remote command execution.
* **CVE-2020-7796:** A Server-Side Request Forgery (SSRF) in Zimbra. Attackers can force the server to send HTTP requests to internal or external hosts to bypass authentication and steal sensitive data.
* **CVE-2008-0015:** A legacy stack-based buffer overflow in the Windows Video ActiveX Control. It allows Remote Code Execution (RCE) via malicious web content.
## Exploitation
* **Status:** **Exploited in the wild** (All four added to CISA KEV).
* **Complexity:** Low to Medium.
* **Attack Vector:** Network (Remote).
## Impact
* **Confidentiality:** High (Unauthorized access to data via SSRF and RCE).
* **Integrity:** High (Arbitrary command execution; file overwrites by malware like Dogkild).
* **Availability:** High (Potential system takeover and security process termination).
## Remediation
### Patches
* **Google Chrome:** Users should update to the latest version immediately to patch CVE-2026-2441.
* **TeamT5:** Upgrade ThreatSonar Anti-Ransomware to versions newer than 3.4.5.
* **Zimbra:** Apply the latest security updates provided by Synacor for ZCS.
* **Microsoft:** Ensure legacy systems are decommissioned or fully patched against the 2008 vulnerability.
### Workarounds
* Disable ActiveX controls in legacy Windows environments where possible.
* Restrict outbound network access from Zimbra servers to prevent SSRF exploitation.
* Implement strict file extension filtering and scanning for management consoles.
## Detection
* **Indicators of Compromise:**
  * Exploitation of CVE-2008-0015 often leads to the deployment of **Dogkild** malware (Worm:Win32/Dogkild.A).
  * Monitor for unauthorized IP addresses (over 400 identified by GreyNoise) targeting Zimbra instances.
* **Detection methods and tools:**
  * CISA KEV scanning tools.
  * EDR/AV detection for `Exploit:JS/CVE-2008-0015` or `Exploit:HTML/CVE-2008-0015`.
  * Web server log analysis for unusual `POST` requests to file upload endpoints.
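The KEV cross-check mentioned above, as an added example that is not part of the original report: it reads a constructed excerpt in the shape of the CISA KEV JSON feed (the field names `cveID`, `vendorProject` and `product` are assumed to match the public feed), matches it against a constructed asset inventory, and uses the one version cutoff this summary states (TeamT5 3.4.5 and earlier); the other three products are marked for manual review because no fixed version is given here. The inventory deliberately includes version 3.4.12 to show why versions must be compared numerically rather than as strings.

```python
import json
from typing import Dict, List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.4.5' into (3, 4, 5) so '3.4.12' sorts above '3.4.5' (string compare gets this wrong)."""
    return tuple(int(p) for p in v.split("."))

# Highest affected version per CVE, taken from this summary where stated.
# None means "listed in KEV, but no fixed version given here: review manually".
AFFECTED_UP_TO: Dict[str, Tuple[str, Optional[str]]] = {
    "CVE-2024-7694": ("ThreatSonar Anti-Ransomware", "3.4.5"),
    "CVE-2026-2441": ("Chrome", None),
    "CVE-2020-7796": ("Zimbra Collaboration Suite", None),
    "CVE-2008-0015": ("Windows Video ActiveX Control", None),
}

# Constructed KEV excerpt; entry contents are illustrative, not copied from the live catalog.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-2441", "vendorProject": "Google", "product": "Chrome"},
    {"cveID": "CVE-2024-7694", "vendorProject": "TeamT5", "product": "ThreatSonar Anti-Ransomware"},
    {"cveID": "CVE-2020-7796", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite"},
    {"cveID": "CVE-2008-0015", "vendorProject": "Microsoft", "product": "Windows Video ActiveX Control"},
]})

# Constructed asset inventory: (hostname, product, installed version).
INVENTORY = [
    ("edr-01", "ThreatSonar Anti-Ransomware", "3.4.5"),
    ("edr-02", "ThreatSonar Anti-Ransomware", "3.4.12"),
    ("mail-01", "Zimbra Collaboration Suite", "9.0.0"),
    ("ws-07", "Chrome", "120.0.0.0"),
]

def kev_exposure(kev_json: str, inventory) -> List[Tuple[str, str, str]]:
    """Return (host, cveID, verdict) for every asset whose product is KEV-listed.
    verdict: 'vulnerable' at or below the cutoff, 'patched' above it, 'review' if no cutoff known."""
    by_product = {e["product"]: e["cveID"] for e in json.loads(kev_json)["vulnerabilities"]}
    findings = []
    for host, product, version in inventory:
        cve = by_product.get(product)
        if cve is None:
            continue  # product not in the catalog excerpt
        _, cutoff = AFFECTED_UP_TO.get(cve, (product, None))
        if cutoff is None:
            verdict = "review"
        elif parse_version(version) <= parse_version(cutoff):
            verdict = "vulnerable"
        else:
            verdict = "patched"
        findings.append((host, cve, verdict))
    return findings

if __name__ == "__main__":
    for host, cve, verdict in kev_exposure(KEV_FEED, INVENTORY):
        print(f"{host}: {cve} -> {verdict}")
```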
## References
* CISA KEV Catalog: hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
* Google Chrome Security Update: hxxps[://]thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html
* GreyNoise SSRF Analysis: hxxps[://]thehackernews.com/2025/03/over-400-ips-exploiting-multiple-ssrf.html
* Microsoft Threat Encyclopedia: hxxps[://]www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:HTML/CVE-2008-0015