CISA's KEV expansion for GitLab and Dell marks a new edge-risk baseline

CISA's February 18 KEV additions for GitLab SSRF and Dell RecoverPoint show how edge and management systems are driving urgent patch prioritization.

From The Bit Baker Daily Briefing - February 22, 2026

CISA's February 18, 2026 KEV update added two vulnerabilities that should immediately change patch sequencing in many security programs: CVE-2021-22175 in GitLab and CVE-2026-22769 in Dell RecoverPoint for Virtual Machines.

On paper, this is routine policy activity. In practice, it signals a specific threat pattern: attackers continue to prioritize systems that sit near orchestration, backup, and management planes. These systems are operational force multipliers. When compromised, they can accelerate lateral movement and persistence in ways that commodity endpoint attacks cannot.

Why this KEV event is different from a generic patch notice

Every KEV entry means there is evidence of active exploitation, but not all entries carry the same defensive implications. GitLab and Dell RecoverPoint are important because they are often connected to sensitive workflows:

  • source code and CI/CD operations
  • backup and recovery paths
  • privileged or semi-privileged infrastructure management

That combination creates asymmetric attacker value. Compromising one edge or management system can expose data, code pipelines, and control paths simultaneously.

For defenders, KEV updates in these categories should trigger incident-level urgency, not normal maintenance cadence.

CVE-2021-22175: why an older GitLab issue still matters

CVE-2021-22175 is a server-side request forgery (SSRF) vulnerability in GitLab that is exposed when internal webhook requests are enabled. The key lesson is not just technical. It is operational: older CVEs can remain exploitable in large environments where long-tail assets and inherited configurations persist.

This is exactly why attackers revisit "known" vulnerabilities. They count on drift, exceptions, and partial patch coverage across business units.

If your patch process heavily weights newest disclosures and deprioritizes older issues, this KEV addition is a direct warning that your risk model may be inverted.

CVE-2026-22769: hard-coded credentials in Dell RecoverPoint

CVE-2026-22769 is especially concerning because it affects recovery infrastructure. Backup and disaster recovery systems are strategically important in ransomware and post-exploitation playbooks. A vulnerability in this layer can undermine both resilience and response confidence.

CISA's KEV inclusion puts policy pressure on federal agencies, but private-sector defenders should treat the signal the same way. If attackers can access recovery infrastructure, they can disrupt restoration operations and expand blast radius during incidents.

What this means for vulnerability management teams

The practical implication is clear: KEV-driven triage needs tighter automation and stronger ownership.

At minimum, teams should do the following within the same business day as KEV updates:

  1. Map newly added CVEs to internal asset inventory.
  2. Validate exposure of internet-facing and privileged pathways.
  3. Prioritize patch or mitigation by business impact, not just CVSS.
  4. Launch targeted detection queries for known exploitation behaviors.
  5. Track remediation completion with executive-visible reporting.

Programs that rely on weekly governance cycles for KEV response are already behind.
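
As an added illustration (not code from the original briefing), steps 1 through 3 can be sketched as a same-day triage pass: take KEV entries not seen in the previous run, map them to inventory, and rank by exposure and business tier. The feed excerpt, hostnames, tiers, owners, and the exact-product-name matching are all constructed assumptions.

```python
import json

# Constructed KEV excerpt using the catalog's JSON field names; not a real download.
# CVE-0000-00001 is a placeholder for an entry already handled in a prior run.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2021-22175", "vendorProject": "GitLab", "product": "GitLab", "dateAdded": "2026-02-18"},
  {"cveID": "CVE-2026-22769", "vendorProject": "Dell", "product": "RecoverPoint for Virtual Machines", "dateAdded": "2026-02-18"},
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleProduct", "dateAdded": "2026-01-05"}
]}"""

# Hypothetical inventory rows; tier 1 = highest business impact.
INVENTORY = [
    {"host": "git-prod-01", "product": "gitlab", "internet_facing": True, "tier": 1, "owner": "devex"},
    {"host": "git-legacy-07", "product": "gitlab", "internet_facing": False, "tier": 3, "owner": None},
    {"host": "wiki-01", "product": "examplewiki", "internet_facing": True, "tier": 2, "owner": "it"},
]

def triage(kev, seen_ids, inventory):
    """Map KEV entries not seen before to assets, ranked by exposure then tier."""
    rows = []
    for vuln in kev["vulnerabilities"]:
        if vuln["cveID"] in seen_ids:
            continue  # already triaged in an earlier run
        product = vuln["product"].strip().lower()
        hits = [a for a in inventory if a["product"] == product]
        if not hits:
            # No match may mean "not deployed" or "inventory gap": force a manual check.
            rows.append({"cve": vuln["cveID"], "host": None, "internet_facing": False,
                         "tier": 99, "owner": "UNOWNED", "action": "verify-inventory"})
        for asset in hits:
            rows.append({"cve": vuln["cveID"], "host": asset["host"],
                         "internet_facing": asset["internet_facing"], "tier": asset["tier"],
                         "owner": asset["owner"] or "UNOWNED", "action": "patch-or-mitigate"})
    # Internet-facing first, then business tier; CVSS is deliberately not the sort key.
    return sorted(rows, key=lambda r: (not r["internet_facing"], r["tier"], r["cve"]))

def run_example():
    """Run the triage over the constructed feed and inventory above."""
    return triage(json.loads(KEV_JSON), {"CVE-0000-00001"}, INVENTORY)

if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The RecoverPoint entry has no inventory match here, so it surfaces as a verification task instead of being silently dropped, and the legacy GitLab host with no owner is flagged as UNOWNED.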

What to watch next

  • Further KEV additions targeting edge and management systems
  • Evidence of exploitation chaining across backup, code, and identity layers
  • Increased attacker reuse of older CVEs in complex environments
  • Regulatory and insurer pressure tied to KEV response timelines

Bottom line

CISA's GitLab and Dell KEV additions reinforce a blunt operational truth: attackers continue to win with known vulnerabilities in high-leverage infrastructure.

Security teams that treat KEV updates as compliance paperwork will stay reactive. Teams that treat KEV as a dynamic threat-priority feed can materially reduce exposure windows.

The difference is not tooling. It is response tempo and ownership clarity.


This deep dive is a companion to "CISA widens KEV as edge-system risk keeps climbing."

References

  1. CISA Adds Two Known Exploited Vulnerabilities to Catalog (2026-02-18)