Conficker and Aurora Are Still on CISA KEV: the 2026 Legacy Attack Surface in Numbers
CISA's May 20, 2026 KEV update added five CVEs from 2008-2010 — including the original Conficker and Aurora bugs — plus two new Microsoft Defender flaws. The legacy attack surface is still alive.
On 20 May 2026, CISA added seven CVEs to the Known Exploited Vulnerabilities catalog. Five of them were published between 2008 and 2010. One is MS08-067 — the Windows Server Service bug that became Conficker. Another is CVE-2010-0249 — the Internet Explorer use-after-free that drove Operation Aurora against Google, Adobe, Yahoo, Juniper, Symantec, Northrop Grumman and Dow Chemical. Eighteen years after disclosure, both still produce enough live exploitation evidence in 2026 that CISA put them back on the catalog with a fresh federal remediation clock. The remaining two entries in the same batch are brand-new May 2026 Microsoft Defender bugs. The juxtaposition is the story: the worm-era attack surface and the AI-era attack surface are now on the same KEV page.
The May 20, 2026 batch, in full
The CISA alert lists seven entries. Five are legacy. Two are 2026.
| CVE | Year | Product | Why it is famous |
|---|---|---|---|
| CVE-2008-4250 | 2008 | Windows Server service (MS08-067) | The Conficker worm — ~9 million infected machines by early 2009 across 190+ countries |
| CVE-2009-1537 | 2009 | DirectShow / DirectX (quartz.dll) | NULL byte overwrite via crafted QuickTime media — Windows 2000/XP/Server 2003 |
| CVE-2009-3459 | 2009 | Adobe Acrobat & Reader | Heap-based buffer overflow, in-the-wild PDF exploit chain |
| CVE-2010-0249 | 2010 | Internet Explorer 6/7/8 | "Aurora" — the IE zero-day behind Operation Aurora against Google et al. |
| CVE-2010-0806 | 2010 | IE 6/7 (iepeers.dll) | Use-after-free, drive-by web-page exploit, MS10-018 |
| CVE-2026-41091 | 2026 | Microsoft Defender | Elevation of privilege, shipped in May 2026 Patch Tuesday |
| CVE-2026-45498 | 2026 | Microsoft Defender | Denial of service |
CISA does not add a CVE to KEV unless it has current exploitation evidence. The criteria are explicit: "reliable evidence indicating active exploitation in the wild". Under BOD 22-01, FCEB agencies have a remediation deadline. The deadline is not the part that interests the rest of the world — it is the attestation part: CISA is saying, on the record, that someone, somewhere, is still hitting these bugs and getting code execution.
Conficker is the canary
MS08-067 — the bug that became Conficker — should be a museum piece. Microsoft shipped the patch in an out-of-cycle release on 23 October 2008. The worm peaked in early 2009. Conficker spread by exploiting an RPC handler in the Windows Server service over SMB; secondary propagation used dictionary attacks against administrator passwords and removable-media autorun. It was the largest computer worm event since SQL Slammer in 2003. ~9 million machines infected, in over 190 countries.
In a clean enterprise, the affected platforms — Windows 2000, Windows XP, Windows Server 2003 — should not be carrying production traffic in 2026. They have been end-of-support for 6 to 10+ years depending on the SKU. So CISA adding MS08-067 to KEV today says one operational thing very clearly: someone is finding reachable Windows 2000/XP/Server 2003 hosts on real networks in 2026, and the SMB/RPC pathway is still open.
That host population is not on a screen anywhere. It is the substrate underneath the asset inventory:
- Factory floor PCs that drive PLCs. Replacing them means recertifying the line.
- Hospital lab instruments. The MRI console runs an embedded XP that the OEM never re-released.
- Building-access badge controllers. Embedded Windows image with the vendor's support contract long expired.
- "Temporary" jump hosts and VMs whose owners left the company three reorganisations ago.
- Vendor-managed appliances. A box on the network with a CMOS sticker and a phone number on it.
- ATM fleets, kiosk images, point-of-sale, signage rendering pipelines.
None of those are in the asset register. None of them get a patch ticket on Patch Tuesday. All of them speak SMB.
Aurora is the second canary
The other famous bug in the batch — CVE-2010-0249 — has a different shape but the same root cause. It is an Internet Explorer use-after-free, exploited in 2009-2010 by a Chinese state-aligned operation to compromise Google, Adobe, Juniper Networks, Yahoo, Symantec, Northrop Grumman, Dow Chemical and at least a dozen others. The exploit ran via a spear-phishing message carrying a link to a malicious page; the JavaScript on the page constructed the use-after-free condition; a downloader and RAT followed.
IE6/7/8 are not browsers anyone is browsing the web on in 2026. But the IE engine — MSHTML.dll, iepeers.dll, and friends — survives inside:
- Legacy line-of-business apps with embedded WebView controls.
- Industrial HMIs that render maintenance UIs in an IE7-compatibility shim.
- VBScript-based intranet portals on Server 2008 R2 boxes that nobody migrated.
- Document and ticketing systems with bundled WebBrowser controls.
The exploit chain still works against any of those if the right content reaches them. The right content reaches them whenever the user opens an "internal" PDF, a workflow link, or an automation that pulls a remote payload.
The Defender twist
The two 2026 CVEs in the same batch deserve their own paragraph. Microsoft's May 2026 Patch Tuesday rolled 130 CVEs, 30 rated Critical. Two of them — CVE-2026-41091 and CVE-2026-45498 — are in Microsoft Defender itself. Same KEV batch as Conficker. The tool that is supposed to defend the endpoint is now the local privilege escalation path on the endpoint.
That is not a one-off accident. EDR and AV agents are privileged, network-attached, often opaque to the host owner, and increasingly attractive primary targets. We have spent two years watching the same pattern: SentinelOne, CrowdStrike, ESET and Trellix bypasses shipped quietly in Patch Tuesday clusters. The defender is the new pivot.
What this means for asset inventory and patch cadence
Take the May 20 batch as a single data point and the conclusion writes itself:
- The "we patched it years ago" position is not a defence. Patched on the inventoried hosts ≠ patched on the network. KEV exists precisely because the inventory is wrong.
- Annual or quarterly pentests do not see this surface. Scope is defined by the customer. The customer's scope is its inventory. Its inventory is wrong. The pentest validates the part that was already documented; the un-documented part stays un-tested.
- Network-attached EDR/AV agents are now a target, not just a control. A KEV-listed Defender CVE is a different conversation from a KEV-listed browser CVE: it is on the box that is supposed to be looking for everyone else's CVEs.
- The wire is now the most honest sensor. A factory PLC bridge does not run EDR. A medical instrument does not run EDR. The thing that does see them is the network. Conficker's propagation signature on SMB has not changed since 2009. Neither has the C2 polling shape. What changed is whether anyone is listening on the wire.
"Show us, on the day before the breach, every Windows 2000/XP/Server 2003 host that was reachable inside your perimeter from a workstation VLAN."
Most CISOs cannot answer that today. The auditor question for 2027 is the same one with a date appended.
Patch cadence vs continuous validation
The conventional answer is "improve patch management". This is correct and insufficient. Patch management is a function of the inventory; the inventory is the broken thing. The right answer is continuous validation independent of inventory:
- Discover every host on the network, including the ones nobody put on the asset list. Sweep ARP/MAC, broadcast domains, multicast, mDNS, SSDP, LLMNR, BACnet, Modbus, ICCP, plus passive observation of every flow. The hosts that show up here but not in the CMDB are the ones with the legacy exposure.
- Validate against the actual KEV class, on each host, in code. Not "is the version on the banner old enough to be vulnerable" but "send the actual MS08-067 RPC sequence into a sandbox copy and see whether the call returns".
- Repeat continuously. Cron, change-trigger, new asset on the perimeter, new VLAN brought up — the cadence is not "Q4 audit" but "within the hour".
- Watch the network for the propagation signature. The Conficker SMB scan is one of the most distinctive traffic patterns in the catalogue. Aurora's C2 polling shape, even rendered through a modern proxy, has a tell. The detection surface is the wire, not the endpoint.
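As an added illustration of two of the wire-side checks above (hosts that talk on the network but are missing from the CMDB, and the horizontal TCP/445 sweep that is the propagation shape of Conficker-class worms), here is a small Python sketch; it is not Zero Hunt's code, the flow records and CMDB export are constructed, and the window and threshold values are assumptions to tune per segment.

```python
from collections import defaultdict
# Constructed flow records (not real telemetry): "epoch src dst dport proto".
# 10.20.5.77 sweeps TCP/445 across a /24 in a few seconds (Conficker-style
# propagation); 10.20.5.12 is a normal client; 10.20.9.200 is not in the CMDB.
SAMPLE_FLOWS = """\
1716200000 10.20.5.12 10.20.1.5 445 tcp
1716200001 10.20.5.77 10.20.6.1 445 tcp
1716200001 10.20.5.77 10.20.6.2 445 tcp
1716200002 10.20.5.77 10.20.6.3 445 tcp
1716200002 10.20.5.77 10.20.6.4 445 tcp
1716200003 10.20.5.77 10.20.6.5 445 tcp
1716200003 10.20.5.77 10.20.6.6 445 tcp
1716200004 10.20.5.77 10.20.6.7 445 tcp
1716200004 10.20.5.77 10.20.6.8 445 tcp
1716200008 10.20.9.200 10.20.1.5 445 tcp
1716200009 10.20.5.12 10.20.1.9 443 tcp
"""
# Constructed CMDB export: the hosts the organisation believes it owns.
CMDB_HOSTS = {"10.20.5.12", "10.20.5.77", "10.20.1.5", "10.20.1.9"}

def parse_flows(text):
    """Parse one flow per line into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            flows.append((int(ts), src, dst, int(dport), proto))
    return flows

def smb_fanout_sources(flows, window=10, min_targets=8):
    """Sources hitting >= min_targets distinct hosts on TCP/445 within `window`
    seconds. The sweep is visible on the wire whatever the payload, so the
    check needs nothing from the endpoint (assumed thresholds, tune per segment)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged

def unknown_talkers(flows, cmdb):
    """Hosts that initiate traffic but are absent from the CMDB: the gap
    between inventory and network that a patch ticket never reaches."""
    return sorted({src for _, src, _, _, _ in flows} - cmdb)
```

Run both functions over the same flow export on a schedule; a host that appears in `unknown_talkers` and also in `smb_fanout_sources` is the case the article describes, an uninventoried box already propagating.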
That is the operational profile the May 20 KEV update demands. Patch what you can. Validate against what you cannot. Listen to the wire either way.
How Zero Hunt closes the legacy-CVE loop
This is what Zero Hunt's platform was built for. Two of the three pillars apply directly to the May 20 scenario.
Pillar 1 — AI Generative Pentest. The 10-agent swarm — Recon, Exploit, Web, Credential, Post-Exploit, Pivot, Tactic, Report, plus an AI Controller — runs continuously, not on an annual cadence. Recon enumerates every reachable host independent of the customer-supplied inventory: ARP, mDNS, broadcast, passive flow inference, banner grab. Exploit generates a per-target validation chain for the CVE class — including MS08-067-shaped RPC sequences, Aurora-shaped use-after-free triggers, Adobe Reader heap-overflow payloads — in a sandboxed container, never on the host. Every validation is backed by AI Gym: 142+ self-evolving security skills backtested against Vulhub (316/317 exercises across 16 classes), NYU CTF Bench (200 CSAW tasks), Cybench, and Vulhub-Bench (314 CVE-based black-box tasks) before any skill touches a customer network. Legacy CVEs are not "out of scope" because they are old; they are in scope because they are still on the wire. Findings are ECDSA-signed at write time, so when the auditor asks "what did you see on the day", the answer is a chain of custody, not a screenshot.
Pillar 2 — AI Traffic Analysis. A factory Windows 2000 PLC bridge cannot run an EDR agent; the OEM contract forbids it, and the firmware would not survive an install. What it cannot avoid is being on the network. Zero Hunt's proprietary deep-learning traffic model, with four parallel inference heads (suspicious traffic, malware classification, attack-type identification, application fingerprinting), runs at 2.7+ Gbit/s baseline on the appliance GPU and observes every flow on the segment. Conficker's SMB scan, Aurora-class C2 polling, Adobe Reader exploitation telemetry on the wire — all of them have detection surface on a model trained on billions of PCAP sequences. The point is not to retrofit endpoint protection onto a 2003 box. The point is to see the propagation event in real time, not in next morning's SIEM digest.
The platform runs 100% on-prem, with no cloud callbacks and no external LLM APIs — the same constraint legacy industrial networks have always lived with, and the same constraint the next twelve months of EU regulatory enforcement will increasingly require. Mapping every finding to 32 frameworks (NIS2, DORA, ISO 27001, NIST CSF, MITRE ATT&CK, plus 27 more) is automatic; the auditor sees the same evidence the engineering team sees, signed, queryable, and dated to the moment of the scan.
The story of the May 20 KEV update is that the attack surface is older than your asset inventory and longer-lived than your patch ticket. The response is to stop testing against the inventory and start testing against the network. See the platform — and if you want a walkthrough of the AI Gym backtest on a Conficker-class skill or a Defender-CVE replay, reach out.