In this issue
-
FDA & US regulatory
Letters, guidance, enforcement
-
CISA KEV & CVEs
Vulnerabilities in your SBOM
-
Standards & international
AAMI, ISO, IEC, EU MDCG
-
What to do this week
Concrete actions for security leads
CISA has added twelve new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, primarily targeting Microsoft Windows kernels, legacy ActiveX components, and Apple mobile operating systems. These flaws are being actively used by attackers to achieve remote code execution and administrative privilege escalation on clinical workstations and mobile medical controllers.
The cybersecurity landscape for medical device manufacturers has seen a significant shift this week as several legacy and modern vulnerabilities entered the CISA KEV list. These additions signal that threat actors are successfully bypassing security barriers in common operating systems and middleware used across the healthcare ecosystem. For regulatory and security leads, these updates demand an immediate review of the Software Bill of Materials (SBOM) for both legacy and current product lines.
Of particular concern is the continued exploitation of older technologies, such as Windows ActiveX and legacy Apache ActiveMQ versions, which remain embedded in many networked bedside monitors and imaging systems. Because the FDA expects manufacturers to monitor for and respond to known exploited vulnerabilities, these KEV entries serve as a formal trigger for risk reassessment and patching cycles to maintain device safety and effectiveness.
Key Takeaways
- Attackers are actively exploiting Apache ActiveMQ (CVE-2026-34197) to execute unauthorized code via malicious data inputs in messaging middleware.
- Multiple Windows vulnerabilities (CVE-2026-21513, CVE-2026-21510) allow attackers to bypass shell protections and host security controls without local access.
- A legacy Windows Video ActiveX flaw (CVE-2008-0015) is being used to target older Class II diagnostic devices and imaging workstations.
- Apple iOS and iPadOS devices used as medical controllers are at risk from a kernel-level exploit (CVE-2023-41974) that allows malicious apps to bypass sandboxes.
- Cisco Catalyst SD-WAN Manager (CVE-2026-20128) contains a flaw where recoverable passwords can lead to lateral movement across hospital networks.
In this brief
- Critical Update for Messaging Middleware
- Widespread Exploitation of Windows Protection Mechanisms
- Legacy ActiveX and Out-of-Bounds Risks
- Mobile OS Kernel Vulnerabilities
- Infrastructure and Network Management Flaws
Why This Matters
For medical device manufacturers, a KEV listing is more than a technical alert. It represents a confirmed threat that the FDA monitors closely during post-market surveillance. Organizations must demonstrate they are managing these risks to prevent disruptions to clinical workflows or unauthorized access to patient data, especially when vulnerabilities allow for full administrative control of a device.
Critical Update for Messaging Middleware
CISA has confirmed that attackers are actively using CVE-2026-34197, an improper input validation vulnerability in Apache ActiveMQ.
Widespread Exploitation of Windows Protection Mechanisms
A series of Windows-related vulnerabilities have been added to the KEV list, including CVE-2026-21513, CVE-2026-21510, and CVE-2026-32202.
Legacy ActiveX and Out-of-Bounds Risks
The addition of CVE-2008-0015 to the KEV catalog highlights a trend of attackers targeting legacy medical workstations.
Mobile OS Kernel Vulnerabilities
Mobile devices in clinical settings are also under threat.
Infrastructure and Network Management Flaws
Two significant vulnerabilities target the underlying infrastructure used by healthcare providers.
How Blue Goat Cyber Helps
Blue Goat Cyber provides specialized medical device security services to help manufacturers navigate the complexities of KEV management and FDA compliance. We assist in vulnerability disclosure processes and help secure your legacy and next-generation systems against active threats. Learn more about our approach on our services page.
FAQ
What is the significance of a vulnerability being added to the CISA KEV list? It indicates the vulnerability is actively being exploited in the wild, requiring prioritized remediation.
How does the FDA view vulnerabilities listed in the CISA KEV catalog? The FDA expects manufacturers to monitor these updates and address them as part of their post-market cyber risk management.
Should I prioritize patching legacy systems if they are on an internal hospital network? Yes, because many of these vulnerabilities allow for lateral movement from compromised internal endpoints.
Get the next issue
Sign up for the weekly brief at /news/the-goats-weekly to stay informed on the latest regulatory updates and cybersecurity threats.