The agency added the flaw to the KEV list days after hosting providers confirmed active, ongoing attacks.