TechSignal.news
Cybersecurity

CISA Directive Forces Federal Agencies to Abandon CVSS-Only Patching

New federal mandate requires risk-based vulnerability prioritization using CISA's Known Exploited Vulnerabilities catalog. Legacy scanners that report only CVSS scores face obsolescence in government contracts.

TechSignal.news AI4 min read

Federal mandate rewrites vulnerability management requirements

CISA's Binding Operational Directive 26-04 requires all federal civilian agencies to prioritize security patches based on exploit risk rather than severity scores alone. Agencies must align vulnerability management policies with CISA's Known Exploited Vulnerabilities catalog, which tracks thousands of actively exploited CVEs. The directive is enforceable across hundreds of thousands of federal systems and will cascade into private sector procurement within months.

For enterprise buyers, this creates immediate pressure to replace tools that surface vulnerabilities without prioritizing them by actual threat. A scanner that reports 10,000 CVEs ranked only by CVSS becomes a liability when the board asks how many Known Exploited Vulnerabilities remain open and for how long.

What changes for vulnerability management buyers

The directive shifts the compliance baseline from "scan everything" to "fix what attackers use first." Federal agencies must now demonstrate KEV-driven remediation timelines, not just vuln counts. This standard will spread through three mechanisms: vendor roadmaps chasing federal revenue, cyber insurance questionnaires adopting KEV metrics, and board members asking why the company isn't using the same framework as regulated agencies.

Vendors already integrating KEV data gain an advantage. Tenable One, Qualys VMDR, and Rapid7 InsightVM highlight KEV coverage and can report time-to-remediate on catalog items. Cloud posture tools from Wiz, Palo Alto Prisma Cloud, and Orca map misconfigurations and CVEs to KEV status. Tools that only count vulnerabilities or sort by CVSS without overlaying exploit intelligence become harder to justify in RFPs.

Buyers should expect new line items in contracts: KEV-centric dashboards, SLA enforcement at the KEV level rather than global CVE level, and integration with ticketing systems like ServiceNow to encode KEV-driven remediation timelines. Legacy point scanners that cannot natively ingest and act on CISA's catalog will lose ground in competitive evaluations.

Oracle PeopleSoft zero-day raises ERP security visibility

Google's Mandiant team reported that threat group ShinyHunters exploited Oracle PeopleSoft vulnerability CVE-2026-35273 before Oracle released mitigations. Oracle has not confirmed zero-day status publicly, but exploitation reports indicate a window where no patch existed. PeopleSoft concentrates HR, finance, and ERP functions across thousands of large enterprises and public sector organizations.

For organizations still running PeopleSoft, this creates an immediate inventory task: identify external-facing instances, validate mitigations for CVE-2026-35273, and review logs for ShinyHunters indicators. The broader impact is strategic. This episode strengthens the case for ERP modernization as a security initiative rather than just an IT refresh. Migration from legacy PeopleSoft to Oracle Fusion Cloud or Workday eliminates entire attack surfaces that external attack surface management tools struggle to secure.

Buyers evaluating managed detection and response providers should ask how quickly the vendor ingested ShinyHunters IOCs and whether their service monitors ERP application logs, not just OS and network telemetry. ERP-specific detections separate credible MDR from generic log aggregation.

$250-per-month stealer demonstrates industrialization of credential theft

Researchers documented OnyxC2, a stealer and command-and-control framework sold to criminals for $250 per month. The tool targets more than 200 applications and browser extensions, uses encrypted payloads and DLL sideloading, and executes in memory to evade signature-based detection. The pricing and feature set position OnyxC2 as commodity infrastructure for credential harvesting.

This pricing point—lower than most enterprise SaaS subscriptions—means credential theft capabilities once limited to advanced groups are now accessible to any actor with a credit card. The 200+ application coverage includes enterprise browsers, developer tools, and crypto wallets, giving criminals comprehensive visibility into corporate environments.

For endpoint and identity security buyers, this underscores the inadequacy of signature-based antivirus. Tools must detect in-memory execution, DLL sideloading, and encrypted payload staging. Endpoint detection and response vendors like CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint compete on behavioral detection for these techniques. Identity teams should expect credential stuffing attempts to increase as stolen data feeds directly into C2 infrastructure. Multi-factor authentication becomes table stakes, with hardware tokens or phishing-resistant methods required for privileged accounts.

What to watch

Track how quickly your current vulnerability management vendor integrates new KEV additions and whether they surface KEV status in default views or bury it in export reports. If your ERP runs on legacy platforms like PeopleSoft, budget for external attack surface management and application-aware WAF, or accelerate cloud ERP migration timelines. For endpoint security, test whether your EDR detects the specific techniques OnyxC2 uses—in-memory execution and DLL sideloading—rather than relying on IOC feeds that criminals update faster than vendors.

The CISA directive creates a measurable standard: percentage of KEV items closed within agency-mandated timelines. Boards will adopt this metric whether you operate in the public sector or not. If your current tools cannot report it, you are behind.

Vulnerability ManagementCISAERP SecurityEndpoint SecurityFederal Compliance

Technology decisions, clearly explained.

Weekly analysis of the tools, platforms, and strategies that matter to B2B technology buyers. No fluff, no vendor spin.

More in Cybersecurity