La Agencia de Seguridad de Infraestructura y Ciberseguridad de EE. UU. (CISA) el miércoles agregado una falla de seguridad crítica que afecta a n8n a sus vulnerabilidades explotadas conocidas (KEV) catálogo, basado en evidencia de explotación activa.
La vulnerabilidad, rastreada como CVE-2025-68613 (Puntuación CVSS: 9,9), se refiere a un caso de inyección de expresión que conduce a la ejecución remota de código. n8n solucionó la deficiencia de seguridad en diciembre de 2025 en las versiones 1.120.4, 1.121.1 y 1.122.0. CVE-2025-68613 es la primera vulnerabilidad n8n que se incluye en el catálogo KEV.
«N8n contiene un control inadecuado de la vulnerabilidad de los recursos de código administrados dinámicamente en su sistema de evaluación de expresiones de flujo de trabajo que permite la ejecución remota de código», dijo CISA.
Según los mantenedores de la plataforma de automatización del flujo de trabajo, un atacante autenticado podría aprovechar la vulnerabilidad para ejecutar código arbitrario con los privilegios del proceso n8n.
La explotación exitosa de la falla podría resultar en un compromiso total de la instancia, lo que permitiría al atacante acceder a datos confidenciales, modificar flujos de trabajo o ejecutar operaciones a nivel de sistema.
Actualmente no hay detalles sobre cómo se está explotando la vulnerabilidad en la naturaleza. Datos de la Fundación Shadowserver muestra que hay más de 24.700 casos sin parches expuestos en línea, más de 12.300 de ellos ubicados en América del Norte y 7.800 en Europa a principios de febrero de 2026.
La adición de CVE-2025-68613 se produce cuando Pillar Security reveló dos fallas críticas en n8n, una de las cuales, CVE-2026-27577 (puntaje CVSS: 9.4), se clasificó como «exploits adicionales» descubiertos en el sistema de evaluación de expresiones de flujo de trabajo después de CVE-2025-68613.
Se ordenó a las agencias del Poder Ejecutivo Civil Federal (FCEB) que parchearan sus instancias n8n antes del 25 de marzo de 2026, según lo dispuesto por una Directiva Operativa Vinculante (BOD 22-01) emitida en noviembre de 2021.
La Agencia de Seguridad de Infraestructura y Ciberseguridad de EE. UU. (CISA) el lunes agregado tres fallas de seguridad en sus vulnerabilidades explotadas conocidas (KEV) catálogo, basado en evidencia de explotación activa.
La lista de vulnerabilidades es la siguiente:
CVE-2021-22054 (Puntuación CVSS: 7,5) – Una falsificación de solicitud del lado del servidor (SSRF) vulnerabilidad en Omnissa Workspace One UEM (anteriormente VMware Workspace One UEM) que podría permitir que un actor malicioso con acceso de red a UEM enviar solicitudes sin autenticación y obtener acceso a información sensible.
CVE-2025-26399 (Puntuación CVSS: 9,8): una vulnerabilidad de deserialización de datos no confiables en el componente AjaxProxy de SolarWinds Web Help Desk que podría permitir a un atacante ejecutar comandos en la máquina host.
CVE-2026-1603 (Puntuación CVSS: 8,6): una omisión de autenticación que utiliza una ruta alternativa o una vulnerabilidad de canal en Ivanti Endpoint Manager que podría permitir que un atacante remoto no autenticado filtre datos de credenciales almacenados específicos.
La adición de CVE-2025-26399 se produce a raíz de informes de Microsoft y Huntress de que los actores de amenazas están explotando fallas de seguridad en SolarWinds Web Help Desk para obtener acceso inicial. Se cree que la actividad es obra del equipo de ransomware Warlock.
CVE-2021-22054, por otro lado, fue señalado por GreyNoise en marzo de 2025 como explotado junto con varias otras vulnerabilidades de la SSRF en otros productos como parte de una campaña coordinada.
Actualmente no hay detalles sobre cómo se está utilizando CVE-2026-1603 como arma en la naturaleza. Al momento de escribir este artículo, Ivanti boletín de seguridad no se ha actualizado para reflejar el estado de explotación.
Para contrarrestar el riesgo que representan las amenazas activas, se ordenó a las agencias del Poder Ejecutivo Civil Federal (FCEB) que apliquen la solución para la mesa de ayuda web de SolarWinds antes del 12 de marzo de 2026 y las dos restantes antes del 23 de marzo de 2026.
«Este tipo de vulnerabilidades son vectores de ataque frecuentes para actores cibernéticos maliciosos y plantean riesgos significativos para la empresa federal», dijo CISA.
La Agencia de Seguridad de Infraestructura y Ciberseguridad de EE. UU. (CISA) el jueves agregado dos fallas de seguridad que afectan los productos de Hikvision y Rockwell Automation a sus vulnerabilidades explotadas conocidas (KEV) catálogo, citando evidencia de explotación activa.
Las vulnerabilidades de gravedad crítica se enumeran a continuación:
CVE-2017-7921 (Puntuación CVSS: 9,8): una vulnerabilidad de autenticación inadecuada que afecta a múltiples productos Hikvision y que podría permitir a un usuario malintencionado escalar privilegios en el sistema y obtener acceso a información confidencial.
CVE-2021-22681 (Puntuación CVSS: 9,8): una vulnerabilidad de credenciales insuficientemente protegidas que afecta a múltiples controladores Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000 y Logix que podría permitir que un usuario no autorizado con acceso a la red del controlador omita el mecanismo de verificación y se autentique con él, así como también altere su configuración y/o código de aplicación.
La incorporación de CVE-2017-7921 al catálogo KEV se produce más de cuatro meses después de que SANS Internet Storm Center revelara que había detectado intentos de explotación contra cámaras Hikvision susceptibles a la falla. Sin embargo, no parece haber ningún informe público que describa los ataques que involucren a CVE-2021-22681.
A la luz de la explotación activa, se recomienda a las agencias del Poder Ejecutivo Civil Federal (FCEB) actualizar a las últimas versiones de software compatibles antes del 26 de marzo de 2026, como parte de Directiva operativa vinculante (DBO) 22-01.
«Este tipo de vulnerabilidades son vectores de ataque frecuentes para actores cibernéticos maliciosos y plantean riesgos significativos para la empresa federal», dijo CISA.
«Aunque BOD 22-01 solo se aplica a las agencias FCEB, CISA insta encarecidamente a todas las organizaciones a reducir su exposición a ataques cibernéticos priorizando la remediación oportuna de las vulnerabilidades del Catálogo KEV como parte de su práctica de gestión de vulnerabilidades».
La Agencia de Seguridad de Infraestructura y Ciberseguridad de EE. UU. (CISA) el martes agregado una falla de seguridad recientemente revelada que afecta las operaciones de Broadcom VMware Aria a sus vulnerabilidades explotadas conocidas (KEV) catálogo, citando explotación activa en la naturaleza.
La vulnerabilidad de alta gravedad, CVE-2026-22719 (Puntuación CVSS: 8,1), se ha descrito como un caso de inyección de comandos que podría permitir que un atacante no autenticado ejecute comandos arbitrarios.
«Un actor malicioso no autenticado puede aprovechar este problema para ejecutar comandos arbitrarios, lo que puede llevar a la ejecución remota de código en VMware Aria Operations mientras se realiza la migración de productos asistida por soporte», dijo la compañía. dicho en un aviso publicado a finales del mes pasado.
La deficiencia se solucionó, junto con CVE-2026-22720, una vulnerabilidad de secuencias de comandos entre sitios almacenados, y CVE-2026-22721, una vulnerabilidad de escalada de privilegios que podría resultar en acceso administrativo. Afecta a los siguientes productos:
VMware Cloud Foundation y VMware vSphere Foundation 9.xxx: corregido en 9.0.2.0
Operaciones de VMware Aria 8.x: corregido en 8.18.6
Los clientes que no puedan aplicar el parche inmediatamente pueden descargar y ejecutar un script de shell («aria-ops-rce-workaround.sh») como raíz de cada nodo del dispositivo virtual de operaciones Aria.
Actualmente no hay detalles sobre cómo se está explotando la vulnerabilidad en la naturaleza, quién está detrás de ella y la escala de dichos esfuerzos.
«Broadcom está al tanto de los informes sobre una posible explotación de CVE-2026-22719 en estado salvaje, pero no podemos confirmar de forma independiente su validez», señaló la compañía en una actualización de su boletín.
A la luz de la explotación activa, las agencias del Poder Ejecutivo Civil Federal (FCEB) deben aplicar las correcciones antes del 24 de marzo de 2026.
El director de información de la Agencia de Seguridad de Infraestructura y Ciberseguridad anunció su salida el martes, poniendo fin a su mandato de casi cinco años en CISA.
Robert Costello, un veterano de 18 años en el Departamento de Seguridad Nacional, publicado sobre la mudanza en LinkedIn.
«Servir como CIO en CISA ha sido uno de los mayores privilegios de mi carrera», afirmó. «Juntos, fortalecimos nuestra postura de ciberseguridad, modernizamos los sistemas críticos y creamos capacidades que perdurarán. Estoy increíblemente orgulloso de lo que logramos como equipo».
El mandato de Costello se había vuelto turbulento recientemente, con versiones contradictorias sobre si el ya fallecido director interino de CISA, Madhu Gottumukkala, había intentado obligarlo a salir. Costello recibió la semana pasada órdenes de transferencia para una posible reasignación a otra agencia.
Costello tenía partidarios en el Congreso y en otros lugares, como el presidente de Seguridad Nacional de la Cámara de Representantes, Andrew Garbarino, RN.Y., diciendo tan recientemente como el mes pasado que era bueno que un intento anterior de sacar a Costello del puesto de CIO de CISA hubiera fracasado.
Como CIO de la agencia, Costello abogó por la tecnología de primer nivel como bendición de reclutamiento. Ha estado involucrado en esfuerzos para responder a las vulnerabilidades dentro de CISA. A veces ha actuado como rostro público de la agencia en eventos, ha promocionado nuevas herramientas diseñado para mejorar los servicios de CISA y ha abogado por mayor uso de la inteligencia artificial en su papel.
“A lo largo de mi carrera en CISA, Aduanas y Protección Fronteriza de EE. UU., Servicio de Inmigración y Control de Aduanas (ICE) de EE. UU. y en la Fuerza Aérea de los Estados Unidos, me ha guiado el compromiso de proteger nuestra nación y promover el bien común”, dijo Costello. «Ha sido el honor de mi vida servir junto a servidores públicos cuya integridad y profesionalismo marcan la pauta».
Costello no indicó sus planes futuros más allá de dejar el gobierno federal y un “compromiso de servicio y con esta nación”.
La medida de Costello no es la única reorganización reciente en la agencia. CISA recientemente consiguió un nuevo director interino, Nick Andersen, para reemplazar a Gottumukkala después de que el ex director interino se fuera a un puesto en la sede del DHS, mientras la nominación de Sean Plankey para dirigir CISA continúa estancada. Según se informa, el director interino de recursos humanos, Kevin Diana, también órdenes de transferencia recibidas.
Madhu Gottumukkala dejó el cargo de director interino de la Agencia de Seguridad de Infraestructura y Ciberseguridad, y el actual director ejecutivo de ciberseguridad de la agencia, Nick Andersen, lo reemplazó como líder interino.
La noticia de la salida de Gottumukkala llega un día después de que CyberScoop informara sobre la consternación generalizada por el desempeño de la agencia durante el primer año de la administración Trump, con importantes críticas dirigidas al liderazgo de Gottumukkala en ambos lados del pasillo después de una serie de historias poco halagadoras sobre su gestión.
“Madhu Gottumukkala ha hecho un trabajo extraordinario en la ingrata tarea de ayudar a reformar la CISA para que vuelva a su misión estatutaria central”, dijo a CyberScoop el jueves un funcionario del Departamento de Seguridad Nacional. “Abordó la burocracia despierta, armada e inflada que existía en CISA, negociando contratos para ahorrar dólares de los contribuyentes estadounidenses”.
Gottumukkala, se desempeñó como director de información bajo la entonces gobernadora de Dakota del Sur, Kristi Noem, ahora secretaria del DHS, antes de ser elegido subdirector de la agencia. La nominación de Sean Plankey para desempeñarse como director a tiempo completo de CISA se ha estancado, dejando a Gottumukkala como director interino en su lugar.
Gottumukkala asumirá un nuevo rol en el DHS, como director de implementación estratégica. Andersen ha obtenido críticas más favorables de la industria y los profesionales cibernéticos durante su mandato en CISA que Gottumukkala, a quien algunos todavía elogian por su perspicacia técnica.
ABC Noticias reportado por primera vez las noticias sobre los movimientos de Gottumukkala y Andersen. La noticia llega el mismo día que se informa sobre otro cambio de liderazgo en la agencia, con Cybersecurity Dive. primer informe sobre la salida de Robert Costello como CIO de CISA.
Si bien algunos funcionarios con los que CyberScoop habló esta semana para su artículo sobre CISA creían que la agencia tenía cierta duplicación, la mayoría pensó que la administración Trump había hecho recortes mucho más profundos de lo necesario, dañando a la agencia.
Andersen ha ocupado varios puestos en TI y ciberseguridad en el sector público durante las últimas dos décadas, incluidos puestos en la Guardia Costera, la Marina y el Departamento de Energía.
“It’s really hard to find something positive to say right now.”
It’s been a little more than one year into the second Trump administration, and there’s a large consensus, if not total unanimity, among those who have worked with and for the Cybersecurity and Infrastructure Security Agency: It has suffered significantly during that time.
CISA has lost roughly a third of its personnel and shuttered entire divisions. Observers across the political spectrum told CyberScoop for this story that even on its core missions, like coordinating with industry and protecting federal networks, the agency is significantly diminished.
Many sources that spoke with CyberScoop did so under the condition of anonymity, in order to be more candid or avoid retribution. They told CyberScoop that CISA’s biggest problems, and their consequences, include:
Trump’s ire over the 2020 election results has led to the agency being deprioritized within the administration. Congress has yet to approve the administration’s permanent pick to lead the agency, Sean Plankey, and lawmakers have failed to do other things to strengthen it.
CISA’s capabilities have been significantly diminished by the loss of personnel, expertise and programs.
In the absence of a permanent leader, Acting Director Madhu Gottumukkala has struggled to lead the agency. “I don’t think anybody would argue he’s doing a great job,” one industry source said.
Organizations that previously turned to CISA for help now seek alternatives, like industry alliances, outside consultants or government-to-government partnerships.
Where to assign blame varied from source to source. Most criticized both the administration and Congress, though some faulted one more than the other.
Some see bright sports in CISA under the current administration. And while many are pessimistic about the agency’s future, others expressed optimism.
But the first year reviews are not glowing.
“Year one was a tough year for the agency,” said House Homeland Security Committee Chairman Andrew Garbarino, R-N.Y. He noted that a “lot of the best and brightest have left the agency,” though he expressed optimism about Plankey’s ability to turn CISA around. “The amount of cyberattacks that our nation is seeing every day, both on the private side and on the federal government side — you want your best people there fighting against it, and if they’re somewhere else, it definitely leaves us all vulnerable.”
Said Mississippi Rep. Bennie Thompson, the top Democrat on Garbarino’s panel: “It’s tough to have a robust entity when you cut the money…we are weaker because of CISA’s lack of manpower.”
When priorities shifted
Trump has harbored animosity toward CISA since 2020, when it contradicted his false claims related to widespread electoral fraud. He and his allies built on that animosity, recommending in Project 2025 that the agency be dismantled, divided by its core responsibilities, and farmed out to other federal agencies.
“There was uniquely a target on its back,” said one CISA official who left in 2025. That hostility came from some Republicans in Congress, especially Kentucky Sen. Rand Paul, who chairs the Senate Homeland Security and Governmental Affairs Committee.
Said Thompson: “CISA wasn’t politicized for the most part, until the Trump administration came along and accused them of somehow contributing to his [election] loss.”
CISA has lost substantial personnel, including veterans and whole teams. Some employees were transferred to other divisions in the Department of Homeland Security. Election security was quickly cut. Two information sharing and analysis centers (ISACs) that serve state and local governments lost funding. A division coordinating with foreign governments, businesses and state and local governments was effectively closed.
The agency has lost senior leaders in programs like counter-ransomware initiatives, threat hunting and secure software development. Contracts for things like detecting threats in critical infrastructure networks, tracking vulnerabilities and collaborating with industry teetered, albeit sometimes only temporarily.
DHS has unraveled multiple programs in which CISA plays a key role, such as by dismissing members of the Cyber Safety Review Board and disbanding the Critical Infrastructure Partnership Advisory Council. Congress has lurched between letting both a key state and local cyber grant program and a cyber threat information sharing law lapse and temporarily re-upping them.
The departures and program changes likely haven’t ended, either.
“It’s not a very harmonious place right now,” said one industry source. “I hear from people that are looking to leave.” Former CISA employees say those who remain either believe strongly in the mission, or are simply keeping their heads down until retirement from federal service.
“People I talk to say the morale is really low,” said James Lewis, distinguished fellow with the tech policy program at the Center for European Policy Analysis think tank.
CISA and DHS officials routinely say the changes are designed to get the agency “back on mission.” Lewis, industry officials and others say CISA probably never needed to get involved in combatting misinformation and disinformation, roles that rankled some conservatives, but the agency largely halted that work prior to Trump returning to office.
Some saw duplication and redundancy at CISA as legitimate problems. “I did see overlap between who was actually doing policy and who was actually doing the operational work,” said Ari Schwartz, managing director of cybersecurity services at the law firm Venable and a former Obama administration cybersecurity official.
It was not that long ago when CISA experienced quick budget growth, particularly after its establishment in 2018.
“As with any organization, the first few years are growth years and after a while, the agency needed to reevaluate how it was operating and meeting its statutory authorities,” said Kate DiEmidio, who formerly served as the agency’s director of legislative affairs and acting chief external affairs officer. “There was a need for the agency to refocus.”
Even among those who saw the need for change at CISA, though, many saw the Trump administration as going way too far. “CISA needed surgery,” Lewis said, but “what it needed was surgery with a scalpel, not a sledgehammer.” He added, “Not only is the White House hostile to CISA, but cybersecurity isn’t a priority for them.”
A question of capacity
The cuts have created real-world consequences for cybersecurity coordination. Former officials and industry partners describe broken relationships, unanswered requests for help and serious questions about whether CISA can handle a major crisis. The coordination and engagement that defined the agency’s approach have largely diminished.
The end result is that “they’ve dismantled all of those capabilities in units within government,” said Caitlin Durkovich, a former DHS official in the Obama administration and White House official in the Biden administration. She recently started a firm with former top CISA official Jeff Greene that offers services CISA has scaled back, such as security assessments.
“It’s been really hard to watch,” Greene said, how CISA has been working with the private sector and local governments on “developing a level of trust that is weakening or gone.”
One industry source said they used to meet regularly with top officials, but now can’t get a response. “We’ve got really good engagement elsewhere in government. We really would like the opportunity to do the same thing with CISA,” they said. ““Some of the trust that had been built up has been eroded.”
Thompson said the biggest losses have been in election security and secure-by-design, areas where his staff says personnel has been “decimated.”
Said another industry source: “I do feel like that when people, if organizations, want to reach out to CISA, it’s not clear who’s there… If we got into a major conflict, let’s say, with China, and they start triggering Volt Typhoon-related malware, are we organized and ready to roll? I don’t think so.”
Another former CISA official described the current situation as a “lack of capacity,” especially when it comes to coordinating with state and local governments and others on a regional basis.
“A bunch of regions are really grappling with the loss of really key personnel who were the ones that were establishing and maintaining these relationships, and really trying to build the trust between the agency and the private sector, and especially in critical infrastructure,” they said. “Not having as many people to help do that national coordinating function that CISA is supposed to do is a real issue.”
They also said there are fewer people working in “flagship programs” like secure-by-design and developing regulations for the landmark Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). “People are overstretched,” they said. “They’re not doing all the things that they could or should be doing, or want to be doing, and I think that you see evidence of that with talk from the private sector and their inability to to reach people and to get help “
Schwartz said he worries about when “an incident happens, do they have the people to go in, go to the states, go locally, and really do the work that’s needed, as they did in the past? Because they’ve lost some of that ability.”
Lewis said that “overall, the impression is it’s a much weaker entity than it was a year ago.”
“Their power was in their ability to act as a focal point, to coordinate, to bring people together, and just the publication of vulnerabilities and some of the things they were starting to get into in the previous administration were big steps forward that’s been diminished because they don’t have the people now,” he said. “So a smaller organization, that’s just not going to be as powerful.”
State and local governments say they’ve lost critical connections with CISA, saying they’ve had to turn to one another to fill the gaps.
“We’re asking states to do a job they’re not resourced to do, while weakening the one federal agency designed to help them,” said Errol Weiss, chief security officer at the Health-ISAC. “This is precisely where you do need a strong, centralized federal security function. We already have a national shortage of cybersecurity experts, and you can’t just replicate that expertise 50 times over.”
Overall, Weiss said industry partners have felt the lack of outreach from the agency. “Fewer touchpoints, fewer briefings, fewer problem‑solving calls,” he told CyberScoop, adding that there’s “a growing perception that CISA is being hollowed out where it matters most to industry: stakeholder engagement, collaborative forums, and operational support during incidents.”
Rob Knake, a former top Biden administration official, recently said that “CISA as an organization has pretty much fallen apart.”
Leadership in limbo
One near-universal sentiment is that as Sean Plankey’s leadership nomination drags in the Senate, the agency is worse off.
“We need to start this year off right, and we’re already in February and can’t get Plankey confirmed,” Garbarino said. “There’s nothing better than having a Senate-confirmed person running the show.”
The acting director has also faced criticism beyond the operational issues. Gottumukkala, who served as South Dakota’s chief information officer under Kristi Noem before she became DHS secretary, has faced fire from both parties for his stewardship.
A string of embarrassing stories have emerged about Gottumukkala, from the tale of him failing a polygraph test and seeking to oust those who administered it; to his reported attempted ouster of veteran agency CIO Robert Costello; to his reported uploading of sensitive contract data to ChatGPT. DHS has defended Gottumukkala amid those revelations.
Reading stories like that, “It just sounds like amateur hour,” said one former CISA employee.
“I don’t think he’s up to the task. I believe that he’s not the best person, and I think he is just somebody the secretary likes, because they both are from South Dakota.” Thompson said. “I don’t know anybody before this administration who would be in sensitive areas and not have passed minimal standards like the polygraph.”
The ChatGPT story drew concern from the right by Senate Judiciary Chairman Chuck Grassley, R-Iowa, as well as from conservative figure Laura Loomer (the latter of whose remarks were racially tinged). Others were more perturbed by the lie detector story.
“When you have security issues with someone in a leadership position, you should find another place for them to go,” said a former Trump administration national security official. “There are plenty of competent people in DHS, in CISA, who could hold things together until Sean Plankey gets there. There are lots of serious things CISA needs to be working on right now. This is a drag on that. It’s not a place where you want any type of friction at the top.”
Garbarino was more generous, noting Gottumukkala’s technical background. DiEmidio also noted Gottumukkala’s technical skills. But Garbarino and Nevada Rep. Mark Amodei, the GOP chairman of the House Appropriations Subcommittee on Homeland Security, have been seeking CISA’s organizational plans to no avail.
“I don’t think he’s intentionally lying to us by saying there’s no reorg plan,” Garbarino said. “But there’s got to be some reasoning behind all these moves, moving the people around, or layoffs or whatever. I want to give him the benefit of the doubt that he is the technical guy that has been given a non-technical job to do.”
Schwartz and some others largely blame Congress for CISA’s current woes, since they haven’t approved Plankey as a full-time, permanent leader. “A lot of the issue is the fact that just doesn’t have the leadership to be able to participate in senior-level discussions,” he said.
What’s left to build on
Despite myriad complaints, many observers still see value in the current iteration of CISA. Some are hopeful about its ability to rebound, too.
CISA says it’s still devoted to its missions. The agency published a 2025 year-in-review about its accomplishments.
“CISA remains steadfast in its mission to safeguard the systems Americans rely on by strengthening federal network defenses, empowering businesses, and fortifying critical infrastructure nationwide,” Gottumukkala said in a statement to CyberScoop.
Moving forward, “we will deepen collaboration with trusted partners, prioritize highly skilled technical professionals, and direct resources for maximum impact—accelerating innovation, operational coordination, and workforce right-sizing to reduce long-term risks while maintaining strong industry partnerships and cost efficiency,” he said. “The CISA leadership and workforce remains committed to this mission despite a small minority who are upset that accountability and reform have come to the agency.”
It’s a message Gottumukkala recently delivered to Congress. “He tried to give the impression that we haven’t lost any capacity,” Thompson said. “I wasn’t impressed.”
Others said CISA is still carrying out many of its old tasks, such as issuing public alerts on vulnerabilities and threats.
“There’s still some good reporting coming out,” Greene said. “But what I can’t know is the volume of what they can put out versus what they used to be able to put out.”
Weiss said “CISA still has tremendous value in areas only the federal government can truly provide: national‑level visibility, cross‑sector coordination and the ability to marshal resources across agencies in a crisis.” But it’s not clear whether CISA can rise to the occasion like it did during the 2024 Change Healthcare crisis.
“All of this means it’s more important than ever for the private sector to take the initiative,” he said. “Critical infrastructure owners and operators cannot assume the federal government will have the capacity to step in the way it once did.”
Weiss and others also said that CISA has refocused on federal networks, but others, such as Lewis, said it’s also diminished there. “That’s their primary mission, and they don’t have the policies or the bodies to do that,” Lewis said.
Garbarino and a number of industry sources say they’re encouraged by the idea that the Trump administration could write less onerous regulations for CIRCIA, with an earlier draft drawing bipartisan and industry criticism.
A Senate-confirmed leader could further brighten the agency’s prospects, many agree. “They still have some good talent there. It’s not totally that we’ve lost everything there,” Schwartz said. “If you have leadership in there, then you can build it up.”
DiEmidio said some of the staff changes have made sense. Election security had more people than other sectors that needed the help, she said.
“In some ways, I think the external attention to CISA’s mission in the media and with Congress was completely focused on one or two things, and the focus on the things that really matter, and the good work that CISA is doing got overshadowed,” she said. For the agency’s cybersecurity division and other cyber teams, “there were several incidents over the summer where those teams were incredible. They were working evenings, weekends.”
But many agree that rebuilding CISA’s workforce will be difficult.
The Trump administration has deliberately made working for the federal government challenging as a matter of policy. Russell Vought, head of the Office of Management and Budget, said before the election that the goal was to put federal workers “in trauma.” Morale at CISA has been particularly bad, they say. Periodic DHS shutdowns haven’t helped.
Some of what CISA needs to do going forward is about managing expectations, said DiEmidio.
“What I would want to make sure is that CISA has a hiring plan in place to start hiring, especially in those key technical positions at all levels,” she said. “ I think you have to have an understanding that people are going to rotate in and out of government. Not everyone wants to stay in government long term and that’s okay.”
But there are some worries about CISA recruiting going forward. “Just the way they handle the departures, for a lot of folks, I don’t think it gives a lot of encouragement to individuals that ‘Hey, this is a great place to work,’” said one former DHS official.
La Agencia de Seguridad de Infraestructura y Ciberseguridad de EE. UU. (CISA) el martes agregado cuatro fallas de seguridad en sus vulnerabilidades explotadas conocidas (KEV) catálogo, citando evidencia de explotación activa en la naturaleza.
La lista de vulnerabilidades es la siguiente:
CVE-2026-2441 (Puntuación CVSS: 8,8): una vulnerabilidad de uso después de la liberación en Google Chrome que podría permitir a un atacante remoto explotar potencialmente la corrupción del montón a través de una página HTML diseñada.
CVE-2024-7694 (Puntuación CVSS: 7,2) – Un vulnerabilidad de carga de archivos arbitrarios en TeamT5 ThreatSonar Anti-Ransomware versiones 3.4.5 y anteriores que podrían permitir a un atacante cargar archivos maliciosos y lograr la ejecución arbitraria de comandos del sistema en el servidor.
CVE-2020-7796 (Puntuación CVSS: 9,8): una vulnerabilidad de falsificación de solicitudes del lado del servidor (SSRF) en Synacor Zimbra Collaboration Suite (ZCS) que podría permitir a un atacante enviar una solicitud HTTP diseñada a un host remoto y obtener acceso no autorizado a información confidencial.
CVE-2008-0015 (Puntuación CVSS: 8,8): una vulnerabilidad de desbordamiento de búfer basada en pila en el control ActiveX de vídeo de Microsoft Windows que podría permitir a un atacante lograr la ejecución remota de código mediante la configuración de una página web especialmente diseñada.
La adición de CVE-2026-2441 al catálogo KEV se produce días después de que Google reconociera que «existe un exploit para CVE-2026-2441 en la naturaleza». Actualmente no se sabe cómo se está utilizando la vulnerabilidad como arma, pero dicha información generalmente se retiene hasta que la mayoría de los usuarios se actualizan con una solución para evitar que otros actores de amenazas se unan al tren de la explotación.
En cuanto a CVE-2020-7796, un informe publicado por la firma de inteligencia sobre amenazas GreyNoise en marzo de 2025 reveló que un grupo de aproximadamente 400 direcciones IP estaba explotando activamente múltiples vulnerabilidades SSRF, incluida CVE-2020-7796, para atacar instancias susceptibles en EE. UU., Alemania, Singapur, India, Lituania y Japón.
«Cuando un usuario visita una página web que contiene un exploit detectado como Exploit:JS/CVE-2008-0015, puede conectarse a un servidor remoto y descargar otro malware», Microsoft notas en su enciclopedia de amenazas. También dijo que tiene conocimiento de casos en los que el exploit se utiliza para descargar y ejecutar perroun gusano que se propaga a través de unidades extraíbles.
El gusano viene con capacidades para recuperar y ejecutar binarios adicionales, sobrescribir ciertos archivos del sistema, finalizar una larga lista de procesos relacionados con la seguridad e incluso reemplazar el archivo Hosts de Windows en un intento de evitar que los usuarios accedan a sitios web asociados con programas de seguridad.
Actualmente no está claro cómo se explota la vulnerabilidad TeamT5 ThreatSonar Anti-Ransomware. Se recomienda a las agencias del Poder Ejecutivo Civil Federal (FCEB) que apliquen las correcciones necesarias antes del 10 de marzo de 2026 para una protección óptima.
Actualizar
en un publicación de seguimiento Publicado el 22 de febrero de 2026, TeamT5 dijo que la vulnerabilidad se relaciona con un problema identificado en 2024 y que desde entonces todos los clientes afectados han migrado desde versiones vulnerables de su producto ThreatSonar Anti-Ransomware.
La compañía de seguridad taiwanesa dijo que desde entonces ha mejorado su ciclo de vida de desarrollo de software seguro y sus controles de seguridad de productos, así como procesos estandarizados de respuesta a incidentes internos y gestión de vulnerabilidades.
(La historia se actualizó después de la publicación para incluir detalles de TeamT5).
