CISA added 14 confirmed exploited vulnerabilities to the KEV catalog between March 3–16, 2026, targeting Google Chrome/Chromium, Ivanti EPM, SolarWinds Web Help Desk, n8n workflow automation, Rockwell industrial controllers, Hikvision cameras, and Apple mobile/desktop products. The batch spans attack surfaces from enterprise IT to operational technology, with due dates as short as three days for the SolarWinds flaw. Federal agencies face mandatory remediation under BOD 22-01, and private organizations should treat this catalog update as a prioritized patch queue.
The March 2026 KEV batch reveals a deliberate expansion of attacker focus across the full enterprise stack. Two Google Chromium engine vulnerabilities — CVE-2026-3909 (Skia out-of-bounds write, CWE-787) and CVE-2026-3910 (V8 memory buffer mismanagement, CWE-119) — were added on March 13 with a two-week remediation window. Both affect Chrome, Edge, and Opera, meaning organizations running heterogeneous browser environments cannot patch one vendor and consider themselves covered. The Skia flaw enables out-of-bounds memory access via crafted HTML; the V8 flaw escalates to arbitrary code execution inside the sandbox. Together they represent a layered browser exploitation chain that threat actors can stage from a single malicious page. Security teams should verify browser auto-update policies are functioning and confirm ChromeOS and Android endpoints are in scope, since the Skia flaw explicitly affects those platforms.
Two vulnerabilities in enterprise management infrastructure stand out for their potential blast radius. CVE-2026-1603 in Ivanti Endpoint Manager (EPM) is an authentication bypass via alternate path (CWE-288) that exposes stored credential data to unauthenticated remote attackers — a scenario that historically precedes lateral movement and privilege escalation campaigns. CVE-2025-26399 in SolarWinds Web Help Desk is a deserialization of untrusted data flaw (CWE-502) in the AjaxProxy component that allows command execution on the host. CISA set SolarWinds’ due date to March 12, just three days after the March 9 addition, the shortest remediation window in this batch and a signal that exploitation was assessed as particularly urgent. Organizations running SolarWinds WHD that have not yet applied hotfix 12.8.7-hotfix-1 should treat this as an emergency action, not a patch cycle item.
The OT and IoT entries in this batch warrant separate attention from ICS-focused defenders. CVE-2021-22681 in Rockwell Automation Studio 5000 Logix Designer exposes a credential key that authenticates communication between design software and Logix controllers (CWE-522). An attacker with network access to the controller segment could connect unauthorized applications to PLC logic — a direct path to operational disruption. CVE-2017-7921 in Hikvision cameras is a 2017 improper authentication flaw (CWE-287) that enables privilege escalation and sensitive data access. The fact that a nine-year-old camera vulnerability required KEV addition in 2026 confirms these devices remain deployed and unpatched at scale. ICS/OT teams should audit network segmentation between corporate IT and OT zones, as these vulnerabilities are most dangerous when controllers and cameras are reachable from business networks.
The batch also includes notable legacy additions across Apple and Qualcomm. CVE-2021-30952 (Apple integer overflow, CWE-190) and CVE-2023-41974/CVE-2023-43000 (Apple use-after-free, CWE-416) span tvOS, macOS, iOS, iPadOS, watchOS, and Safari. The 2021 Apple flaw’s addition to KEV in March 2026 points to a significant gap: either it was recently observed in active exploitation campaigns or it was previously overlooked. CVE-2026-21385, a Qualcomm chipset memory corruption flaw (CWE-190) addressed in the March 2026 Android security bulletin, affects mobile endpoints at the firmware layer, where patch delivery depends entirely on device OEM and carrier update pipelines. Organizations managing large Android fleets should cross-reference Qualcomm’s affected chipset list against their mobile device inventory.
Two newer entries round out the batch. CVE-2025-68613 in n8n (CWE-913) stems from improper control of dynamically managed code in workflow expression evaluation and enables remote code execution, a critical risk for organizations that have deployed n8n as part of automation or AI workflow infrastructure. CVE-2025-47813 in Wing FTP Server (CWE-209) leaks sensitive information via error messages triggered by a long UID cookie value; it was added March 16 with a two-week window. The Wing FTP entry is the most recent addition and may reflect an emerging campaign. The n8n and Wing FTP vulnerabilities together suggest threat actors are actively probing automation tooling and niche file transfer services that may receive less security scrutiny than mainstream enterprise software. One notable gap across the entire batch: CISA has marked ransomware campaign association as ‘Unknown’ for all 14 entries, meaning attribution and campaign context must be sourced from threat intelligence feeds outside the KEV catalog itself.
- Patch SolarWinds Web Help Desk immediately: CISA’s three-day due date (March 9 added, March 12 due) for CVE-2025-26399 signals active exploitation urgency — apply hotfix 12.8.7-hotfix-1 and review AjaxProxy exposure.
- Browser patching must cover all Chromium-based products: CVE-2026-3909 and CVE-2026-3910 affect Chrome, Edge, Opera, ChromeOS, Android, and Flutter — a single vendor patch leaves other surfaces exposed.
- ICS/OT network segmentation is non-negotiable: CVE-2021-22681 (Rockwell Logix) and CVE-2017-7921 (Hikvision) are exploitable only with network access — verify OT/IT segmentation controls are enforced and audit firewall rules blocking controller and camera access from corporate networks.
- Audit automation and file transfer tooling: CVE-2025-68613 (n8n RCE) and CVE-2025-47813 (Wing FTP info disclosure) target infrastructure that often bypasses standard vulnerability management scans — confirm these products appear in your asset inventory.
- Mobile fleet patch visibility requires OEM tracking: CVE-2026-21385 (Qualcomm memory corruption) patches through Android OEM and carrier pipelines — cross-reference affected Qualcomm chipsets against your mobile device inventory and push enrollment-enforced update policies.
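
Treating the catalog update as a prioritized patch queue can be scripted. The sketch below is an added example, not part of the original article: it orders KEV-format records by remaining time to the due date and flags entries with no match in an asset inventory. The four records are constructed from the dates stated above (two-week windows written as `dateAdded` + 14 days), the product strings are simplified, and the inventory keywords and host names are hypothetical.

```python
from datetime import date

# Constructed sample in the KEV JSON field layout. Dates come from the article;
# each two-week window is written as dueDate = dateAdded + 14 days.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-3909", "vendorProject": "Google", "product": "Chromium Skia",
     "dateAdded": "2026-03-13", "dueDate": "2026-03-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-3910", "vendorProject": "Google", "product": "Chromium V8",
     "dateAdded": "2026-03-13", "dueDate": "2026-03-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "dateAdded": "2026-03-09", "dueDate": "2026-03-12", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-47813", "vendorProject": "Wing FTP Server", "product": "Wing FTP Server",
     "dateAdded": "2026-03-16", "dueDate": "2026-03-30", "knownRansomwareCampaignUse": "Unknown"},
]

# Hypothetical asset inventory: product keyword -> hosts running it.
INVENTORY = {
    "web help desk": ["helpdesk01"],
    "chromium": ["wks-fleet-a", "kiosk-03"],
}

def build_patch_queue(entries, inventory, today):
    """Return KEV entries ordered by urgency, annotated with inventory matches."""
    queue = []
    for e in entries:
        added = date.fromisoformat(e["dateAdded"])
        due = date.fromisoformat(e["dueDate"])
        name = f'{e["vendorProject"]} {e["product"]}'.lower()
        hosts = sorted({h for kw, hs in inventory.items() if kw in name for h in hs})
        queue.append({
            "cve": e["cveID"],
            "window_days": (due - added).days,   # how much time CISA allowed
            "days_left": (due - today).days,     # negative means overdue
            "hosts": hosts,                      # empty: verify the inventory by hand
            "needs_external_intel": e["knownRansomwareCampaignUse"] == "Unknown",
        })
    # Nearest deadline first; shorter window, then CVE id, break ties.
    queue.sort(key=lambda r: (r["days_left"], r["window_days"], r["cve"]))
    return queue

if __name__ == "__main__":
    for row in build_patch_queue(KEV_SAMPLE, INVENTORY, date(2026, 3, 16)):
        state = "OVERDUE" if row["days_left"] < 0 else f'{row["days_left"]}d left'
        hosts = ", ".join(row["hosts"]) or "no inventory match"
        print(f'{row["cve"]:<15} {state:<9} window={row["window_days"]}d  {hosts}')
```

An entry with an empty `hosts` list is not proof the product is absent; it means the inventory has no record of it and needs a manual check.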