NIST Significantly Reduces Independent CVSS Scoring in the NVD

For years, the routine has been the same. A new vulnerability appears, the security team checks the NVD, looks at the CVSS score, and decides: patch now or wait. A single number, produced by a U.S. federal agency, has become the pace-setter for millions of systems worldwide.

That pace-setter is now stepping back.

NIST has announced that it will significantly reduce its routine CVSS scoring activities for the National Vulnerability Database (NVD). The backlog of unprocessed entries has been growing since February 2024—from around 13,000 in June 2024 to over 27,000 by the end of 2025—amid a rising number of reported vulnerabilities and a stagnant budget.

What remains when NIST is no longer providing oversight is the CVSS score assigned by the software vendor itself.


The structural problem behind the headline

Within the security community, it is no secret that vendors tend to rate the severity of their own vulnerabilities conservatively. Until now, NIST has balanced this conflict of interest through an independent second assessment. That independence is now disappearing, and for teams that have relied on NVD CVSS scores as their primary source of prioritization, this represents a significant shift.

For Greenbone users, however, nothing changes operationally. Not because the news is irrelevant, but because the NIST NVD has never been Greenbone’s only source of vulnerability intelligence.

A broad international database rather than a single source of truth

For years, Greenbone’s approach has been built on a broad, international foundation of data sources. Vulnerability information is gathered from a diverse portfolio including official databases, vendor advisories, national authorities, European initiatives such as the European Vulnerability Database (EUVD), and the global security community. Each source is evaluated, weighted, and cross-referenced.

The value of this diversity becomes particularly clear in situations like the current one: when a single source becomes unavailable or loses quality, the overall picture for Greenbone users remains largely unchanged. This is not a reaction to a crisis—it has been an architectural principle since day one.

Are vendor-assigned scores inherently unreliable? The honest answer is no, not necessarily. Vendors that provide structured and transparent vulnerability information contribute valuable data—and Greenbone uses that information directly. The challenge lies in the structural incentive to downplay one’s own weaknesses and in the lack of independence when a single source becomes the sole authority.

The EUVD: European Sovereignty as a Constructive Response

The current NIST situation also highlights a broader dependency issue: Europe has relied for too long on a single U.S. institution for vulnerability assessment. The European Vulnerability Database (EUVD), operated by ENISA, represents the right response—sovereign, European, and independent of U.S. budget decisions.

Greenbone has actively integrated the EUVD from the beginning because any reliable new source naturally belongs in a diversified vulnerability intelligence ecosystem.

For security teams, the key question is therefore not whether NIST will recover.

The real question is how resilient your vulnerability assessment process remains when one source disappears—and whether you already know the answer today.

Learn how your organization can meet the requirements of the Cyber Resilience Act and sustainably strengthen your cyber resilience.

For nearly two decades, stolen credentials have been the focus of many analyses of security breaches. This picture is now changing. According to the Verizon 2026 Data Breach Investigations Report (DBIR), vulnerability exploitation has overtaken credential abuse as the top breach vector for the first time — accounting for 31% of breaches, compared to just 13% for credential theft. AI is accelerating attack development, compressing the window between vulnerability disclosure and exploitation from months to hours. ([Heise][1])

This shift is strategically significant. It means that companies can no longer rely solely on identity protection, phishing training, MFA, endpoint protection, or perimeter defense. While these controls remain essential, they do not address the central question that attackers are increasingly exploiting: Where is the company currently technically vulnerable?

AI is changing the pace of attacks

Generative AI and automation reduce the cost of reconnaissance, accelerate the development of exploits, and make it easier for attackers to scale their operations. The practical implication is clear: defenders must shorten the time between the disclosure, detection, prioritization, and remediation of vulnerabilities. In an environment where attackers can identify and exploit exposed vulnerabilities more quickly, vulnerability management is no longer just a periodic compliance measure. It is becoming an operational security discipline.

Vulnerability management closes the gap

Organizations must identify vulnerabilities before attackers exploit them. We view vulnerability management as the central process in which vulnerabilities in the IT infrastructure are uncovered, classified by severity, and remediation measures are recommended. This allows vulnerabilities to be eliminated before they become exploitable risks.

Vulnerability management examines the infrastructure from the attacker’s perspective and asks which systems, services, devices, and configurations are currently exposed. Greenbone explicitly positions this “outside-in” perspective as a complement to firewalls and other defense systems.

Why OpenVAS is the right vulnerability scanner right now

OPENVAS is our answer to this problem. We offer authenticated and unauthenticated testing, support for internet and industrial protocols, optimization of large-scale scans, and a powerful internal language for vulnerability testing. Our tests are sourced from a feed with daily updates, and have been since 2006.

Our enterprise vulnerability management solutions utilize more than 225,000 vulnerability tests, with new tests added daily. This is important because vulnerability management is only effective if it reflects the current threat landscape. A scanner that isn’t continuously updated will quickly be outpaced by attackers.

The economic case has become more compelling

AI is changing the economic case for vulnerability management. The need is not abstract. It is driven by measurable changes in attacker behavior. The 2026 DBIR found that the median time to full patching grew to 43 days (up from 32 days the year before) while organizations patched only 26% of vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, down from 38% in 2024.

When exploited vulnerabilities become the primary entry point into organizations, identifying and reducing the attack surface is one of the most effective ways to lower the likelihood of security breaches.

Conclusion: Security teams need continuous visibility

The lesson from the latest attack data is simple: organizations must assume that their disclosed vulnerabilities will be discovered, correlated, and exploited faster than ever before. Protecting login credentials remains essential, but it is no longer sufficient. The new priority lies in continuous visibility into the attack surface, risk-based prioritization, and rapid remediation.

This is exactly where Greenbone and OPENVAS come into play. In a threat landscape where attackers are increasingly exploiting known and detectable vulnerabilities, vulnerability management becomes the first line of defense: identify the vulnerability, understand the risk, and act before the attacker does.


[1]: https://www.heise.de/news/KI-Aera-Laut-Verizon-mehr-Angriffe-ueber-Luecken-als-mit-gestohlenen-Zugangsdaten-11299991.html?utm_source=chatgpt.com "AI Era: According to Verizon, More Attacks via Vulnerabilities Than with Stolen Credentials"

[2]: https://www.securityweek.com/verizon-dbir-2026-vulnerability-exploitation-overtakes-credential-theft-as-top-breach-vector/?utm_source=chatgpt.com "Verizon DBIR 2026: Exploitation of vulnerabilities overtakes credential theft as the most common attack method"

[3]: https://www.verizon.com/business/resources/reports/dbir/ "2026 Data Breach Investigations Report (DBIR) | Verizon"

[4]: https://www.greenbone.net/en/ "Vulnerability Management | Open Source and GDPR-Compliant"


Defenders deploying Ubuntu will be pleased to know that Greenbone’s OPENVAS SCAN now includes detection for Ubuntu 26.04 LTS security notices via the OPENVAS ENTERPRISE FEED and COMMUNITY FEED. Ubuntu 26.04 LTS, aka “Resolute Raccoon”, is a long-term support (LTS) version of Ubuntu that was released on April 23rd, 2026. LTS releases receive standard security updates and critical bug fixes for five years, meaning Ubuntu 26.04 LTS will be supported until April 2031. Support for Ubuntu 26.04 LTS extends OPENVAS SCAN’s existing detection capabilities for Ubuntu security advisories going back to Ubuntu 5.10.

Greenbone’s OPENVAS SCAN has industry-leading detection for many popular Linux distributions via authenticated Local Security Checks (LSC). Authenticated LSCs provide reliable detection because they analyze endpoint systems from within, build an asset inventory, uncover package-level software vulnerabilities, and identify other security misconfigurations.

Defenders seeking to detect and protect can try Greenbone’s OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.


Operating system (OS) security updates are critical for maintaining a strong enterprise security posture. A single flaw may give an attacker the initial access needed to execute a costly cyber attack. OS vulnerabilities impact all aspects of IT infrastructure, including on-premises and cloud assets, fleets of staff workstations, development environments, container hosts, virtualization platforms, and edge infrastructure. New regulations and compliance requirements are also demanding greater accountability and placing heavier burdens on IT security teams. Defenders need improved visibility into emerging security risks to effectively prioritize remediation.

See What’s Exposed in Your Linux Environment

Don’t wait for attackers to find what you’ve missed. Start scanning with OPENVAS FREE today — including a two-week trial of the OPENVAS ENTERPRISE FEED.

Support for Ubuntu 26.04 LTS Security Notices Is Here!

Canonical publishes Ubuntu Security Notices (USNs) when security issues are fixed in official Ubuntu packages. A typical USN identifies the affected package, affected Ubuntu releases, associated CVE IDs, vulnerability impacts, and the package updates required for remediation.
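As an added illustration of the package-level comparison behind authenticated LSC detection of a USN (example code written for this post, not Greenbone's or Canonical's), the following checks a constructed USN-style record against a constructed package inventory using the version-ordering rules that dpkg applies; the notice identifier, CVE and version strings are placeholders.

```python
"""Package-level check of a USN-style record against a dpkg inventory.

Added example, not Greenbone's or Canonical's code. The notice, CVE and
version strings below are constructed placeholders. Version ordering follows
the Debian Policy Manual rules that `dpkg --compare-versions` implements:
[epoch:]upstream[-revision], with '~' sorting before anything (even the end
of the string) and letters sorting before non-letters."""
import re

# Constructed USN-like record: placeholder identifiers, not a real notice.
USN = {
    "id": "USN-XXXX-1 (placeholder)",
    "cves": ["CVE-YYYY-NNNN (placeholder)"],
    # release -> package -> first fixed version (constructed values)
    "fixed": {"26.04": {"linux-image-generic": "6.17.0-12.12"}},
}

# Constructed inventory, as an authenticated LSC would collect it from
# `dpkg-query -W` on the target host.
INVENTORY = {
    "release": "26.04",
    "packages": {"linux-image-generic": "6.17.0-11.11", "bash": "5.2.37-1"},
}


def _order(c: str) -> int:
    """Rank of one character in a non-digit run: '~' < end < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (lexical via _order) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            ca = na[i] if i < len(na) else ""
            cb = nb[i] if i < len(nb) else ""
            d = _order(ca) - _order(cb)
            if d:
                return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        d = int(da or 0) - int(db or 0)
        if d:
            return d
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision]; the last hyphen separates the revision."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, mirroring dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    d = (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (d > 0) - (d < 0)


def vulnerable_packages(usn: dict, inventory: dict) -> list:
    """(package, installed, first-fixed) for every installed package that the
    notice fixes for this release and whose version is older than the fix."""
    fixes = usn["fixed"].get(inventory["release"], {})
    hits = []
    for pkg, installed in inventory["packages"].items():
        fixed = fixes.get(pkg)
        if fixed is not None and compare_versions(installed, fixed) < 0:
            hits.append((pkg, installed, fixed))
    return hits


if __name__ == "__main__":
    for pkg, installed, fixed in vulnerable_packages(USN, INVENTORY):
        print(f"{USN['id']}: {pkg} {installed} < {fixed} -> missing update")
```

The comparison is release-aware, so a package that is fixed in one Ubuntu release but untouched in another is only flagged where the notice actually applies.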

Organizations deploying Ubuntu 26.04 LTS can now use Greenbone’s OPENVAS SCAN to detect Ubuntu 26.04 security notices in both the OPENVAS ENTERPRISE FEED and COMMUNITY FEED.

Summary

Linux systems form the backbone of many enterprise environments, supporting critical infrastructure, cloud platforms, staff workstations, development systems, container hosts, and production workloads. Maintaining Linux security requires consistent visibility into vulnerabilities and timely patch management. Effective OS-level vulnerability management reduces exposure to exploitation, supports regulatory compliance, and helps organizations maintain a resilient security posture.

Organizations deploying Ubuntu 26.04 LTS can now use Greenbone’s OPENVAS SCAN to detect Ubuntu security notices via the OPENVAS ENTERPRISE FEED and COMMUNITY FEED. Ubuntu 26.04 detection joins other popular Linux operating systems supported in both the OPENVAS ENTERPRISE FEED and COMMUNITY FEED, including Fedora, Debian, Suse, OpenSuse, Huawei EulerOS, OpenEuler, and Mageia. Greenbone’s OPENVAS ENTERPRISE FEED supports additional Linux distributions, including Amazon Linux, Oracle Linux, AlmaLinux OS, FortiOS, and many more.

Defenders can try Greenbone’s OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

Ready to Close the Gaps in Your Linux Security?

From RHEL to Rocky Linux, Ubuntu to AlmaLinux — OPENVAS SCAN gives your team the visibility it needs to detect vulnerabilities before they become incidents. No guesswork. No blind spots.


Defenders deploying Fedora will be pleased to know that Greenbone’s OPENVAS SCAN now includes detection for Fedora 44 security advisories via the OPENVAS ENTERPRISE FEED and COMMUNITY FEED. Fedora Linux 44 was released on April 28th, 2026, and releases are typically maintained for 13 months. Fedora 44 has been assigned an expected end-of-life (EOL) date of May 19th, 2027. Support for Fedora 44 extends OPENVAS SCAN’s existing detection capabilities for Fedora security advisories going back to Fedora 7.

Greenbone’s OPENVAS SCAN has industry-leading detection for popular Linux distributions via authenticated Local Security Checks (LSC). Authenticated LSCs provide reliable detection because they analyze endpoint systems from within, build an asset inventory, uncover package-level software vulnerabilities, and identify other security misconfigurations.

Defenders seeking to detect and protect can try Greenbone’s OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.


Operating system (OS) security updates are critical for maintaining a strong enterprise security posture. A single flaw may give an attacker the initial access needed to execute a costly cyber attack. OS vulnerabilities impact all aspects of IT infrastructure, including on-premises and cloud assets, fleets of staff workstations, development environments, container hosts, virtualization platforms, and edge infrastructure. New regulations and compliance requirements are also demanding greater accountability and placing heavier burdens on IT security teams. Defenders need improved visibility into emerging security risks to effectively prioritize remediation.

See What’s Exposed in Your Linux Environment

Don’t wait for attackers to find what you’ve missed. Start scanning with OPENVAS FREE today — including a two-week trial of the OPENVAS ENTERPRISE FEED.

Support for Fedora 44 Security Advisories Is Here!

Fedora security advisories are published through the Fedora Updates System, also known as Bodhi. Each advisory includes a unique advisory identifier, affected package builds, update status, a list of associated CVEs, an overall severity rating, and testing status for the patch.

Organizations deploying Fedora 44 will be excited to know that Greenbone’s OPENVAS SCAN now supports vulnerability detection for Fedora 44 security advisories in both the OPENVAS ENTERPRISE FEED and the COMMUNITY FEED.

Summary

Linux systems form the backbone of many enterprise environments, supporting critical infrastructure, cloud platforms, staff workstations, development systems, container hosts, and production workloads. Maintaining Linux security requires consistent visibility into vulnerabilities and timely patch management. Effective OS-level vulnerability management reduces exposure to exploitation, supports regulatory compliance, and helps organizations maintain a resilient security posture.

Organizations deploying Fedora Linux can now use Greenbone’s OPENVAS SCAN to detect Fedora 44 security advisories via the OPENVAS ENTERPRISE FEED and COMMUNITY FEED. This adds security visibility for a newly released Fedora platform and helps defenders identify missing security updates across Fedora systems using authenticated package-level detection.

Fedora 44 support joins other popular Linux operating systems supported in both the OPENVAS ENTERPRISE FEED and COMMUNITY FEED, including Ubuntu, Debian, Suse, OpenSuse, Huawei EulerOS, OpenEuler, and Mageia. Greenbone’s OPENVAS ENTERPRISE FEED supports additional Linux distributions, including Amazon Linux, Oracle Linux, AlmaLinux OS, FortiOS, and many more.

Defenders can try Greenbone’s OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.

Ready to Close the Gaps in Your Linux Security?

From RHEL to Rocky Linux, Ubuntu to AlmaLinux — OPENVAS SCAN gives your team the visibility it needs to detect vulnerabilities before they become incidents. No guesswork. No blind spots.


Three new high-severity local privilege escalation (LPE) vulnerabilities affecting Linux were recently disclosed, creating significant global risk. Although user-level access is a prerequisite for their exploitation, the new CVEs allow command execution as the root user and full system takeover. The CVEs are considered reliably exploitable on all major Linux distributions.

The name “Copy Fail” was given to CVE-2026-31431 (CVSS 7.8) at disclosure time, and subsequent investigations led to the discovery of CVE-2026-43284 (CVSS 8.8), dubbed “Copy Fail 2”, and CVE-2026-43500 (CVSS 7.8). The attack chain involving CVE-2026-43284 and CVE-2026-43500 was dubbed “Dirty Frag”. CVE-2026-31431 has been added to CISA’s KEV list, after active exploitation was reported by Microsoft. Microsoft also considers Dirty Frag high-risk for post-exploitation activity. Numerous national CERT alerts have been issued globally for the CVEs [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22].


Greenbone provides Linux package-level detection for all three emergency CVEs mentioned above across a wide spectrum of Linux distributions [1][2][3]. Greenbone’s coverage also extends to security updates for a wide array of software and hardware products. As a result, OPENVAS SCAN can also help identify the impact of Copy Fail, Copy Fail 2, and Dirty Frag in third-party Linux-based products.

Greenbone’s OPENVAS SCAN has industry-leading detection for many Linux distributions with authenticated Local Security Checks (LSC). Authenticated LSCs provide reliable detection because they analyze endpoint systems from within, build asset inventories, uncover package-level software vulnerabilities, and identify other security misconfigurations.

Start Your Free Trial

With continuously updated vulnerability detection, risk prioritization intelligence, and scalable operations, OPENVAS SCAN helps organizations strengthen their cybersecurity posture by reducing exposure to known threats across IT environments.

Start evaluating Greenbone’s flagship product, OPENVAS SCAN. Our entry level enterprise appliance, OPENVAS BASIC, is available for free and includes a two week trial of the OPENVAS ENTERPRISE FEED.


What Are Copy Fail, Copy Fail 2, and Dirty Frag?

The disclosure timeline for Copy Fail, Copy Fail 2, and Dirty Frag moved quickly, overlapping with mainline Linux kernel patching and downstream Linux distribution updates. Because several related events occurred within a short period, it is useful to first clarify the terminology and timeline of events:

  • Copy Fail: Refers to CVE-2026-31431 (CVSS 7.8), an LPE flaw in the Linux kernel. Copy Fail was privately reported on March 23rd, 2026, and patched in the mainline Linux kernel on April 1st. On April 22nd, the flaw was published as CVE-2026-31431, and a full technical write-up [1] and proof-of-concept (PoC) exploit [2] followed days later. Microsoft reported active exploitation on May 1st, 2026 and CISA added CVE-2026-31431 to the Known Exploited Vulnerabilities (KEV) catalog the same day. Since then, additional technical write-ups [3][4][5], PoC exploits [5][6], and a commercial penetration testing exploit [7] have become available.
  • Copy Fail 2: Refers to CVE-2026-43284 (CVSS 8.8), published on May 8th, 2026. The flaw was discovered during follow-on research into the root cause of Copy Fail. Copy Fail 2 was privately reported on April 30th, 2026, and the fix was merged into the mainline Linux kernel on May 8th. A technical description [8] and PoC exploit [9] were published on May 7th, one day before upstream kernel patches became available to downstream Linux distributions. The original technical write-up indicates that the underlying flaw could be exploited alone for root-level access, without being chained with other software flaws, such as in Dirty Frag described below.
  • Dirty Frag: Refers to the chained exploitation of CVE-2026-43284 (Copy Fail 2) and CVE-2026-43500 (CVSS 7.8). Although CVE-2026-43500 was responsibly disclosed and published on May 11th, 2026, sensitive information became publicly available before a fix was committed to the mainline Linux kernel. This prompted security researcher Hyunwoo Kim (@v4bel) to release technical details [9] and PoC code [10] on May 8th, before the root cause of CVE-2026-43500 was patched in the mainline Linux kernel on May 10th, 2026.

A Global Risk Analysis of Copy Fail, Copy Fail 2, and Dirty Frag

The global cyber security risk posed by Copy Fail, Copy Fail 2, and Dirty Frag is high. Linux is widely used in network and security appliances, workstations, cloud environments, Internet of Things (IoT) devices, embedded systems, industrial environments, and critical infrastructure. Exploits for all three CVEs are considered highly reliable, and the flaws affect every major Linux distribution, creating broad global exposure. The vulnerabilities have been traced back to three separate upstream Linux commits; Copy Fail [72548b093ee3] and Copy Fail 2 [cac2661c53f3] were introduced in 2017, while the Dirty Frag commit [2dc334f1a63a] was introduced in 2023 [1][2].

Active exploitation of CVE-2026-31431 (Copy Fail) has been observed by Microsoft, and the CVE has been added to CISA’s KEV list, although few details about the attacks are available. Microsoft also considers Dirty Frag high risk for post-exploitation activity. The immediate risk landscape is further compounded by the fast pace of events. Sensitive technical information and exploit code for CVE-2026-43284 and CVE-2026-43500 were disclosed before patches reached downstream Linux distributions, increasing the window of opportunity for attackers. Although security researchers followed responsible disclosure paths, sensitive details about CVE-2026-43284 were released in parallel with upstream patch commits to the Linux kernel. For CVE-2026-43500, early public exposure came from a patch submitted to the public netdev mailing list on April 29th.

Complete technical details and PoC exploit code are publicly available for all three CVEs, increasing the risk of exploitation by low-skilled attackers and initial access brokers (IAB) who sell unauthorized access to cyber-criminal organizations. Numerous national CERT alerts have been issued globally, and numerous product vendors have issued advisories and emergency patches to address the issues [3][4][5][6][7][8][9][10][11][12][13].

Although LPE flaws require local account access for exploitation, attackers can gain the required access in many ways, such as:

  • Existing software vulnerabilities [T1190] [T1203]
  • Using stolen credentials [T1078]
  • Phishing and spear phishing [T1566]
  • Malicious insiders [T1199]
  • Supply chain compromise [T1195]

Potential impacts of successful exploitation include:

  • Ransomware attacks [T1486]
  • Credential theft [TA0006]
  • Rootkit deployment [T1014] for covert, persistent access [TA0003]
  • Binary replacement [T1554]
  • Disabling security tools [TA0005]
  • Botnet enrollment [T1584.005]
  • Lateral movement to other systems [TA0008]
  • Dropping poisoned files [T1204.002]
  • Downstream supply-chain attacks [T1195]

Mitigating Copy Fail, Copy Fail 2, and Dirty Frag

As of May 13th, patches are still not available for all aforementioned CVEs across all major Linux distributions. Full mitigation requires identifying affected systems and installing operating system patches as soon as possible. As a temporary workaround, defenders can disable the vulnerable algif_aead, esp6, esp4, and rxrpc kernel modules [1][2][3][4]. However, in some cases this approach could be problematic if the modules support required functionality.
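To make the module workaround and its caveat concrete, here is an added helper (example code written for this post, not Greenbone's or any distribution's tooling) that renders a modprobe.d snippet blocking the four modules named above and reports which of them are currently loaded and in use, so an operator can see what blocking would break before applying it. The config path is an assumption, the /proc/modules sample is constructed, and the description of what each module provides is general kernel knowledge rather than something taken from the advisories.

```python
"""Temporary workaround helper for Copy Fail / Copy Fail 2 / Dirty Frag.

Added example, not Greenbone's code. Renders a modprobe.d snippet that blocks
the vulnerable modules and reports which are loaded and in use, so the
"required functionality" caveat can be judged before the block is applied."""
from pathlib import Path

VULN_MODULES = ("algif_aead", "esp4", "esp6", "rxrpc")
CONF_PATH = Path("/etc/modprobe.d/disable-copyfail-dirtyfrag.conf")  # assumed path

# What each module backs (general kernel knowledge, not from the advisories).
PROVIDES = {
    "algif_aead": "AF_ALG userspace crypto sockets (AEAD ciphers)",
    "esp4": "IPsec ESP over IPv4",
    "esp6": "IPsec ESP over IPv6",
    "rxrpc": "RxRPC transport used by AFS (kafs)",
}


def render_blacklist(modules=VULN_MODULES) -> str:
    """modprobe.d content. 'blacklist' only stops alias-based autoloading;
    'install <mod> /bin/false' makes every load attempt fail, so emit both."""
    lines = []
    for m in modules:
        lines.append(f"blacklist {m}")
        lines.append(f"install {m} /bin/false")
    return "\n".join(lines) + "\n"


def loaded_vulnerable(proc_modules_text: str, modules=VULN_MODULES) -> dict:
    """Parse /proc/modules lines (name size refcount users state address) and
    return {name: (refcount, [users])} for the vulnerable modules that are
    loaded. A non-zero refcount means `modprobe -r` will fail: the module is
    actively used (e.g. live IPsec state for esp4/esp6, kafs for rxrpc)."""
    found = {}
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in modules:
            continue
        users = [] if fields[3] == "-" else fields[3].rstrip(",").split(",")
        found[fields[0]] = (int(fields[2]), users)
    return found


def workaround_report(proc_modules_text: str) -> list:
    """One line per loaded vulnerable module telling the operator what
    blocking it would affect."""
    report = []
    for name, (refcount, users) in loaded_vulnerable(proc_modules_text).items():
        state = "in use" if refcount else "loaded, idle"
        who = f" by {', '.join(users)}" if users else ""
        report.append(f"{name}: {state}{who}; provides {PROVIDES[name]}")
    return report


def write_blacklist(path: Path = CONF_PATH) -> Path:
    """Install the snippet. It takes effect for future load attempts only;
    already-loaded modules need `modprobe -r` or a reboot, which is not
    forced here so that in-use functionality is not torn down blindly."""
    path.write_text(render_blacklist())
    return path


# Constructed /proc/modules excerpt: esp4 has live users (refcount 2),
# algif_aead is loaded but idle, rxrpc is held by kafs.
SAMPLE_PROC_MODULES = """\
esp4 24576 2 - Live 0xffffffffc0a00000
xfrm_user 49152 1 - Live 0xffffffffc09f0000
algif_aead 16384 0 - Live 0xffffffffc09e0000
rxrpc 143360 1 kafs, Live 0xffffffffc0900000
kafs 409600 0 - Live 0xffffffffc0800000
"""

if __name__ == "__main__":
    # Real use: workaround_report(Path("/proc/modules").read_text()), then
    # write_blacklist() once the report shows nothing required is affected.
    for line in workaround_report(SAMPLE_PROC_MODULES):
        print(line)
```

The workaround does not replace patching: once the distribution kernel update is installed, the snippet should be removed so the modules can load again where they are needed.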

Due to active exploitation and the availability of PoC exploits, defenders should consider monitoring for indicators of compromise (IoCs) and suspicious activity, and conduct incident response if a breach is suspected.

It’s also important to remember that Copy Fail, Copy Fail 2, and Dirty Frag may introduce additional risk to many third-party products that use Linux. Defenders should scan all infrastructure for vulnerabilities and follow the affected product vendor’s security guidance.

Greenbone provides Linux package-level detection for all three emergency CVEs mentioned above across a wide spectrum of Linux distributions [5][6][7]. Greenbone’s coverage also extends to security updates for a wide array of software and hardware products, meaning that OPENVAS SCAN can help identify the impact of Copy Fail, Copy Fail 2, and Dirty Frag in third-party Linux-based products as well.

Greenbone’s OPENVAS SCAN has industry-leading detection for many Linux distributions with authenticated Local Security Checks (LSC). Authenticated LSCs provide reliable detection because they analyze endpoint systems from within, build asset inventories, uncover package-level software vulnerabilities, and identify other security misconfigurations.


Start Your Free Trial

With continuously updated vulnerability detection, risk prioritization intelligence, and scalable operations, OPENVAS SCAN helps organizations strengthen their cybersecurity posture by reducing exposure to known threats across IT environments.

Start evaluating Greenbone’s flagship product, OPENVAS SCAN. Our entry level enterprise appliance, OPENVAS BASIC, is available for free and includes a two week trial of the OPENVAS ENTERPRISE FEED.


Summary

Copy Fail, Copy Fail 2, and Dirty Frag create a serious risk to any systems or devices that use Linux. The flaws are all local privilege escalation (LPE) vulnerabilities that require user-level access to exploit. However, risk is increased due to reliable exploitation on all major Linux distributions, the availability of public PoC exploit code, and in the case of CVE-2026-31431, known active exploitation.

Organizations should regularly scan their IT infrastructure with OPENVAS SCAN to ensure Linux kernel patches are applied network-wide and vulnerable third-party software and hardware are identified. Security updates should be installed as soon as they become available. Temporary kernel module workarounds may be considered in the meantime where feasible. Additional measures include restricting local access paths and monitoring systems for indicators of compromise (IoCs).

In April 2026, the cyber security landscape was flooded with news about Anthropic’s new Mythos bug-hunting AI and Project Glasswing. The rose-colored takeaway is that one year from now, software will be free from vulnerabilities because AI will find all of the flaws and vendors will patch. Major software companies will scan all their products pre-release and software vulnerabilities will be a thing of the past. However, reality likely has something else in store. Let’s dig into the evolving cyber risk landscape of April 2026.


Although several of this month’s top threats are mentioned here, many emerging vulnerabilities are not. OPENVAS SCAN doesn’t just detect the most critical flaws in your IT environment. Greenbone’s OPENVAS ENTERPRISE FEED adds thousands of new vulnerability tests per month to detect flaws in enterprise software applications, IT networking products, major OSs and browsers, Linux packages, productivity tools, agentic AI tooling, and more. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.

Start Your Free Trial

With continuously updated vulnerability detection, risk prioritization intelligence, and scalable operations, OPENVAS SCAN helps organizations strengthen their cybersecurity posture by reducing exposure to known threats across IT environments.

Start evaluating Greenbone’s flagship product, OPENVAS SCAN. Our entry level enterprise appliance, OPENVAS BASIC, is available for free and includes a two week trial of the OPENVAS ENTERPRISE FEED.


Mythos or Reality? Time to Find Out

Project Glasswing created a media frenzy, yet transparency remained elusive. Anthropic did not release a public list matching its claim of “thousands of zero-day vulnerabilities” across “every major operating system” and “every major web browser”. This month, VulnCheck found only 75 published CVE records mentioning “Anthropic” and only 40 of those were credited to Anthropic researchers. So far, only one CVE is explicitly attributed to Project Glasswing: CVE-2026-4747 (CVSS 8.8).

The potential risk posed by offensive AI technology is high. The immediate advice from established cyber security authorities SANS Institute and the Cloud Security Alliance (CSA) is for organizations to double down on core cybersecurity measures: ensure strong mitigating and preventative controls such as the principle of least privilege (PoLP) and network segmentation to prevent lateral movement, patch faster, and be prepared for a possible influx of new high-severity CVEs. Also, where potential zero-day exploitation creates high risk, outfit endpoints with detection and response technologies, and be prepared to redeploy critical assets with minimal downtime. Third-party risk can also directly impact your organization’s operations. This is a more balanced interpretation of the near-term risk that organizations face.

Apache ActiveMQ Actively Exploited for RCE

CVE-2026-34197 (CVSS 8.8, EPSS ≥ 98th pctl) is a code injection flaw caused by improper input validation affecting Apache ActiveMQ Classic. Apache ActiveMQ is a popular Java-based message broker that handles asynchronous communication via message queues with support for flexible client options. CVE-2026-34197 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and multiple national CERT agencies have issued alerts globally [1][2][3][4][5][6][7][8]. Previous flaws in ActiveMQ are known to be leveraged in ransomware attacks. A full technical description and proof-of-concept (PoC) exploit kit are publicly available, increasing the risk. Shadowserver reports roughly 8,000 exposed instances of ActiveMQ on the Internet.

The new CVE is considered a bypass of CVE-2022-41678 (CVSS 8.8). Exploiting CVE-2026-34197 does not require credentials on ActiveMQ v6.0.0–6.1.1 due to another unpatched missing authentication vulnerability, CVE-2024-32114 (CVSS 8.8). While authentication is required for exploiting other versions of ActiveMQ, default credentials are also a factor for unauthorized access. Incidentally, the Horizon3.ai security researcher who discovered CVE-2026-34197 attributed 80% of the process to a pre-Mythos version of Claude AI.

Greenbone’s OPENVAS ENTERPRISE FEED includes an active check and a remote banner version check for CVE-2026-34197. Users must upgrade to v5.19.4 or v6.2.3 for mitigation.

Trojan Documents Exploiting Adobe Acrobat and Reader

CVE-2026-34621 (CVSS 8.6, EPSS ≥ 92nd pctl) is a prototype pollution flaw [CWE-1321] that allows arbitrary code execution in the context of the current user. CVE-2026-34621 is exploitable via social engineering and requires a malicious PDF file to be opened. CVE-2026-34621 has been added to CISA’s KEV list and Adobe acknowledged active exploitation in a security bulletin. Numerous national CERT alerts have been issued globally [1][2][3][4][5][6][7][8][9][10][11][12][13][14].

According to security researchers, the flaw has been exploited since at least late 2025 as indicated by VirusTotal findings. The identified malware base64-decodes a payload and executes it as JavaScript to extract information from the victim’s computer, including the contents of local files, sends the data to the attacker’s command-and-control (C2) server, and awaits further instructions to execute. Another malware analysis report found that malware exploiting CVE-2026-34621 abuses multiple undocumented internal APIs in Adobe Acrobat and Reader in the attack chain.

Affected products are Acrobat DC Continuous 26.001.21367 and earlier, Acrobat Reader DC Continuous 26.001.21367 and earlier, and Acrobat 2024 Classic 2024 24.001.30356 and earlier on Windows and macOS. The OPENVAS ENTERPRISE FEED includes detection tests for all affected products on Windows [15][16][17] and macOS [18][19][20]. Users should update to a patched version immediately.

CVE-2026-3854: Authenticated RCE in GitHub Enterprise and GitHub.com

CVE-2026-3854 (CVSS 8.8) allows an authenticated attacker with push permissions to a repository to achieve RCE on a Git server. During a git push operation, user-supplied values are not properly sanitized before being included in internal service headers, potentially resulting in command injection [CWE-77] and RCE.

Several GitHub products including GitHub.com, GitHub Enterprise Server, and GitHub Enterprise Cloud are affected. A full technical description has been published and public PoC exploits have been sighted by CIRCL.lu. Although GitHub.com’s public infrastructure was affected, internal forensic review found no evidence of in-the-wild exploitation or indicators of compromise (IoC).

The OPENVAS ENTERPRISE FEED includes package-level detection for GitHub Enterprise Server. Users should upgrade to GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, or 3.19.4.

Patch Now! High-Severity Flaws in Core Linux Components

Let’s turn our focus to Greenbone’s support for Linux security advisories and what the OPENVAS ENTERPRISE FEED can do for security teams managing Linux assets by reviewing some of the top Linux flaws from April 2026.

Pack2TheRoot: Linux Privilege Escalation via PackageKit

PackageKit is the D-Bus system-level API for managing software packages across different Linux package managers, including APT, DNF, RPM, and Pacman. CVE-2026-41651 (CVSS 8.8), dubbed Pack2TheRoot, is an attack chain that combines three separate bugs into an exploitable time-of-check-time-of-use (TOCTOU) race condition [CWE-367]. The flaw ultimately allows unprivileged users to install arbitrary packages as root.

Telekom Security published a technical description, including a detailed PoC exploit. Other PoC exploits can also be found online [1][2] and several national CERT alerts have been issued globally [1][2][3]. The OPENVAS ENTERPRISE FEED includes detection for CVE-2026-41651 as reported in Linux security advisories. PackageKit versions 1.0.2 through 1.3.4 are affected and users should update to version 1.3.5.

CVE-2026-33413: Authentication Bypass in etcd

etcd is a distributed key-value store designed for authoritative data coordination in Linux environments. CVE-2026-33413 (CVSS 8.8) is a missing authorization vulnerability [CWE-862] in etcd clusters with auth enabled. The flaw allows attackers to access sensitive etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. RCE is not described as a potential impact of CVE-2026-33413. However, an attacker may learn cluster topology, including member IDs and advertised endpoints, permanently remove historical revisions, disrupt watch, audit, and recovery workflows, or trigger denial of service (DoS) conditions.

etcd is often associated with Kubernetes, where it stores the cluster’s authoritative state, including nodes, pods, secrets, and control-plane metadata. However, since Kubernetes does not rely on etcd’s built-in authentication and authorization, typical Kubernetes deployments are not affected.

Germany [1] and France [2] have issued national CERT advisories for the flaw. Greenbone includes a remote banner version check for detecting exposed etcd services affected by CVE-2026-33413. etcd versions 3.4.42, 3.5.28, and 3.6.9 contain a patch for CVE-2026-33413.

CVE-2026-34714: Trojan Vim Files Can Execute Arbitrary Code

Update (May 7, 2026)

Fortra has published a Core Certified Exploit module for CVE-2026-34714, listed as “Vim Tabpanel Modeline Exploit”. The module confirms practical exploit development for CVE-2026-34714 and may increase the likelihood of downstream public exploit availability.

CVE-2026-34714 (CVSS 8.6) allows arbitrary OS commands to be executed when a user opens a specially crafted file. These commands are executed with the privileges of the user who opened the file. CVE-2026-34714 is classified as a command injection flaw caused by improper neutralization of special elements [CWE-78].

There is no public PoC exploit for CVE-2026-34714, and it is not considered exploited in the wild. The OPENVAS ENTERPRISE FEED includes detection for CVE-2026-34714 as reported in Linux security advisories. The flaw was introduced in v9.1.1390 and patched in v9.2.0172.

CVE-2026-34078: Sandbox Escape and RCE via Malicious Flatpak Apps

CVE-2026-34078 (CVSS 10) is a complete sandbox escape of the flatpak run process caused by an exploitable TOCTOU race condition [CWE-367] when file paths provided as sandbox-expose options are replaced with symlinks post-verification. Once flatpak run mounts the swapped-out symlink in the sandbox, a malicious app can read and write arbitrary files on the host and exploit these unauthorized privileges to gain code execution.

There is no public PoC exploit for CVE-2026-34078, and it is not considered exploited in the wild. The OPENVAS ENTERPRISE FEED includes detection for CVE-2026-34078 as reported in Linux security advisories. Users should upgrade to Flatpak version 1.16.4 for mitigation.

Microsoft Risk: New Active Exploitation and Disclosure Controversy

A large Patch Tuesday included 173 new vulnerabilities in Microsoft’s core products. Nineteen were rated as “Exploitation More Likely”, and two were quickly added to CISA’s KEV list. Another critical flaw, CVE-2026-40372 (CVSS 9.1), was disclosed out-of-band. Also, a disgruntled security researcher abandoned the responsible disclosure process with Microsoft and published PoC exploit code for an otherwise undisclosed and unpatched vulnerability.

Let’s review some of these new high-risk Microsoft vulnerabilities:

  • CVE-2026-33825 (CVSS 7.8, EPSS ≥ 87th pctl): A local privilege escalation (LPE) in Microsoft Defender allows a local user to gain SYSTEM-level permissions. Dubbed “BlueHammer”, the flaw was reportedly disclosed by a disgruntled security researcher, along with a PoC exploit. Technical analyses have also been published [1][2]. BlueHammer is exploited in the wild and has been added to CISA’s KEV list. Two additional zero-days disclosed by the disgruntled researcher, dubbed RedSun and UnDefend, remain unpatched by Microsoft despite having PoC exploits [3][4] and being observed in active attacks.
  • CVE-2026-32201 (CVSS 6.5): A new actively exploited flaw in Microsoft SharePoint Server caused by improper input validation [CWE-20] allows an unauthorized attacker to perform spoofing over a network. Technical details about CVE-2026-32201 are not publicly available, and no public PoC exploit exists. Previous SharePoint flaws have been targeted by sophisticated nation-state threat actors [5][6][7]. CVE-2026-32201 comes soon after another SharePoint vulnerability, CVE-2026-20963 (CVSS 9.8, EPSS ≥ 90th pctl), was added to CISA’s KEV in April 2026.
  • CVE-2026-32202 (CVSS 4.3, EPSS ≥ 92nd pctl): A protection mechanism failure [CWE-693] in Windows Shell allows an unauthorized attacker to remotely bypass Microsoft Defender security controls. The flaw has been added to CISA’s KEV list. A detailed technical report from Akamai shows that CVE-2026-32202 is an incomplete patch for CVE-2026-21510 (CVSS 8.8), which was actively exploited by APT-28.
  • CVE-2026-40372 (CVSS 9.1): Changes introduced in version 10.0.6 of the AspNetCore.DataProtection package in .NET Core caused secret decryption failure for some users [8][9]. Following investigation, Microsoft determined that the update also allows unauthorized attackers to elevate privileges over a network. Technical details about CVE-2026-40372 are not publicly available, and no public PoC exploit exists. Versions 10.0.0 – 10.0.6 are affected by CVE-2026-40372 and users should update .NET Core runtime to version 10.0.7 and .NET Core SDK to version 10.0.107 or 10.0.203.

Greenbone’s OPENVAS ENTERPRISE FEED includes detection for all Microsoft CVEs referenced above and frequently updated dedicated families of detection tests for Microsoft products.

CVE-2026-2699: Unauthenticated RCE in Progress ShareFile with Public PoC

CVE-2026-2699 (CVSS 9.8, EPSS ≥ 96th pctl) allows unauthenticated read and write access to restricted configuration pages on Progress ShareFile StorageZones Controller. The flaw allows changing system configurations and, potentially, unauthenticated RCE. CVE-2026-2701 (CVSS 8.8, EPSS ≥ 70th pctl) has a similar impact for authenticated users; an authenticated attacker can upload a malicious file and execute it, leading to RCE.

Progress Software’s products have frequently been targeted in ransomware attacks in the past [1][2][3][4]. Although neither CVE is considered actively exploited yet, watchTowr Labs released a full technical write-up covering both CVEs that includes PoC exploit code. ShadowServer data indicates that the majority of publicly exposed instances are concentrated in the United States. Italy [5] and France [6] have issued CERT alerts for the pair of new CVEs.

The OPENVAS ENTERPRISE FEED includes a remote exploitability check for CVE-2026-2699 and a remote banner version check that covers both CVE-2026-2699 and CVE-2026-2701. All versions of Progress ShareFile StorageZones Controller before 5.12.4 are affected.

CVE-2025-59528: Actively Exploited CVSS 10 Flaw in Flowise

CVE-2025-59528 (CVSS 10, EPSS ≥ 99th pctl) is a code injection flaw [CWE-94] affecting Flowise prior to version 3.0.6. User-defined configuration settings from the CustomMCP node are passed directly to the Function() constructor, which executes JavaScript expressions without security validation. CustomMCP runs with Node.js runtime privileges and has access to dangerous modules such as child_process and fs.
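As an added illustration (not Flowise’s own code), the vulnerable pattern described above beside a hardened parser that treats the configuration as data rather than code; the field names url and headers are assumed for the example:

```javascript
// Added example, not Flowise's code: why handing user-supplied configuration
// to the Function() constructor is a code-injection sink, and a hardened
// parser that only accepts a JSON object with known keys.
// The field names (url, headers) are assumptions for illustration.

// Vulnerable pattern: "parse" a configuration string by letting the JS engine
// evaluate it. Any expression runs with the privileges of the Node.js process,
// so a config value is effectively arbitrary code.
function parseMcpConfigUnsafe(configText) {
  return Function('return (' + configText + ')')();
}

// Hardened pattern: configuration is data. Parse it as JSON, then validate the
// shape and the keys. Nothing in the input is ever executed.
const ALLOWED_KEYS = new Set(['url', 'headers']);

function parseMcpConfigSafe(configText) {
  let parsed;
  try {
    parsed = JSON.parse(configText);
  } catch (e) {
    throw new Error('configuration must be valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('configuration must be a JSON object');
  }
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) {
      throw new Error('unexpected configuration key: ' + key);
    }
  }
  if (typeof parsed.url !== 'string' || !/^https?:\/\//.test(parsed.url)) {
    throw new Error('url must be an http(s) URL');
  }
  if (parsed.headers !== undefined) {
    const h = parsed.headers;
    if (h === null || typeof h !== 'object' || Array.isArray(h)) {
      throw new Error('headers must be an object');
    }
    for (const [name, value] of Object.entries(h)) {
      if (typeof value !== 'string') {
        throw new Error('header ' + name + ' must be a string');
      }
    }
  }
  return parsed;
}

// Constructed inputs. The first is plain JSON. The second is not JSON at all:
// it is a JavaScript object literal that reads from the process object, which
// the unsafe parser happily evaluates.
const BENIGN_CONFIG = '{"url": "https://mcp.example.test/sse"}';
const EXPRESSION_CONFIG =
  '{ url: "https://mcp.example.test/sse", nodeVersion: process.version }';

// Runs both parsers over both inputs and reports what each accepted.
function demo() {
  const results = {
    unsafeBenign: parseMcpConfigUnsafe(BENIGN_CONFIG),
    unsafeExpression: parseMcpConfigUnsafe(EXPRESSION_CONFIG),
    safeBenign: parseMcpConfigSafe(BENIGN_CONFIG),
    safeExpressionRejected: false,
  };
  try {
    parseMcpConfigSafe(EXPRESSION_CONFIG);
  } catch (e) {
    results.safeExpressionRejected = true;
  }
  return results;
}

console.log(demo());
```

The unsafe parser returns an object containing the live Node.js version read at evaluation time, while the hardened parser rejects the same input as invalid JSON.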

CVE-2025-59528 was disclosed in September 2025, but the flaw gained more attention [1][2][3] this month, when it was reported as actively exploited. Notably, PoC exploit code was revealed by the vendor at disclosure time. The OPENVAS ENTERPRISE FEED has included a remote banner version check for CVE-2025-59528 since it was published, along with numerous tests for other Flowise CVEs, and a product detection module for Flowise. Users should upgrade to version 3.0.6.

Authenticated Command Execution on Juniper Networks MX Series Devices

CVE-2026-33785 (CVSS 8.8) allows a local, authenticated user with low privileges to execute dangerous commands from the CLI of Juniper Networks Junos OS on MX Series. Exploitation could lead to complete system compromise of managed devices. The root cause is missing authorization [CWE-862] for request csds operations, which are only meant to be executed by high-privileged users.

CVE-2026-33785 is not considered actively exploited and PoC exploit code is not publicly available. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-33785, and detection for many other flaws in Juniper Networks products. CVE-2026-33785 affects Junos OS on MX Series, 24.4 releases before 24.4R2-S3 and 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4.

TrueChaos: Campaign Targeting TrueConf Client in Southeast Asia

CVE-2026-3502 (CVSS 7.8, EPSS ≥ 85th pctl) allows an attacker who can influence the update delivery path to TrueConf Client applications to inject and execute a tampered update payload. TrueConf is a video conferencing and unified communications product family often deployed on-premises in private networks for secure, sovereign communication.

CVE-2026-3502 was added to CISA’s KEV list and Check Point has published details on at least one attack campaign dubbed “TrueChaos” targeting the government agencies of an unnamed Southeast Asian country. The malicious update still upgraded the victim’s client from 8.5.1 to 8.5.2 to reduce suspicion.

Greenbone’s OPENVAS ENTERPRISE FEED includes an authenticated registry check to identify vulnerable installations of TrueConf Client. All versions prior to 8.5.3.884 are affected and users should upgrade TrueConf Client to version 8.5.3.884 or later.

Summary

AI-assisted vulnerability discovery has accelerated the sheer number of CVEs published each month. The increase reflects a combination of both AI slop and legitimate critical-severity flaws in widely used enterprise software. Anthropic’s Mythos could result in more high-impact disclosures, but so far evidence has been elusive. The SANS Institute and CSA have advised organizations to essentially double their efforts towards core cyber security controls.

Defenders should employ continuous vulnerability management programs to reduce risk exposure with OPENVAS SCAN and the OPENVAS ENTERPRISE FEED for industry-leading vulnerability coverage. Greenbone produces thousands of new vulnerability tests per month to detect flaws in enterprise software applications, IT networking products, major OSs and browsers, Linux packages, productivity tools, agentic AI tooling, and more. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.

Update (May 18, 2026)

Three additional CVEs have been discovered in cPanel & WHM that could allow attackers to read files, execute arbitrary code, or escalate privileges on unpatched systems. The issues have been patched in cPanel & WHM versions 11.136.0.9, 11.134.0.25, 11.132.0.31, and WP Squared. Greenbone’s OPENVAS ENTERPRISE FEED provides users with alerts to emerging threats, including detection for all three new CVEs. The CVEs are described below:

  • CVE-2026-29202 (CVSS 8.8): The plugin parameter in the create_user plugin does not sufficiently validate input, allowing an authenticated user to execute arbitrary Perl code. See the official vendor advisory for a full list of affected and patched versions.
  • CVE-2026-29203 (CVSS 8.8): The chmod command in the cPanel Nova plugin’s Cpanel::Nova::Connector function follows symlinks. If an authenticated user places a symlink in a user-controlled legacy Nova path within their home directory, the flaw allows file execution with root permissions. See the official vendor advisory for a full list of affected and patched versions.
  • CVE-2026-29201 (CVSS 8.6): Insufficient input validation of the feature file name in the feature::LOADFEATUREFILE adminbin call can cause arbitrary file read when a relative file path is passed. See the official vendor advisory for a full list of affected and patched versions.

There is no evidence of active exploitation for the new CVEs. Full technical descriptions and PoC exploits are not available. Several national CERT alerts were issued [1][2][3][4][5][6].

Update (May 7, 2026)

Additional in-the-wild exploitation of CVE-2026-41940 has been observed targeting government, military, MSP, and hosting-sector targets.

On May 2nd, 2026, an actor was observed targeting Southeast Asian government and military entities in the Philippines and Laos, defense-related organizations, and MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the United States. The threat actor relied heavily on public proof-of-concept exploit code for CVE-2026-41940, including watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py and check_session.py. Observed activity included creating rogue systemd services for persistence [T1543.002], installing reverse shells [T1059.004] for remote command and control (C2) [TA0011], changing user passwords [T1098] to “toor”, and more.

A separate public exploit framework, cPanelSniper, has also been released for CVE-2026-41940. The tool automates the authentication-bypass chain and supports bulk exploitation, account enumeration, RCE, and post-exploitation activity. Public reporting indicates large-scale scanning, Mirai botnet deployment, and ransomware attacks.

Published on April 29th, 2026, CVE-2026-41940 (CVSS 9.8, EPSS ≥ 95th pctl) allows unauthenticated remote attackers to gain administrative access to cPanel & WHM, and WP Squared through a missing authentication flaw [CWE-306]. Successful exploitation can grant control over hosted websites, databases, email accounts, the server operating system and configuration, and adjacent websites in shared-hosting environments.

CVE-2026-41940 has been added to CISA’s KEV list and is widely reported as actively exploited in the wild. Reports suggest the flaw was exploited as a zero-day as early as February 23, 2026. A full technical analysis and proof-of-concept (PoC) exploit code have been published by watchTowr Labs, and multiple national CERT agencies have issued alerts globally [1][2][3][4][5][6][7][8].


The potential global impact of CVE-2026-41940 is significant. cPanel’s vendor claims to have 1.5 million internet-exposed instances, roughly 70 million domains. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote vulnerability check that directly verifies the exploitability of CVE-2026-41940 in cPanel and WHM instances.

Technical Details of CVE-2026-41940

CVE-2026-41940 is an authentication bypass vulnerability [CWE-306] enabled by CRLF injection during cPanel’s session loading and saving process. Session state corruption is possible due to a combination of flaws in cPanel & WHM’s session handling logic. To be clear, CVE-2026-41940 is not a single missing authentication check. It results from multiple structural software flaws that can be chained into relatively low-complexity attacks. Multi-factor authentication (MFA) offers no protection against attacks exploiting CVE-2026-41940.

Below is a description of the fundamental flaws that make up CVE-2026-41940:

  1. Inconsistent sanitization of session data is caused by a flaw in the callers tasked with remembering to sanitize data before saving it. The filter_sessiondata routine, intended to remove dangerous control characters, was not enforced inside the saveSession function itself. This allows the password value to be taken from a decoded Authorization: Basic header and written without proper sanitization to the raw session file.
  2. The second flaw involves conditional encoding of the pass (password) field. cPanel session cookies contain a session identifier and an <ob> secret segment included after a comma. However, if an attacker supplies a valid session identifier and the <ob> segment without the comma, the server still resolves the correct session file but bypasses encryption. This means the malicious password value remains in plaintext form, may include embedded carriage return or line feed (CRLF) characters, and is written directly to the session file.
  3. The third flaw is a mismatch between the raw session file format and the JSON session cache. cPanel maintains both a key=value session file and an identical JSON-serialized cache. Normal session handling loads the JSON cache, while the injected CRLF payload remains inside the pass string. However, another reachable path, Cpanel::Session::Modify, explicitly loads the raw session file containing the attacker-injected lines and copies them to the JSON cache, promoting them to top-level session attributes.
  4. The attacker can inject session attributes to bypass authentication. By providing values such as hasroot=1, tfa_verified=1, user=root, and successful_internal_auth_with_timestamp, an attacker can force a root-level authenticated session. In the WHM authentication path, an internal or external authentication timestamp bypasses verification against /etc/shadow and returns AUTH_OK.
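An added example, not cPanel’s code, reducing the first and third flaws above to their data-handling core: a line-oriented key=value session store that relies on callers to filter values, beside one that filters unconditionally in the save routine. The session contents are constructed; the attribute names come from the description above.

```javascript
// Added example (not cPanel's code): why a key=value session store must strip
// control characters in the save routine itself rather than trust every
// caller. The session fields below are constructed; the attribute names
// (hasroot, user, tfa_verified) are those named in the write-up.

// Vulnerable serializer: assumes callers already filtered the values, so an
// embedded CR/LF inside a value becomes a new line, and a new line is a new
// attribute once the raw file is parsed.
function saveSessionUnsafe(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join('\n') + '\n';
}

// Equivalent of a filter_sessiondata step, applied unconditionally in the sink:
// remove CR, LF and every other control character from keys and values.
// Rejecting such values outright would be the stricter alternative.
function filterSessionValue(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, '');
}

function saveSessionSafe(fields) {
  return Object.entries(fields)
    .map(([k, v]) => `${filterSessionValue(k)}=${filterSessionValue(v)}`)
    .join('\n') + '\n';
}

// Raw-file loader in the style of a path that reads the key=value file
// directly: each line becomes a top-level attribute, and a later line
// overrides an earlier one with the same key.
function loadRawSession(text) {
  const session = {};
  for (const line of text.split(/\r?\n/)) {
    if (!line) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    session[line.slice(0, eq)] = line.slice(eq + 1);
  }
  return session;
}

// Authorization decision that consumes the loaded session state.
function isRootSession(session) {
  return session.user === 'root' && session.hasroot === '1';
}

// Constructed session: a low-privilege user whose password value carries
// embedded CRLF sequences followed by attribute lines.
const INJECTED_PASSWORD = 'x\r\nhasroot=1\r\nuser=root\r\ntfa_verified=1';
const SESSION_FIELDS = { user: 'lowpriv', hasroot: '0', pass: INJECTED_PASSWORD };

// Saves the same fields with both serializers, reloads each file through the
// raw loader and reports what the authorization check concludes.
function demo() {
  const unsafeLoaded = loadRawSession(saveSessionUnsafe(SESSION_FIELDS));
  const safeLoaded = loadRawSession(saveSessionSafe(SESSION_FIELDS));
  return {
    unsafeIsRoot: isRootSession(unsafeLoaded),
    safeIsRoot: isRootSession(safeLoaded),
    safePass: safeLoaded.pass,
  };
}

console.log(demo());
```

With the unsafe serializer the injected lines override user and hasroot on reload; with filtering in the sink the whole value stays inside the pass attribute.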

The cPanel & WHM administrative web interface provides shell command execution directly through its built-in terminal interfaces: WHM’s Terminal gives authorized users in-browser command line access. cPanel’s SSH Access interface also allows management of the server’s SSH service and authorized_keys, meaning a privileged attacker can hijack SSH for remote access [T1563.001].

Global Risk Assessment of CVE-2026-41940

CVE-2026-41940 presents a severe global risk because it affects widely used internet-facing hosting infrastructure, and allows unauthenticated, remote, root-level access. cPanel’s vendor claims to have 1.5 million internet-exposed instances, roughly 70 million domains. CVE-2026-41940 has been added to CISA’s KEV list, and reports suggest the flaw was exploited as a zero-day as early as February 23, 2026. watchTowr Labs has published a full technical description and detailed instructions for exploitation, further increasing the probability of widespread compromise.

CVE-2026-41940 enables a wide array of secondary attacks including:

The impact is highest for hosting providers, managed service providers, web agencies, resellers, and organizations operating shared or multi-tenant hosting environments. A single compromised WHM administrative session may give an attacker access to multiple customers’ data and email accounts. Organizations should treat any exposed, unpatched instance as potentially compromised.

Remediation Guidance for CVE-2026-41940

Organizations should treat CVE-2026-41940 as an emergency patching priority and urgently update any affected cPanel & WHM and WP Squared instances to a fixed release. All versions of cPanel and WHM after 11.40 are affected. Mitigation requires a restart of the cPanel cpsrvd service. If immediate patching is not possible, restrict access to cPanel and WHM interfaces using firewall rules or IP allowlists, especially on ports 2083, 2087, 2095, and 2096. cPanel lists the fixed cPanel & WHM versions as:

  • 86.0.41
  • 110.0.97
  • 118.0.63
  • 124.0.35
  • 126.0.54
  • 130.0.19
  • 132.0.29
  • 134.0.20
  • 136.0.5

WP Squared has been fixed in version 136.1.7. Because CVE-2026-41940 is actively exploited, organizations should assume internet-facing instances may have been targeted before patching, and conduct a complete forensic analysis to determine system integrity. This includes reviewing authentication logs, session activity, and administrative changes for signs of unauthorized access. However, defenders should also consider that attackers may gain root-level access and subsequently affect the integrity of the server OS and system logs.

Summary

CVE-2026-41940 is a critical authentication bypass in cPanel & WHM, and WP Squared that enables unauthenticated administrative access and potential full server takeover. Active exploitation, public exploit details and widespread exposure make this an emergency for hosting providers globally. Organizations should patch immediately, restart services, and investigate exposed systems for compromise. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote vulnerability check that directly verifies the exploitability of CVE-2026-41940 in cPanel and WHM instances.

Until recently, a digital product could be placed on the European market with essentially no binding cyber security standard attached to it. Manufacturers decided how much security to build in, and buyers had no assurances and no way to compare. When vulnerabilities emerged, there was no legal obligation to report or fix them. Products could be abandoned without prior notice, leaving them vulnerable to cyber attack.

The EU Cyber Resilience Act is the first EU regulation to require cyber security as a baseline condition for bringing digital products to market. Adopted in October 2024, its key obligations enter the enforcement phase in September 2026. [1] If you manufacture or distribute a digital product that is sold on the EU market, this regulation applies to you.


What Does ‘Cyber Resilience’ Actually Mean?

Cyber resilience refers to the ability to anticipate, withstand, recover from, and adapt to adverse cyber security events. The CRA operationalises cyber resilience at the market level by turning broad cyber security expectations into legally enforceable product obligations. Products must be designed to be resilient against attacks, and manufacturers must actively manage vulnerabilities throughout their product’s life cycle.

What Is a “Product With Digital Elements”?

The CRA uses the term ‘product with digital elements’ to define its scope. A product with digital elements is defined as any software or hardware product – and its remote data processing solutions – that can connect, directly or indirectly, to another device or network [2]. All things considered, this includes virtually all software that runs on a standard desktop computer, laptop, or mobile phone, and even simple hardware devices like a TV remote control.

The major product groups include:

  • Enterprise software platforms: ERP systems, CRM software, security tools, and collaboration platforms
  • Consumer hardware: smart home devices, connected appliances, routers, and IP cameras
  • Industrial products: PLCs, SCADA systems, industrial sensors, and connected machinery
  • Developer tools: IDEs, CI/CD platforms, and build tools with network connectivity
  • Operating systems: desktop, server, and embedded OS products
  • Mobile applications and other software components


Who Has to Comply?

The CRA places the primary obligation on manufacturers: the legal entities designing, developing, or producing products with digital elements and placing them on the EU market under their own name or trademark. But it does not end there. Importers and distributors also carry obligations. If you bring a third-party product to the EU market or make it available within the EU, you are responsible for verifying that it meets CRA requirements.

The CRA applies wherever you are based. A US software vendor selling to EU customers falls within its scope. Where a non-EU manufacturer’s products are sold in the EU by a European distributor, both parties carry obligations – the manufacturer as the entity responsible for the product, and the distributor as the entity making it available on the EU market.

The maximum fine for CRA non-compliance is €15 million or 2.5% of global annual turnover, whichever is higher – figures that concentrate board attention quickly.

What Is Explicitly Out of Scope?

  • Products covered by equivalent sector-specific legislation, such as certain medical devices, aviation equipment, and motor vehicles, where existing rules provide comparable cyber security requirements
  • Purely non-commercial open-source software (CRA still applies to open-source components of commercial products and open-source stewards)
  • National security, intelligence, and military products
  • Products not available on the market and designed exclusively for certain purposes, such as evaluation prototypes

What Does the CRA Actually Require?

At its core, the CRA requires manufacturers to do four things:

  1. Build secure digital products: Design, develop, and produce products with cyber security in mind from the start – not bolted on afterward. Products must ship without known exploitable vulnerabilities, with a minimal attack surface, and in a secure default configuration.
  2. Actively support product security: Provide security updates free of charge for at least five years. Responsibly document and manage security flaws. Maintain a Software Bill of Materials (SBOM) identifying all software components.
  3. Report exploited vulnerabilities: From 11 September 2026, report actively exploited vulnerabilities to ENISA within 24 hours and submit full technical details within 72 hours. [3]
  4. Assess and demonstrate conformity: Conduct a cyber security risk assessment before market placement. Maintain technical documentation for 10 years. Affix CE marking to demonstrate conformity. [4]

The September 2026 Deadline: Why It Matters Now

Most manufacturers are focused on the December 2027 full enforcement date – but the more immediately urgent deadline is September 11th, 2026, which kicks off vulnerability reporting obligations. That is less than five months away. From that date, any actively exploited vulnerability in your products must trigger a formal notification process to European cyber security authorities within 24 hours. [5]

Building and testing the internal process for that requires preparation. Not just a policy document, but an actual operational workflow, with tooling, escalation paths, and staff training. For security and engineering leads, September 2026 is the deadline that justifies budget conversations now — not after the 2027 full-enforcement date, when the window for orderly implementation will have closed.

What CRA Compliance Actually Requires in Practice

Meeting these obligations requires a technical foundation: you need to know what components are in your products, track which CVEs affect them, and have a way to prioritise what gets fixed first. In practice, this means vulnerability management tooling integrated into your pipeline — not as a compliance checkbox, but as a continuous process that produces a CRA-compliant audit trail. The CRA does not prescribe a specific tool, but it does prescribe the outcome: documented, traceable, repeatable vulnerability handling.

Done well, these processes can also make developers’ day-to-day work less chaotic: fewer emergency patch cycles, actionable alerts instead of raw CVE firehose output, and clear triage priority so the team is fixing what actually matters rather than everything at once.

If you are mapping out what that process needs to look like for your organisation, our upcoming posts will cover the core components of a CRA-ready vulnerability management workflow – including what an SBOM needs to contain, how exploitability scoring works in practice, and where open source tooling fits in.

On April 14th and 15th, Fortinet disclosed 27 new vulnerabilities affecting a wide range of its products. The most severe of the new flaws, CVE-2026-39808 (CVSS 9.8) and CVE-2026-39813 (CVSS 9.8), allow unauthenticated remote code execution (RCE) on the FortiSandbox service. FortiSandbox is Fortinet’s remote sandboxing and malware analysis service, distributed as on-premises hardware appliances, virtual machines (VMs), and hosted cloud services. Together, these two critical CVEs generated several national CERT advisories globally [1][2][3][4][5][6][7][8][9]. A proof of concept (PoC) exploit for CVE-2026-39808 is publicly available, increasing the risk.

One medium severity CVE from the group, CVE-2025-61624 (CVSS 6.0), was reported by Fortinet as actively exploited, but has not been tracked in CISA’s Known Exploited Vulnerabilities (KEV) list. No details of the attack campaigns or public PoC are available.

Other Fortinet products affected by the recent disclosure include: FortiOS, FortiWeb, FortiClient EMS, FortiDDoS-F, FortiSOAR, FortiManager, FortiSwitch Manager, FortiProxy, FortiPAM, FortiAnalyzer, FortiNDR, and FortiNAC-F. Earlier in April 2026, two other CVEs, CVE-2026-35616 and CVE-2026-21643, affecting FortiClient EMS were disclosed and quickly tagged as actively exploited.

Critical vulnerabilities in FortiSandbox

Greenbone’s OPENVAS ENTERPRISE FEED includes detection coverage for all new Fortinet vulnerabilities described in this report and more. Our ENTERPRISE FEED also provides a dedicated family of tests for Fortinet vulnerabilities, helping defenders to mitigate actively evolving threats.

Start Your Free Trial

With continuously updated vulnerability detection, risk prioritization intelligence, and scalable operations, OPENVAS SCAN helps organizations strengthen their cybersecurity posture by reducing exposure to known threats across IT environments.

Start evaluating Greenbone’s flagship product, OPENVAS SCAN. Our entry level enterprise appliance, OPENVAS BASIC, is available for free and includes a two week trial of the OPENVAS ENTERPRISE FEED.


Risk Assessment of New Fortinet CVEs

On April 14th and 15th, Fortinet disclosed 27 new vulnerabilities, including two critical flaws, affecting FortiSandbox. Across the set of new CVEs, FortiOS, FortiWeb, FortiClient EMS, FortiDDoS-F, FortiSOAR, FortiManager, FortiSwitch Manager, FortiProxy, FortiPAM, FortiAnalyzer, FortiNDR, and FortiNAC-F are affected.

The two critical FortiSandbox flaws, CVE-2026-39808 (CVSS 9.8) and CVE-2026-39813 (CVSS 9.8), can be exploited without authentication via crafted HTTP requests: CVE-2026-39808 for RCE and CVE-2026-39813 to escalate privileges. Together they have generated several national CERT advisories globally [1][2][3][4][5][6][7][8][9], and a public proof of concept (PoC) exploit for CVE-2026-39808 is available, increasing the risk.

Fortinet also reported active exploitation of CVE-2025-61624 (CVSS 6.0). Because the flaw requires privileged local access to exploit, the reported exploitation implies that attackers already held that access: through stolen credentials, by chaining another vulnerability to gain privileges, or as insiders within the targeted organization.

The most important CVEs from the recently published group are:

  • CVE-2026-39808 (CVSS 9.8) affecting FortiSandbox 4.4.x: Improper neutralization of special elements [CWE-78] allows an unauthenticated attacker to execute unauthorized code or commands via specially crafted HTTP requests. Only FortiSandbox 4.4.0 through 4.4.8 are affected and users should upgrade to 4.4.9 or above. A public proof of concept (PoC) exploit is available, increasing the risk. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39808 [1].
  • CVE-2026-39813 (CVSS 9.8) affecting FortiSandbox 5.0.x and 4.4.x: A path traversal flaw [CWE-24] allows an unauthenticated attacker to escalate privileges via specially crafted HTTP requests. FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 are affected; use Fortinet’s upgrade path tool (see below) to identify the fixed release for your train. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39813 [1].
  • CVE-2025-61624 (CVSS 6.0) affecting FortiOS, FortiPAM, FortiProxy, and FortiSwitch Manager: A path traversal flaw [CWE-22] in the command line interpreter of affected devices allows a privileged attacker to write or delete arbitrary files via specially crafted arguments to existing commands. Fortinet reports the flaw as actively exploited; because exploitation requires existing privileged access, it is most likely being used post-compromise (stolen credentials, a chained exploit, or an insider). The OPENVAS ENTERPRISE FEED includes a local version check for FortiOS [1] and a remote banner version check for FortiProxy [2] for CVE-2025-61624.
  • CVE-2026-39815 (CVSS 8.8) affecting FortiDDoS-F 7.2.1 through 7.2.2: An SQL injection flaw [CWE-89] allows an authenticated remote attacker to run arbitrary SQL queries on the database via specially crafted HTTP requests. Only FortiDDoS-F 7.2.1 through 7.2.2 are affected. Users should upgrade to 7.2.3 or above. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39815 [1].
  • CVE-2026-40688 (CVSS 7.2) affecting FortiWeb 8.0, 7.6, and 7.4: An out-of-bounds write vulnerability [CWE-787] allows an authenticated remote attacker to execute arbitrary code or commands via crafted HTTP requests. FortiWeb 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, and 7.4.0 through 7.4.11 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-40688 [1].
  • CVE-2026-39809 (CVSS 6.7) affecting FortiClient EMS 7.4, 7.2, and 7.0: An SQL injection flaw [CWE-89] allows authenticated remote attackers to execute unauthorized code or commands via specially crafted HTTP requests. Fortinet FortiClient EMS 7.4.0 through 7.4.5, FortiClient EMS 7.2.0 through 7.2.12, and all FortiClient EMS 7.0 versions are affected. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39809 [1].
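
CVE-2025-61624 is described above as a path traversal [CWE-22] in a command line interpreter: a file-name argument to an existing command is not confined to the directory it was meant for. The following Python block is an added, generic illustration of that weakness class and is not Fortinet’s code; the restricted-shell “delete file under a fixed directory” command, the directory layout and the file names are all hypothetical and constructed for the demo. It shows the naive join beside a hardened resolver that rejects separators and parent references, then re-checks the resolved path (symlinks followed) against the base directory.

```python
"""
CWE-22 in a CLI file command, as a generic illustration. This is added
example code, not Fortinet's implementation: the scenario is a hypothetical
restricted-shell command that deletes a file under a fixed directory.
"""
import os
import tempfile


def vulnerable_target(base_dir: str, name: str) -> str:
    # Naive join: "../" segments are honoured, and an absolute `name`
    # makes os.path.join discard base_dir entirely.
    return os.path.join(base_dir, name)


def hardened_target(base_dir: str, name: str) -> str:
    base = os.path.realpath(base_dir)
    # The command only ever needs a bare file name, so reject anything
    # containing a separator or a parent/self reference outright.
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise ValueError(f"illegal file name: {name!r}")
    candidate = os.path.realpath(os.path.join(base, name))
    # Second line of defence: after resolving symlinks, the target must
    # still live inside base_dir (catches a planted symlink to /etc/passwd).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {candidate}")
    return candidate


def is_rejected(base_dir: str, name: str) -> bool:
    """True if the hardened resolver refuses `name`."""
    try:
        hardened_target(base_dir, name)
    except ValueError:
        return True
    return False


def delete_file(base_dir: str, name: str, resolver) -> str:
    target = resolver(base_dir, name)
    os.remove(target)
    return target


def demo() -> dict:
    """Run both handlers against a constructed temp layout:
    <root>/uploads/ is the allowed directory, <root>/outside.txt is bait."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "uploads")
    os.mkdir(base)
    outside = os.path.join(root, "outside.txt")
    open(outside, "w").close()
    result = {}

    # Vulnerable handler: "../outside.txt" walks out of uploads/ and deletes the bait.
    delete_file(base, "../outside.txt", vulnerable_target)
    result["vulnerable_escaped"] = not os.path.exists(outside)

    # Hardened handler: the same argument is rejected and nothing is touched.
    open(outside, "w").close()
    try:
        delete_file(base, "../outside.txt", hardened_target)
        result["hardened_blocked"] = False
    except ValueError:
        result["hardened_blocked"] = os.path.exists(outside)

    # Legitimate use of the hardened handler still works.
    legit = os.path.join(base, "report.txt")
    open(legit, "w").close()
    delete_file(base, "report.txt", hardened_target)
    result["legit_ok"] = not os.path.exists(legit)
    return result


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately redundant: the name filter stops the obvious `../` and absolute-path arguments, while the post-resolution prefix check covers what the filter cannot see, such as a symlink already planted inside the allowed directory.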

Fortinet provides an upgrade path tool that maps an installed version to the recommended upgrade target for each product. A complete list of advisories for Fortinet products can be found on the vendor’s PSIRT advisories page.

Summary

Fortinet’s April 2026 disclosure introduces broad exposure across multiple product lines, with the most urgent risks centered on two critical FortiSandbox flaws that can be exploited without authentication, one of them for RCE with a public PoC. A further vulnerability in FortiOS, FortiPAM, FortiProxy and FortiSwitch Manager (CVE-2025-61624) was reported as actively exploited. Greenbone’s OPENVAS ENTERPRISE FEED covers all newly disclosed Fortinet vulnerabilities mentioned in this report and more, helping defenders identify affected systems and prioritize remediation.

In early April, Cisco announced two critical-severity CVEs along with additional high and medium-severity vulnerabilities. Collectively, the flaws allow authentication bypass, privilege escalation to an Administrator account, unauthenticated remote code execution (RCE) as the root user, information disclosure, and Denial of Service conditions. The two critical flaws are CVE-2026-20160 (CVSS 9.8) affecting Cisco Smart Software Manager On-Prem (SSM On-Prem) and CVE-2026-20093 (CVSS 9.8) affecting Cisco Integrated Management Controller (IMC).

Greenbone’s OPENVAS ENTERPRISE FEED has included vulnerability detection for CVE-2026-20160 and CVE-2026-20093 since their disclosure, helping defenders mitigate these evolving threats. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.


CVE-2026-20160 and CVE-2026-20093 pose significant threats to enterprise IT. SSM On-Prem and IMC are internal management services that are not meant to be publicly exposed, but an adversary who has already gained a covert foothold can use these CVEs to move laterally to high-value assets.

Cisco IMC is especially high risk because it is embedded in physical server and edge platforms that often sit close to core enterprise workloads. If an attacker gains administrative access, they may be able to disrupt services, pivot into adjacent networks, or use the compromised device as a staging point to target sensitive internal systems. If a target network is not strictly segmented between departments or if access controls are not tightly limited according to the principle of least privilege, risk is further increased.

Let’s first examine the two new critical-severity CVEs and then some additional CVEs published in early April 2026.

CVE-2026-20160 (CVSS 9.8) Affecting Cisco Smart Software Manager On-Prem (SSM On-Prem)

An exposed internal service allows unauthenticated remote attackers to execute arbitrary commands on the underlying OS with root privileges. CVE-2026-20160 can be exploited via HTTP requests to the exposed service’s API. The flaw is essentially an improper access control that Cisco has classified as “Exposure of Resource to Wrong Sphere” [CWE-668]. Cisco Smart Software Manager On-Prem (SSM On-Prem) versions 9-202502 to 9-202510 are affected.

Cisco SSM On-Prem is an on-premises software license-management server deployed as a virtual machine. SSM On-Prem exposes a web UI on port 8443 for administration and licensing workflows. SSM On-Prem acts as a local Smart Licensing manager for Cisco products, instead of requiring them to connect directly to Cisco’s cloud-hosted Smart Software Manager.

Multiple national CERT advisories have been issued for CVE-2026-20160 [1][2][3][4][5][6][7][8]. However, active exploitation, full technical details, or a public proof of concept (PoC) exploit are not confirmed. The OPENVAS ENTERPRISE FEED includes a remote banner version check to identify affected instances [9]. Users should update to version 9-202601 or later. See Cisco’s official advisory for more information.

CVE-2026-20093 (CVSS 9.8) Affecting Cisco Integrated Management Controller (IMC)

Improper input validation [CWE-20] can lead to authentication bypass during password change requests to the IMC. An attacker could exploit this vulnerability remotely via HTTP requests to alter the passwords of any user on the system (including an Admin user) and gain access to the system as that user.

Cisco IMC is the embedded Baseboard Management Controller (BMC) built into Cisco UCS rack and storage server platforms. It provides out-of-band management of physical servers operating in Standalone Mode, reachable over the Redfish RESTful API, SNMP, IPMI v2.0, or the Cisco IMC XML API. Multiple Cisco physical server products are affected if they include the Cisco IMC:

  • 5000 Series Enterprise Network Compute Systems (ENCS)
  • Catalyst 8300 Series Edge uCPE
  • UCS C-Series M5 and M6 Rack Servers in standalone mode
  • UCS E-Series Servers M3
  • UCS E-Series Servers M6

Multiple national CERT advisories have been issued for CVE-2026-20093 [1][2][3][4][5][6][7]. However, active exploitation, full technical details, or a public proof of concept (PoC) exploit are not confirmed. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check [9] and a remote banner version check [10] for devices affected by CVE-2026-20093. See Cisco’s official advisory for more information including a list of fixed releases for affected products.

Other Recent High-Severity Flaws in Cisco Products

Cisco also disclosed several high and medium-severity vulnerabilities that expand the risk posed to enterprise customers. While all of the CVEs below require valid account access to exploit, credential theft is a common tactic used in many sophisticated cyber attacks. If unpatched, these flaws could still result in command execution, privilege escalation, denial of service, or sensitive information exposure.

  • CVE-2026-20094 (CVSS 8.8): A command injection flaw due to improper validation of user-supplied input [CWE-77] allows an authenticated, remote attacker with read-only privileges to execute arbitrary commands on the underlying OS with root privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
  • CVE-2026-20155 (CVSS 8.0): Improper authorization checks [CWE-862] on an API endpoint allow an authenticated, remote attacker with low privileges to access sensitive information without authorization. The flaw affects the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) devices prior to version 8.1.2 for all configurations. More information is available in Cisco’s official advisory.
  • CVE-2026-20151 (CVSS 7.3): Due to the improper transmission of sensitive user information [CWE-201], an attacker can retrieve session credentials from status messages to elevate privileges from a low-level account to admin. SSM On-Prem version 9-202510 and earlier in all configurations are affected. More information is available in Cisco’s official advisory.
  • CVE-2026-20095 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote user can execute arbitrary code or commands [CWE-77] on the underlying OS of an affected system and elevate privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and earlier are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
  • CVE-2026-20096 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote admin user can execute arbitrary commands [CWE-77] on the underlying OS with root privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
  • CVE-2026-20097 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote admin user can execute arbitrary commands [CWE-77] on the underlying OS with root privileges. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases are available in Cisco’s official advisory.
  • CVE-2026-20110 (CVSS 6.5): A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition. This vulnerability exists because incorrect privileges are associated with the start maintenance command. All versions of Cisco IOS XE Software are affected if the start maintenance command is supported. See Cisco’s official advisory for more information.

Cisco has assigned a Security Impact Rating (SIR) of High to CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097, above their CVSS severity of Medium, because additional security implications apply once an attacker holds root-level access on a management controller. The OPENVAS ENTERPRISE FEED includes detection tests for all aforementioned CVEs [1][2][3][4][5].
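
Both the Fortinet list earlier in this report and the Cisco SSM On-Prem entries above (CVE-2026-20160, CVE-2026-20151) express exposure as inclusive version ranges, which is exactly what the banner version checks in a vulnerability feed compare against. The Python block below is an added example, not Greenbone’s feed logic or any vendor code: it encodes only the ranges this report states and answers “which of these CVEs apply to this product at this version?”. The version formats assumed are dotted numerics for Fortinet (optionally with a leading “v” and trailing build string) and Cisco’s “<major>-<YYYYMM>” form for SSM On-Prem; the sample banners at the bottom are constructed, not real scan output. CVE-2025-61624 is deliberately left out because the report gives no version ranges for it.

```python
"""
Affected-version triage for the CVEs in this report. Added example, not
Greenbone's feed logic: it encodes the version ranges the report states and
answers "which of these CVEs apply to this product/version banner?".

Assumptions: Fortinet versions are dotted numerics, optionally prefixed
with "v" and followed by build info ("v4.4.8,build2680"); Cisco SSM On-Prem
uses "<major>-<YYYYMM>" ("9-202510"). Components are compared numerically,
left to right. Ranges are inclusive; a missing low bound means "and
earlier", a missing high bound means "every release in low's train".
"""
import re
from typing import Optional

# (CVE, product, lowest affected, highest affected) -- taken from the report.
# CVE-2025-61624 is omitted: the report gives no version ranges for it.
ADVISORIES = [
    ("CVE-2026-39808", "FortiSandbox", "4.4.0", "4.4.8"),
    ("CVE-2026-39813", "FortiSandbox", "4.4.0", "4.4.8"),
    ("CVE-2026-39813", "FortiSandbox", "5.0.0", "5.0.5"),
    ("CVE-2026-39815", "FortiDDoS-F", "7.2.1", "7.2.2"),
    ("CVE-2026-40688", "FortiWeb", "8.0.0", "8.0.3"),
    ("CVE-2026-40688", "FortiWeb", "7.6.0", "7.6.6"),
    ("CVE-2026-40688", "FortiWeb", "7.4.0", "7.4.11"),
    ("CVE-2026-39809", "FortiClient EMS", "7.4.0", "7.4.5"),
    ("CVE-2026-39809", "FortiClient EMS", "7.2.0", "7.2.12"),
    ("CVE-2026-39809", "FortiClient EMS", "7.0", None),            # all 7.0 versions
    ("CVE-2026-20160", "Cisco SSM On-Prem", "9-202502", "9-202510"),
    ("CVE-2026-20151", "Cisco SSM On-Prem", None, "9-202510"),     # "and earlier"
]

_VERSION_RE = re.compile(r"v?(\d+(?:[.\-]\d+)*)")


def parse_version(text: str) -> tuple:
    """'v4.4.8,build2680' -> (4, 4, 8); '9-202510' -> (9, 202510)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in re.split(r"[.\-]", m.group(1)))


def in_range(version: str, low: Optional[str], high: Optional[str]) -> bool:
    # Tuple comparison is numeric per component, so 4.4.10 > 4.4.8 even
    # though a plain string compare would say otherwise.
    ver = parse_version(version)
    if low is not None and ver < parse_version(low):
        return False
    if high is None:
        # Open-ended train, e.g. "all 7.0 versions": the leading components
        # must equal the train identifier.
        train = parse_version(low)
        return ver[:len(train)] == train
    return ver <= parse_version(high)


def affected(product: str, version: str) -> list:
    """CVE IDs from ADVISORIES that cover this product at this version."""
    hits = []
    for cve, prod, low, high in ADVISORIES:
        if prod.lower() == product.lower() and in_range(version, low, high):
            if cve not in hits:
                hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed banners, not real scan output.
    for prod, ver in [("FortiSandbox", "v4.4.8,build2680"),
                      ("FortiSandbox", "4.4.9"),
                      ("FortiClient EMS", "7.0.13"),
                      ("Cisco SSM On-Prem", "9-202510")]:
        print(f"{prod} {ver}: {affected(prod, ver) or 'not affected'}")
```

A banner check of this kind only tells you that a version falls inside a stated range; it cannot confirm exploitability or that a hotfix outside the numbered release train has been applied, which is why the feed pairs it with active checks where one exists (as noted for CVE-2026-20093 above).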

Summary

Cisco’s early April 2026 security disclosures indicate elevated risk across several products. This includes the vendor’s SSM On-Prem license management server and Cisco Integrated Management Controller (IMC), which impacts a wide array of physical hardware products, including Cisco UCS rack and storage server platforms. The most severe new flaws enable authentication bypass and unauthenticated RCE as the root user.

Although public exploitation has not been confirmed, the affected systems are high-value internal assets that represent attractive targets for advanced persistent threat (APT) actors. Organizations should verify exposure to these and other software vulnerabilities and prioritize patching. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.