On June 10, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04 (BOD 26-04), superseding two prior vulnerability management directives — BOD 19-02 and BOD 22-01 — with a risk-based framework that significantly compresses remediation timelines. Under the new directive, federal agencies must remediate the highest-risk vulnerabilities within three days of designation. The prior framework allowed between fifteen and thirty days depending on severity classification.
The directive reflects a shift in regulatory posture that has been building for several years. Rather than treating all software vulnerabilities as equivalent compliance obligations, CISA now formally distinguishes between vulnerabilities based on real-world exploitation evidence. The primary instrument for that distinction is the Known Exploited Vulnerabilities (KEV) Catalog, CISA's authoritative list of vulnerabilities confirmed to be actively exploited in the wild. A KEV designation is no longer simply an advisory signal — under BOD 26-04, it triggers mandatory remediation obligations with specific timelines attached.
For federal agencies, the operational implications are immediate. For federal contractors and regulated private-sector entities, the implications are contractual, financial, and legal.
Modern software contains millions of lines of code, making programming errors unavoidable. Most errors affect functionality. Others create security weaknesses — known as vulnerabilities — that attackers can exploit to gain unauthorized access, execute malicious code, or exfiltrate sensitive information.
A vulnerability becomes dangerous only when an attacker develops a method of exploiting that weakness. That method is an exploit. When an attacker exploits a vulnerability before the software developer has released a security patch — or before affected organizations have had a meaningful opportunity to apply one — the vulnerability is classified as a zero-day. The name reflects the defender's position: zero days to prepare before active exploitation began.
The legal significance of the zero-day classification lies in what it does to the timeline. A software bug that is privately reported to the vendor and patched before public disclosure gives organizations time to remediate. A zero-day offers none. The distinction appears directly in BOD 26-04, in cyber insurance policy language, in contractual representations about security posture, and in breach response timelines — which is why organizations and their counsel need to understand it.
Two confirmed exploitation campaigns in June and July 2026 illustrate the practical stakes of BOD 26-04 and the zero-day classification.
Following the issuance of BOD 26-04, CISA added a Microsoft SharePoint vulnerability to the KEV Catalog after confirming active exploitation. Federal agencies subject to the directive were required to remediate affected systems within the directive's accelerated timeline. The incident illustrated precisely the scenario BOD 26-04 was designed to address: a vulnerability moving from disclosure to active exploitation before organizations could complete remediation under prior timelines.
A separate campaign targeted Oracle PeopleSoft. Mandiant confirmed that attackers exploited a previously undisclosed vulnerability — CVE-2026-35273 — before any patch was available, meeting the technical definition of a zero-day. The campaign affected more than one hundred organizations. Confirmed victims include Nissan and the National Association of Insurance Commissioners, according to public reporting. Forensic investigations, breach notifications, and regulatory inquiries followed.
These two incidents, taken together, illustrate the dual reality that BOD 26-04 addresses: some vulnerabilities are exploited after disclosure but before remediation; others are exploited before disclosure occurs at all. Both scenarios now trigger mandatory federal timelines. Both have direct consequences for private-sector organizations operating within or adjacent to the federal supply chain.
Zero-day vulnerabilities are technical events with legal consequences. The following issues warrant immediate attention from general counsel, compliance officers, and their outside advisors.
Patch management and incident response protocols. BOD 26-04's three-day remediation window for the highest-risk vulnerabilities is not aspirational — it is a federal mandate. Organizations that contract with federal agencies should assess whether their current patch management infrastructure and incident response protocols are capable of meeting that timeline. A protocol designed for a fifteen-day window is not compliant with the new framework.
Procurement contracts and representations. Software procurement agreements, technology services contracts, and federal supply chain agreements executed before June 10, 2026 were negotiated against a different compliance baseline. Representations about security posture, vulnerability management practices, and incident response capabilities in those agreements may now be materially inaccurate. A contract review against BOD 26-04 requirements is a prudent step before the next renewal cycle or before a new federal contract is executed.
Regulatory reporting timelines. A KEV Catalog designation is now a legally significant event, not merely a technical advisory. Organizations should treat a KEV designation affecting their systems as a trigger for evaluating regulatory reporting obligations under applicable frameworks — whether federal contractor requirements, sector-specific regulations, or state breach notification laws. The window between exploitation confirmation and required disclosure may be shorter than existing incident response plans assume.
Cyber insurance coverage. Many cyber insurance policies define covered events, exclusions, or coverage conditions by reference to "known vulnerabilities." The date on which a vulnerability appears in the KEV Catalog — CISA's authoritative public record of confirmed exploitation — may determine whether a claim is covered, excluded, or subject to a coverage dispute. Organizations should review policy language with coverage counsel now, before an incident triggers that question under adversarial conditions.
Ongoing monitoring. BOD 26-04 established a dynamic framework — CISA will continue adding vulnerabilities to the KEV Catalog as exploitation is confirmed, each addition carrying mandatory remediation timelines for federal agencies and compliance implications for the broader federal contractor ecosystem. A one-time compliance review is not sufficient. Organizations need a monitoring function that tracks KEV additions affecting their technology stack on a continuous basis.
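As an added illustration (not part of the original alert), the following Python sketch shows one shape such a monitoring function can take: it parses a document in the CISA KEV feed's JSON layout, flags additions not seen on the previous poll that match an asset inventory, and computes the days remaining to each entry's dueDate. The feed sample, inventory and dates are constructed for this example; the second catalog entry uses a placeholder identifier.

```python
import json
from datetime import date

# Constructed sample in the CISA KEV feed's JSON layout (field names as in the
# real feed; dates, descriptions and the second entry are made up here).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.07.01", "dateReleased": "2026-07-01T12:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2026-35273", "vendorProject": "Oracle", "product": "PeopleSoft",
         "vulnerabilityName": "Oracle PeopleSoft vulnerability (constructed entry)",
         "dateAdded": "2026-07-01", "shortDescription": "constructed",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-07-04", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-00001",  # placeholder identifier, not a real CVE
         "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-07-01",
         "shortDescription": "constructed", "requiredAction": "Apply updates.",
         "dueDate": "2026-07-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed asset inventory: normalised (vendor, product) pairs the organisation runs.
INVENTORY = {("oracle", "peoplesoft"), ("microsoft", "sharepoint")}

def parse_kev(feed_json: str) -> list[dict]:
    """Return the 'vulnerabilities' array from one KEV feed document."""
    return json.loads(feed_json)["vulnerabilities"]

def days_until_due(entry: dict, today: date) -> int:
    """Days left until the entry's dueDate (negative means overdue)."""
    return (date.fromisoformat(entry["dueDate"]) - today).days

def poll(feed_json: str, seen_ids: set, inventory: set, today_iso: str):
    """One monitoring cycle: report KEV additions not seen on the previous poll
    that match the inventory, and return (report, updated seen_ids)."""
    today = date.fromisoformat(today_iso)
    entries = parse_kev(feed_json)
    fresh = [v for v in entries if v["cveID"] not in seen_ids]
    report = [
        {"cveID": v["cveID"], "product": v["product"],
         "dueDate": v["dueDate"], "days_until_due": days_until_due(v, today)}
        for v in fresh
        if (v["vendorProject"].lower(), v["product"].lower()) in inventory
    ]
    return report, seen_ids | {v["cveID"] for v in entries}
```

Calling `poll` on each fetch with the `seen_ids` returned by the previous call yields only the catalog additions since the last check, so a second poll against an unchanged feed reports nothing.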
This alert is for informational purposes only and does not constitute legal advice. Receipt of this publication does not create an attorney-client relationship.
Maceira Zayas
San Juan, Puerto Rico & Washington D.C.
Summer Associate Aliana Rivera worked on this article.