CMS Hybrid Cloud Launches the Q1 2026 CMS Enterprise Security Campaign

Summary

Starting February 26th, 2026, the CMS Hybrid Cloud Team will begin the Q1 2026 CMS Enterprise Security Campaign.

Any findings will be tracked via Jira tickets and assigned to the respective teams to remediate risks. The Q1 CMS Enterprise Security Campaign is targeting a list of 74 Critical Common Vulnerabilities and Exposures (CVEs) that pose a high risk to CMS systems.

On March 10th, 2026, new AWS Security Hub Cloud Security Posture Management (CSPM) GuardRails will be added to all accounts to prevent reintroduction of certain findings into the CMS environment.

Benefits

Resolving findings in customers' Jira tickets ensures CMS systems remain secure. Participating in proactive, routine security activities, such as this CMS Enterprise Security Campaign, reduces the risk of unauthorized and/or malicious activity.

The CMS Enterprise Security Campaign will target and identify the following vulnerabilities and CVEs:

Targeted Vulnerabilities and Common Vulnerabilities and Exposures (CVEs)

Tenable Plugin ID | Plugin Description | Severity
298070 | VMware ESXi 7.x < 7.0 Update 3w / 8.x < 8.0 Update 2e / 8.0 Update 3 < 8.0 Update 3f (VMSA-2025-0013) | Critical
194927 | Universal Forwarders < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0614) | Critical
137702 | Treck TCP/IP stack multiple vulnerabilities. (Ripple20) | Critical
242325 | SQLite < 3.50.2 Memory Corruption | Critical
194921 | Splunk Universal Forwarder 9.0.0 < 9.0.9, 9.1.0 < 9.1.4, 9.2.0 < 9.2.1 (SVD-2024-0304) | Critical
264570 | Security Updates for Microsoft Office Products C2R (September 2025) | Critical
252954 | RHEL 9 : libarchive (RHSA-2025:14130) | Critical
237306 | RHEL 9 : corosync (RHSA-2025:7201) | Critical
205518 | RHEL 8 : wget (RHSA-2024:5299) | Critical
242958 | RHEL 8 : sqlite (RHSA-2025:12010) | Critical
190768 | RHEL 8 : oniguruma (RHSA-2024:0889) | Critical
298534 | RHEL 8 : nodejs:20 (RHSA-2026:2422) | Critical
291323 | RHEL 8 : net-snmp (RHSA-2026:0750) | Critical
252953 | RHEL 8 : libarchive (RHSA-2025:14135) | Critical
298012 | RHEL 8 : freerdp (RHSA-2026:2081) | Critical
216433 | RHEL 8 : bzip2 (RHSA-2025:0733) | Critical
100634 | Redis Server Unprotected by Password Authentication | Critical
201488 | Red Hat Enterprise Linux SEoL (7.8.x <= x <= 7.9.x) | Critical
63347 | PostgreSQL Unsupported Version Detection | Critical
279099 | pgAdmin < 9.11 RCE | Critical
296583 | Oracle MySQL Server 8.4.x < 8.4.8 (January 2026 CPU) | Critical
183396 | Oracle MySQL Server 5.7.x < 5.7.44 (October 2023 CPU) | Critical
209245 | Oracle MySQL Connectors (October 2024 CPU) | Critical
242293 | Oracle Java SE Multiple Vulnerabilities (July 2025 CPU) | Critical
296378 | Oracle Database Server (January 2026 CPU) | Critical
296368 | Oracle Business Intelligence Enterprise Edition (OAS 8.2) (January 2026 CPU) | Critical
182308 | OpenSSL SEoL (1.1.1.x) | Critical
182259 | OpenSSL SEoL (1.0.2.x) | Critical
201086 | OpenSSL 1.0.2 < 1.0.2zk Vulnerability | Critical
242246 | NVIDIA Container Toolkit < 1.17.8 Multiple Vulnerabilities (July 2025) | Critical
297910 | Notepad++ < 8.8.9 Update Integrity Verification Vulnerability | Critical
294862 | MongoDB 5.0.x < 5.0.31 / 6.0.x < 6.0.20 / 7.0.x < 7.0.16 / 8.0.x < 8.0.4 Improper Check for Certificate Revocation (SERVER-95445) | Critical
62758 | Microsoft XML Parser (MSXML) and XML Core Services Unsupported | Critical
73756 | Microsoft SQL Server Unsupported Version Detection (remote check) | Critical
64784 | Microsoft SQL Server Unsupported Version Detection | Critical
56998 | Microsoft Office Unsupported Version Detection | Critical
97085 | Microsoft Office Unsupported Channel Version Detection | Critical
102082 | Microsoft Access Unsupported Version Detection | Critical
172179 | Microsoft .NET Core SEoL | Critical
240709 | IBM WebSphere Application Server 8.5.x < 8.5.5.28 / 9.x < 9.0.5.25 (7237967) | Critical
185164 | HPE OneView Authentication Bypass (CVE-2023-30908) | Critical
298675 | Google Chrome < 145.0.7632.45 Multiple Vulnerabilities | Critical
276933 | Fluent Bit < 4.0.12 / 4.1.x < 4.1.1 Multiple Vulnerabilities | Critical
270139 | F5 Networks BIG-IP : IPMI vulnerability (K000156992) | Critical
160726 | F5 BIG-IP RCE (CVE-2022-1388) | Critical
46172 | ClamAV Antivirus Detection and Status | Critical
184452 | Cisco IOS XE Unauthenticated Remote Command Execution (CVE-2023-20198) (Direct Check) | Critical
201456 | Canonical Ubuntu Linux SEoL (18.04.x) | Critical
91811 | Apache Struts 2 REST Plugin OGNL Expression Handling RCE | Critical
182252 | Apache Log4j SEoL (<= 1.x) | Critical
249322 | Apache CXF < 3.6.8 / 4.x < 4.0.9 / 4.1.x < 4.1.3 RCE (CVE-2025-48913) | Critical
298088 | Amazon Linux 2023 : soci-snapshotter (ALAS2023-2026-1421) | Critical
282408 | Amazon Linux 2023 : python3.11, python3.11-devel, python3.11-idle (ALAS2023-2025-1356) | Critical
298108 | Amazon Linux 2023 : openssl, openssl-devel, openssl-fips-provider-latest (ALAS2023-2026-1406) | Critical
298122 | Amazon Linux 2023 : nerdctl (ALAS2023-2026-1401) | Critical
251374 | Amazon Linux 2023 : lemon, sqlite, sqlite-analyzer (ALAS2023-2025-1151) | Critical
298077 | Amazon Linux 2023 : ImageMagick, ImageMagick-c++, ImageMagick-c++-devel (ALAS2023-2026-1383) | Critical
298141 | Amazon Linux 2023 : containerd, containerd-stress (ALAS2023-2026-1374) | Critical
261755 | Amazon Linux 2023 : cargo, clippy, rust (ALAS2023-2025-1162) | Critical
298070 | Amazon Linux 2023 : captree, libcap, libcap-devel (ALAS2023-2026-1389) | Critical
178530 | Amazon Linux 2 : tcpdump (ALAS-2023-2119) | Critical
252294 | Amazon Linux 2 : sqlite (ALAS-2025-2973) | Critical
298117 | Amazon Linux 2 : runc, --advisory ALAS2DOCKER-2026-096 (ALASDOCKER-2026-096) | Critical
261341 | Amazon Linux 2 : ruby, --advisory ALAS2-2025-2990 (ALAS-2025-2990) | Critical
176945 | Amazon Linux 2 : pcre (ALAS-2023-2082) | Critical
294895 | Amazon Linux 2 : net-snmp, --advisory ALAS2-2026-3124 (ALAS-2026-3124) | Critical
266182 | Amazon Linux 2 : libvpx, --advisory ALAS2-2025-3015 (ALAS-2025-3015) | Critical
232354 | Amazon Linux 2 : libglvnd (ALAS-2025-2782) | Critical
214983 | Amazon Linux 2 : gstreamer1 (ALAS-2025-2746) | Critical
298079 | Amazon Linux 2 : golang, --advisory ALAS2-2026-3136 (ALAS-2026-3136) | Critical
139856 | Amazon Linux 2 : gettext (ALAS-2020-1477) | Critical
298107 | Amazon Linux 2 : cri-tools, --advisory ALAS2-2026-3135 (ALAS-2026-3135) | Critical
150973 | Amazon Linux 2 : bzip2 (ALAS-2021-1652) | Critical
59196 | Adobe Flash Player Unsupported Version Detection | Critical

Note: Operating System (OS)-level findings are remediated by the CMS Hybrid Cloud Team for customers who receive regular CMS Gold Image patching services. Please note that CMS customers are responsible for patching any software installed on top of the provided CMS Gold Image.

  • CMS Hybrid Cloud will deploy auto-remediation for the following Security Hub controls:
    • GuardRails / auto-remediations (Security Hub controls):
      • RDS.1 - RDS snapshot should be private (all accounts)
      • DynamoDB.2 - DynamoDB tables should have point-in-time recovery enabled (all accounts)
      • EC2.15 - Amazon EC2 subnets should not automatically assign public IP addresses (for Marketplace accounts to catch up from 2025 Q4)
    • CMS customer teams with existing findings for these Security Hub controls will receive a Jira ticket.
      • Teams will either need to resolve the finding or obtain an exemption.

Expected Actions

  • CMS customers with findings will receive a Jira ticket.
    • If you would like to obtain an exemption, you will need to complete an attestation.
  • CMS customers should resolve all received Jira tickets as soon as possible.
    • For help, please refer to the "Questions or Concerns" section below for instructions on how to submit a Hybrid Cloud Support ticket.
  • Failure to resolve findings can lead to compromised systems that result in greater risks for unauthorized and/or malicious activity.
  • Unresolved system flaws will result in Plan of Action and Milestones (POA&Ms) being issued against the Federal Information Security Modernization Act (FISMA) boundary.

Timeline

  • February 26th, 2026: CMS customers with findings will receive Jira tickets for the findings noted in the "Benefits" section above.
  • March 10th, 2026: CMS Hybrid Cloud will add new AWS Security Hub Cloud Security Posture Management (CSPM) GuardRails to all accounts to protect CMS systems from reintroducing findings back into the environment.

Additional Information

Questions or Concerns

We look forward to helping you and your team. Reach out to your IUSG Hosting Coordinator with any questions. For further help, please fill out a Hybrid Cloud Support ticket specifying Service as "Security Hub" and Request as "Security Hub Findings".
