CMS Hybrid Cloud Launches the Q2 2026 CMS Enterprise Security Campaign

Summary

Starting May 21st, 2026, the CMS Hybrid Cloud Team will begin the Q2 2026 CMS Enterprise Security Campaign.

Any findings will be tracked via Jira tickets and assigned to the respective teams for remediation. The Q2 CMS Enterprise Security Campaign is targeting 11 Critical Common Vulnerabilities and Exposures (CVEs) that pose a high risk to CMS systems. All these findings have an Exploit Prediction Scoring System (EPSS) value greater than 70%.

Benefits

Resolving findings in customers' Jira tickets ensures CMS systems remain secure. Participating in proactive, routine security activities, such as this CMS Enterprise Security Campaign, reduces the risk of unauthorized and/or malicious activity.

The CMS Enterprise Security Campaign will target and identify the following vulnerabilities and CVEs:

Targeted Vulnerabilities and Common Vulnerabilities and Exposures (CVEs)

184452	Cisco IOS XE Unauthenticated Remote Command Execution (CVE-2023-20198) (Direct Check)	Critical
298510	BeyondTrust Remote Support (RS) < 25.3.2 Pre-Authentication RCE (BT26-02)	Critical
41028	SNMP Agent Default Community Name (public)	High
195111	RHEL 8 : glibc (RHSA-2024:2722)	High
237362	RHEL 8 : compat-openssl10 (RHSA-2025:7895)	High
62694	Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key	Medium
65821	SSL RC4 Cipher Suites Supported (Bar Mitzvah)	Medium
91572	OpenSSL AES-NI Padding Oracle MitM Information Disclosure	Medium
132101	Windows Speculative Execution Configuration Check	Medium
83875	SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)	Low

Note: Operating System (OS)-level findings are remediated by the CMS Hybrid Cloud Team for customers who receive regular CMS Gold Image patching services. Please note that CMS customers are responsible for patching any software installed on top of the provided CMS Gold Image.

Targeted Security Hub Controls

EC2.9	Amazon EC2 instances should not have a public IPv4 address	High
ECS.2	ECS services should not have public IP addresses assigned to them automatically	High

Expected Actions

CMS customers with findings will receive a Jira ticket.
- If you would like to obtain an exemption, you will need to complete an attestation.
CMS customers should resolve all received Jira tickets as soon as possible.
- For help, please refer to the "Questions or Concerns" section below for instructions on how to submit a Hybrid Cloud Support ticket.
Failure to resolve findings can lead to compromised systems that result in greater risks for unauthorized and/or malicious activity.
Unresolved system flaws will result in Plan of Action and Milestones (POA&Ms) being issued against the Federal Information Security Modernization Act (FISMA) boundary.

Timeline

May 21, 2026: CMS customers with findings will receive Jira tickets for the findings noted in the "Benefits" section above.

Additional Information

Questions or Concerns

We look forward to helping you and your team. Reach out to your IUSG Hosting Coordinator with any questions. For further help, please fill out a Hybrid Cloud Support ticket specifying Service as "Security Hub" and Request as "Security Hub Findings".

You are subscribed to receive email messages about CMS Cloud Operations, Changes, and Outages from the Centers for Medicare & Medicaid Services (CMS).

To update your subscription(s), preferences or to stop receiving messages from the CMS Cloud Operations, Changes, and Outages Updates- distribution list, please go to our Subscriber Preferences Page.

This email was sent to NPxrji73qy@niepodam.pl using GovDelivery Communications Cloud 7500 Security Boulevard · Baltimore MD 21244