From 14 Days to 72 Hours: CISA's KEV Deadline Squeeze and the SMB Patch Playbook for May 2026

On May 1, 2026, Reuters reported that CISA leadership is considering cutting the federal remediation deadline for Known Exploited Vulnerabilities from 14 days to 72 hours. The rationale cited in the reporting is the same one anyone running a SOC has been muttering since February: AI tooling — specifically Anthropic's "Claude Mythos" — has compressed the window between disclosure and weaponization to a level that makes a two-week patch cycle look quaint.

That policy is not yet final. But the operational reality already is. Between April 20 and April 25, 2026, CISA added 12 actively-exploited CVEs to the KEV catalog with federal deadlines of April 23, May 4, and May 25. Per trackr.live's mirror of the KEV catalog, the list now stands at 1,591 entries with 23 added in the last 30 days. VulnCheck data cited in the same Reuters story shows that 29% of 2025 KEV-listed flaws were exploited on or before the day the CVE was published.

For SMBs, none of this is technically binding. BOD 22-01 only applies to Federal Civilian Executive Branch agencies. The pressure flows downstream anyway. If you sell into government, partner with an MSP that serves government, run a contractor portal, or have a single client that bakes "follow CISA timelines" into their security addendum, you inherit the deadline. Insurance carriers are watching too. This is the moment to stop treating KEV as a federal compliance bulletin and start treating it as your monthly patch roadmap.

What landed on KEV in the last 30 days

The April 20 batch and the April 24-25 batch together cover the products most SMBs actually run. Per The Hacker News and SecurityAffairs, the consolidated list:

• CVE-2024-57726 / CVE-2024-57728 — SimpleHelp remote support software. Missing authorization (CVSS 9.9) chained with path traversal lets a low-privileged technician escalate to server admin and push payloads to every endpoint connected to that SimpleHelp instance. Arctic Wolf has been watching ransomware crews use this RMM as initial access since January 2025. Federal deadline May 25.
• CVE-2024-7399 — Samsung MagicINFO 9 Server path traversal. Federal deadline May 25. Mostly digital signage, but enterprise-grade and often forgotten on flat networks.
• CVE-2025-29635 — D-Link DIR-823X series command injection. Cheap edge router still common in branch offices. Federal deadline May 25.
• CVE-2023-27351 — PaperCut NG/MF improper authentication. Old flaw, re-listed because Clop and LockBit are using it again on patched-but-not-really print servers. Federal deadline May 4.
• CVE-2024-27199 — JetBrains TeamCity path traversal. Reads credentials and configuration off build servers. Federal deadline May 4.
• CVE-2025-2749 — Kentico Xperience path traversal. CMS, often public-facing. Federal deadline May 4.
• CVE-2025-32975 — Quest KACE Systems Management Appliance improper authentication. CVSS 10.0. Lets attackers impersonate any user with no password. Federal deadline May 4.
• CVE-2025-25064 — Synacor Zimbra Collaboration Suite. Federal deadline April 23 (already passed).
• CVE-2026-20133 / CVE-2026-20120 / CVE-2026-20124 — Cisco Catalyst SD-WAN Manager information disclosure cluster. Federal deadline April 23 (already passed).

The two May 4 deadlines and the May 25 set together cover four categories most SMBs run: remote support tooling (SimpleHelp), build pipelines (TeamCity), public-facing CMS (Kentico, PaperCut, Zimbra), and IT management appliances (Quest KACE). If you have any of these in production and you have not patched, you are now further behind a federal deadline than a federal agency would be allowed to be.

Why the 72-hour proposal matters even if it never passes

Whether CISA formally adopts a 72-hour deadline or stays at 14 days is a politics question. The operational message is the same either way: the agency that sees the most attack telemetry in the country has lost confidence in two-week patch cycles. The reporting attributes that to AI-accelerated exploit development — but the same pressure exists without AI. Ransomware crews have been weaponizing N-days inside 72 hours for two years. The KEV addition for CVE-2023-27351 PaperCut three years after the original disclosure is a reminder that organizations are still being compromised by patches Microsoft and PaperCut released in 2023.

The right SMB read is not "wait and see whether the deadline changes." It is "the deadline is whatever your attacker is doing, and your attacker is now sometimes faster than the patch." Plan for that.

The 72-hour SMB patch playbook

This is the realistic shape of what a small or mid-size org can run without a dedicated vulnerability management team. It maps to a 72-hour cadence and works just as well at 14 days. Five steps.

1. Subscribe and ingest KEV automatically

The catalog is published as JSON at a stable URL. There is no excuse for finding out about a KEV addition from a vendor newsletter four days late. Pull it on a schedule:

# PowerShell — pull KEV daily and flag entries newer than 7 days
$kev = Invoke-RestMethod -Uri "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
$cutoff = (Get-Date).AddDays(-7)
$kev.vulnerabilities | Where-Object {
    [datetime]$_.dateAdded -gt $cutoff
} | Select-Object cveID, vendorProject, product, dueDate, requiredAction |
    Format-Table -AutoSize

# Bash equivalent
curl -s https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \
  | jq -r '.vulnerabilities[]
    | select(.dateAdded | fromdate > (now - 7*86400))
    | "\(.cveID)\t\(.vendorProject) \(.product)\tdue \(.dueDate)"'

Wire that into your daily standup, a Slack/Teams webhook, or your ticketing system. The goal is that a new KEV addition becomes an open ticket inside one business day, not a quarterly audit finding.

2. Build a one-page inventory mapping

You cannot patch what you do not know you run. For each KEV entry, you need a yes/no answer to "do we have this?" in under five minutes. That requires a software inventory tied to product names CISA uses (SimpleHelp, PaperCut NG/MF, Quest KACE, JetBrains TeamCity, etc.). Free tools that get an SMB 80% of the way there: reNgine for external attack surface, nuclei for service fingerprinting, and your endpoint management agent's "installed software" export for internal assets. Pivot that into a single spreadsheet keyed by CISA's product strings.

3. Triage by exposure, not by CVSS

CVSS is a property of the vulnerability. Exposure is a property of your environment. A CVSS 10.0 Quest KACE flaw on an internal-only appliance behind a VLAN is genuinely lower risk than a CVSS 7.5 path traversal on a public-facing TeamCity instance. For each "yes we have this" hit, capture three facts:

• Internet-facing? If yes, you are at 24-hour urgency regardless of the federal deadline.
• Credentialed access required? Unauthenticated exploitation moves to the top of the queue.
• Privileged users on the host? A patch lag on a developer's TeamCity server is a credential leak waiting to happen. Treat it like an identity incident in waiting.

4. Run a compromise check before you patch

For everything on the May 4 and May 25 list, do not assume "we patched, we are done." Some of these have been quietly exploited for months. Specifically:

• SimpleHelp. Check Technician audit logs for new API keys created between January and now. Review the SimpleHelp/configuration/serverconfig.xml file for unexpected admin accounts. Arctic Wolf's writeup documents the campaign indicators.
• TeamCity. Pull build configuration changes and review parameter exports for the last 90 days. Path traversal lets attackers read config/projects/*.xml for credentials.
• PaperCut. Inspect the web admin user list and the print-and-device.log for unexpected automation. Yes, again, three years after the original advisory.
• Quest KACE. Review every admin login in the last 60 days. CVSS 10.0 unauthenticated impersonation is exactly the kind of thing that hides in logs as a normal admin session.

If anything looks anomalous, scope it as an incident before you patch. Patching first destroys evidence.

5. Track to closure with a public-facing date

The single biggest cultural win you can get out of the KEV cadence is making your patch SLA visible to leadership. A simple monthly tile: "open KEV items past CISA deadline: 0." Anything other than zero needs an owner and a date. This is the artifact that gets you out of "we will patch when we get to it" and into "we are inside or outside the federal clock." Even a 14-day window forces a discipline most SMBs do not have today.

What if the 72-hour rule actually ships

If CISA does pull the trigger and standardize a 72-hour deadline across all new KEV additions, three things change for SMBs:

Maintenance windows die. "We patch on the second Saturday of the month" cannot survive 72 hours. You will need at minimum a same-week emergency patch path, and ideally a tested rollback for everything in step 2's inventory. Now is the time to dry-run that path on a benign update before you need it for real.

Vendor SLAs matter more than they did. If your SaaS vendor patches their hosted instance in five days, your 72-hour clock is moot — you are at their mercy. Audit your top ten SaaS contracts for KEV-aligned remediation language. If it is not there, add it on renewal.

Compensating controls become the primary control. Network segmentation, WAF rules, and EDR signatures bought against the IOC will, in many cases, be the only thing standing between disclosure and patch. The orgs that already have those layers in place will feel the squeeze. The ones that do not will feel a breach.

None of the above requires enterprise budget. It does require deciding, today, that KEV is a roadmap and not a federal news item. The fact that CISA is even considering 72 hours should be the signal: the patch clock has already moved. The directive is just catching up.