The three CVEs cover path traversal allowing unauthorized file read and manipulation (34908, 34909) and command injection via improper input validation (34910). All are actively exploited, which is what earned them the KEV listing. Federal civilian agencies are past their window — patch verification should be happening now, not starting.