
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security Trivy, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce their exposure to cyberattacks.

Sens: Immediate | Conf: high | Analyzed: 2026-03-26

Authors: CISA

Source: CISA

Key Takeaways

  • CISA added CVE-2026-33634 to the Known Exploited Vulnerabilities (KEV) Catalog.
  • The vulnerability affects Aqua Security Trivy and involves embedded malicious code.
  • There is confirmed evidence of active exploitation in the wild.
  • Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability per BOD 22-01.

Affected Systems

  • Aqua Security Trivy

Vulnerabilities (CVEs)

  • CVE-2026-33634

Attack Chain

Threat actors are actively exploiting CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security Trivy. Specific details regarding the attack chain, payload delivery, or post-exploitation activities are not provided in the alert.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No detection rules or queries are provided in the alert.

Detection Engineering Assessment

  • EDR Visibility: Low — The alert does not provide technical details, behavioral indicators, or IOCs to guide EDR detection.
  • Network Visibility: Low — No network indicators or traffic patterns associated with the exploitation are described.
  • Detection Difficulty: Hard — Without specific IOCs or behavioral descriptions of the exploit, detection relies entirely on vulnerability scanning and software inventory rather than active threat hunting.

Required Log Sources

  • Vulnerability Management Scans
  • Software Inventory Logs

Hunting Hypotheses

  • Hypothesis: Identify instances of Aqua Security Trivy in the environment to determine vulnerability exposure.
  • Telemetry: Software inventory, Container scanning logs
  • ATT&CK Stage: Initial Access
  • FP Risk: Low

Control Gaps

  • Lack of automated vulnerability patching and software inventory tracking

Key Behavioral Indicators

  • Presence of vulnerable Aqua Security Trivy versions in the environment

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and patch all instances of Aqua Security Trivy affected by CVE-2026-33634 immediately.

Infrastructure Hardening

  • Integrate CISA KEV catalog checks into automated vulnerability management and CI/CD pipelines.

User Protection

  • N/A

Security Awareness

  • Ensure vulnerability management teams are aware of BOD 22-01 requirements and prioritize KEV catalog items for remediation.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1195.002 - Compromise Software Supply Chain