PatchDay Alert
Analysis · 7 min read · 1,464 words · By analysis-desk

CISA just gave the Conficker bug a 2026 deadline

Five of the seven CVEs CISA added on May 20 are 2008–2010 fossils, including MS08-067 and Operation Aurora. KEV inclusion means current exploitation, so the real signal isn't nostalgia.

On May 20, 2026, CISA handed federal agencies a remediation deadline of June 3 for CVE-2008-4250. That’s MS08-067, the Windows Server Service bug that powered the Conficker worm and got reused by Stuxnet. It is roughly seventeen and a half years old. It now has a fresh federal due date.

That’s the kind of detail that’s easy to file under “bureaucratic housekeeping” and move on. Don’t.

The obvious read

The conventional take is that CISA cleaned out a drawer. Seven new entries pushed the Known Exploited Vulnerabilities catalog from 1,592 to 1,599 (version 2026.05.20), and five of them read like a museum exhibit: MS08-067, the Internet Explorer flaw behind Operation Aurora, a DirectShow QuickTime parsing bug, an IE iepeers.dll use-after-free, and an Adobe Reader heap overflow. All from 2008 through 2010. The natural reaction is to assume someone is backfilling a list for completeness and that none of it touches a 2026 estate where XP and Server 2003 are long gone.

The natural reaction is wrong, and the reason it’s wrong is the whole point of the catalog.

The pattern

KEV is not a vulnerability database. It’s an operational threat list with three gates: an assigned CVE ID, a clear remediation action, and reliable evidence of active exploitation in the wild. A public proof-of-concept alone does not qualify. So when a 2008 bug shows up in a 2026 drop, the catalog isn’t making a historical claim. It’s making a present-tense one: attackers are using this right now, and finding targets.

The split in this batch is the tell. Five fossils landed alongside two genuinely new Microsoft Defender bugs in a single drop. Read that way, the message stops being “we’re tidying up” and becomes “attackers are working the back-catalog, and it’s still paying off.” Someone out there is scanning for unpatched, end-of-life systems that never got decommissioned, and the hit rate is high enough that CISA saw current exploitation evidence worth a catalog entry.

This isn’t a one-off. In January 2026, CISA added CVE-2009-0556, a seventeen-year-old PowerPoint code-injection flaw, citing active exploitation. The Register called it a zombie Office bug. The May 20 batch is the same signal, scaled up: not one relic, but five in a row.

The evidence

Start with the worst of the five. CVE-2008-4250 is a pre-authentication stack buffer overflow in the Windows Server service’s NetprPathCanonicalize RPC handling. Microsoft shipped it as an out-of-band emergency bulletin on October 23, 2008, the rare move that means exploitation was already in progress. Within weeks, the Conficker worm turned it into the largest worm outbreak since SQL Slammer, with estimated peak infections of 9 to 15 million machines across roughly 190 countries, including the French Navy, the UK MoD, and Germany’s Bundeswehr. Stuxnet later reused the same bug as a lateral-movement vector to reach air-gapped ICS networks.

The rest of the legacy five are smaller in blast radius but identical in character. CVE-2010-0249 is the IE 6/7/8 use-after-free behind Operation Aurora, the spear-phishing campaign McAfee disclosed in January 2010 that hit 34-plus organizations including Google and Adobe and escalated into a diplomatic incident. CVE-2009-1537 exploited Windows’ own QuickTime parser inside quartz.dll, present whether or not Apple QuickTime was installed, and reachable through IE media playback. CVE-2010-0806 is an iepeers.dll use-after-free in IE 6 and 7 that circulated as a zero-day with working exploit code, which pushed Microsoft to pull the patch forward to March 30, 2010, two weeks early. And CVE-2009-3459 is a heap overflow in Adobe Reader and Acrobat 7.x through 9.x, triggered by a crafted PDF that an enterprise browser would happily open inline.

These bugs never actually died. Trend Micro counted roughly 330,000 Conficker detections in 2017 alone, nine years after disclosure, clustered in healthcare, government, and manufacturing. Its 2022 research found Conficker variants still spreading in OT networks via removable drives and ADMIN$ brute-force.

The macro telemetry agrees, with a caveat. GreyNoise’s 2026 State of the Edge report found pre-2015 CVEs generated 7.3 million malicious sessions in the second half of 2025, roughly four times the traffic of 2023 and 2024 CVEs combined. The 2026 Verizon DBIR put median full-remediation time at 43 days, with the share of KEV entries fully remediated falling from 38% to 26% year over year and about 16% of KEV vulns going entirely unremediated. Both figures reached us through secondary reporting because the primary documents blocked direct retrieval; they are well-corroborated, but treat them as corroborated rather than primary-verified. The direction is the part that holds: old exploits draw heavy traffic, and remediation is getting slower, not faster.

What this means for prioritization

For most shops, the action on the legacy five is not “patch.” The affected products are retired, so there’s nothing to apply. When a KEV product is end-of-life, the required-action text shifts to “discontinue use of the product if mitigations are unavailable.” For unpatchable XP and Server 2003-era software, that clause is the instruction.

So the work is inventory and decommission, not deployment. The honest version of the priority call:

  • Find the remnants before you defend them. Hunt for SMBv1 listeners on TCP 445/139, legacy IE user-agents, and old Reader processes. SMBv1 has been off by default since Server 2019 and Windows 10 1709; if it’s enabled, something re-enabled it, and that’s its own finding.
  • Segment what you can’t kill. Where XP or 2003 survives for a reason, block TCP 135/139/445 at the boundary per NIST SP 800-123 and virtual-patch via IPS.
  • Don’t assume a long grace period. BOD 22-01’s general scheme gives older CVEs longer windows, but CISA assigned this entire batch a single near-term due date of June 3, 2026. The directive binds federal civilian agencies; everyone else should read it as a prioritization floor.
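As an added example (not code from this post), a small Python hunt over constructed inventory records and proxy log lines that flags the three remnant classes in the list above: EOL Windows with SMBv1 listening, IE 6/7/8 user-agents, and Reader/Acrobat in the 7.x–9.x range. The record field names, the proxy line format and the sample data are assumptions.

```python
import re
from typing import Iterable

# IE 6/7/8 user-agent tokens (the versions hit by CVE-2010-0249 and
# CVE-2010-0806) and the Reader/Acrobat 7.x-9.x range of CVE-2009-3459.
LEGACY_IE = re.compile(r"MSIE (6|7|8)\.0")
OLD_READER = re.compile(r"^(AcroRd32|Acrobat)\.exe$", re.IGNORECASE)
EOL_OS = ("Windows XP", "Windows Server 2003")
SMB_PORTS = {139, 445}

def triage_hosts(hosts: Iterable[dict]) -> list[tuple[str, str]]:
    """(hostname, finding) pairs for hosts matching the legacy-five footprint."""
    findings = []
    for h in hosts:
        name = h["hostname"]
        if h["os"].startswith(EOL_OS):
            findings.append((name, f"EOL OS {h['os']}: decommission, nothing to patch"))
        if h.get("smb1_enabled") and SMB_PORTS & set(h.get("open_ports", [])):
            # Off by default since Server 2019 / Windows 10 1709, so this was re-enabled.
            findings.append((name, "SMBv1 listener on 139/445 (MS08-067 surface)"))
        for proc in h.get("processes", []):
            major = proc["version"].split(".")[0]
            if OLD_READER.match(proc["name"]) and major in ("7", "8", "9"):
                findings.append((name, f"Reader {proc['version']} in CVE-2009-3459 range"))
    return findings

def legacy_ie_clients(proxy_lines: Iterable[str]) -> set[str]:
    """Source IPs whose proxy user-agent identifies as IE 6/7/8."""
    hits = set()
    for line in proxy_lines:
        src, _, ua = line.partition(" ")  # assumed format: "<src ip> <user-agent>"
        if LEGACY_IE.search(ua):
            hits.add(src)
    return hits

SAMPLE_HOSTS = [  # constructed inventory records, not real hosts
    {"hostname": "hmi-02", "os": "Windows XP Professional SP3", "smb1_enabled": True,
     "open_ports": [135, 139, 445], "processes": [{"name": "AcroRd32.exe", "version": "9.3.0"}]},
    {"hostname": "ws-411", "os": "Windows 11 23H2", "smb1_enabled": False,
     "open_ports": [445], "processes": [{"name": "Acrobat.exe", "version": "24.2.0"}]},
    {"hostname": "file-07", "os": "Windows Server 2019", "smb1_enabled": True,
     "open_ports": [445], "processes": []},
]
SAMPLE_PROXY = [  # constructed proxy lines
    "10.3.7.21 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "10.3.7.40 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
    "10.3.9.12 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)",
]
```

The Server 2019 host with SMBv1 on is the case the first bullet calls out: a supported OS where the protocol should be off, so the finding is the re-enablement itself rather than the OS.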

The two fresh bugs are a different job: hygiene, not archaeology. CVE-2026-41091 is a Microsoft Defender link-following local privilege escalation (CWE-59). Defender runs as SYSTEM on every Windows endpoint, and link-following bugs in high-privilege processes are a reliable escalation pattern, so the shape is concerning even though there’s no verified CVSS score and no third-party technical analysis of this one yet. CVE-2026-45498 is a Defender denial of service; confirmed detail is limited to a local-vector, low-complexity disruption of Defender, not code execution. Both are thinly sourced right now. The durable action is to keep Defender’s security-intelligence and platform/engine updates flowing, since the platform and engine updates ship out-of-band and don’t ride Patch Tuesday.

What to watch

The thing that would confirm the pattern is the back-fill rate. Cyble counted 94 pre-2024 CVEs added to KEV in 2025, about 34% up on prior years. If 2026 keeps that curve climbing, the “attackers are mining the back-catalog” read stops being an interpretation of one batch and becomes the baseline. If it flattens, this drop was a cluster, not a trend.

There’s a quieter variable worth holding lightly. CISA has operated under budget and staffing pressure through 2025 and 2026. Whether that changed KEV triage cadence isn’t documented anywhere, so it’s background, not a claim. But it’s the kind of thing that would distort the back-fill signal in either direction, and it’s worth keeping in the frame when you read the next batch.

Here’s the reframe. The age of a CVE tells you when it was found. It tells you nothing about whether it’s being used today. A seventeen-year-old bug with a June 3 deadline isn’t a filing error; it’s a measurement of how much unretired infrastructure is still answering on port 445. The catalog isn’t asking you to patch Windows XP. It’s asking whether you’re sure you don’t have any.

That gap, between what you decommissioned on paper and what’s still on the wire, is exactly the kind of thing a daily KEV read is built to surface before it becomes a deadline. We track every catalog addition the day it lands, including the fossils.
