
Hacked: US cyber agency adds six vulnerabilities to known-exploited listing

Microsoft zero-day vulnerability added to KEV Catalog alongside SmarterTools SmarterMail authentication bypass bug and Broadcom RCE flaw.

Tue, 27 Jan 2026

Six more vulnerabilities have been added to the United States Cybersecurity & Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog, bringing the total added this year to 15.

CVE-2024-37079 was added to the naughty list on January 23 and is an Out-of-bounds Write Vulnerability in Broadcom’s VMware vCenter Server. Originally published in June 2024, this vulnerability could allow an actor with network access to achieve remote code execution via a specially crafted network packet.

The vulnerability has a CVSS score of 9.8, making it of Critical Severity, and it impacts the following versions of VMware vCenter Server:

  • 8.0 before 8.0 U2d
  • 8.0 before 8.0 U1e
  • 7.0 before 7.0 U3r

By comparison, the Microsoft Office zero-day is a far newer and more alarming vulnerability, and was added to the KEV Catalog on the day of its publication. This zero-day is a Security Feature Bypass Vulnerability impacting Microsoft Office 2019 and has a High Severity CVSS score of 7.8.

According to Microsoft, “Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorised attacker to bypass a security feature locally”.

“Microsoft is announcing the availability of the security updates for Microsoft Office 2016 and 2019,” Microsoft said.

“Customers running these versions of Office should install the update for their product to be protected from this vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.”

CVE-2018-14634, however, is quite an old one: it was initially published in August 2018, and its CVE listing was last updated in 2021. This is an integer overflow flaw in the Linux kernel's create_elf_tables() function, and it could allow an unprivileged local user to escalate their privileges.

Kernel versions 2.6.x, 3.10.x and 4.14.x are all thought to be vulnerable.

Cyber Daily has already covered CVE-2025-52691 following its coverage by the Cyber Security Agency of Singapore. The CSA published an advisory covering this vulnerability in SmarterTools’ SmarterMail software on December 29, 2025, warning that “Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution”.

Users and cyber security experts had already been warning of malicious activity targeting this vulnerability, and now CISA has made it official.

CVE-2026-23760 is the official record of another flaw previously covered by Cyber Daily, and again impacts SmarterMail. This is an authentication bypass vulnerability that was patched earlier this month, but it appears hackers have already reverse-engineered the patch and are having a field day with this one.

In the words of watchTowr boss Benjamin Harris, “Assume breach, patch now and start hunting for compromise.”

Finally, CVE-2026-24061 is another recently published vulnerability that allows remote authentication bypass in GNU Inetutils’ telnetd. This vulnerability has a CVSS score of 9.8, making it a Critical Severity flaw.

According to a security update published on lists.debian.org, updating the inetutils packages is the best recommendation.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
