Multiple Ransomware Groups Exploit Four Legacy Microsoft Vulnerabilities


Key Takeaways

  • CISA added four actively exploited Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies until April 27 to apply patches.
  • The flaws span from a recently disclosed 2025 Windows link‑following bug to a VBA library‑loading issue first patched in 2012, showing that old weaknesses remain useful to attackers.
  • At least one of the Microsoft bugs (CVE‑2023‑21529) is being used by the financially motivated group Storm‑1175 to deploy Medusa ransomware after gaining initial access via Exchange Server.
  • CISA also flagged two Adobe vulnerabilities (CVE‑2020‑9715 and CVE‑2026‑34621) as exploited, underscoring a broad patching priority across major software vendors.
  • Although ransomware linkage is listed as “unknown” for three of the Microsoft CVEs, the agency warns that all pose significant risk to federal networks and should be remediated promptly.

Overview of CISA’s KEV Update
On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) placed four Microsoft security flaws into its Known Exploited Vulnerabilities (KEV) catalog, the list that tracks weaknesses confirmed to be abused in the wild. Under Binding Operational Directive 22-01, every addition to the catalog obliges federal civilian agencies to apply the corresponding fix by a set due date; for these four entries that window is two weeks, with a hard deadline of April 27. The agency emphasized that these vulnerabilities are frequent attack vectors for malicious cyber actors and present substantial risks to the federal enterprise. The move is part of CISA's ongoing effort to shrink the attack surface of government networks by compelling timely remediation of threats that are already being exploited rather than merely theoretical.

CVE‑2025‑60710: Recent Windows Link‑Following Flaw
The first vulnerability, CVE‑2025‑60710, is a link‑following flaw in the Windows operating system that enables local privilege escalation. Microsoft first addressed the bug in November 2025 and shipped a complete fix the following month, in December 2025. Although the patch is relatively fresh, CISA's inclusion indicates that threat actors have already begun exploiting it in the wild, most likely to elevate privileges on already‑compromised workstations or servers before moving laterally. The short gap between disclosure and exploitation underscores the importance of rapid patch deployment, especially for operating‑system components that ship with every supported Windows build.

CVE‑2023‑36424: Common Log File System Driver Issue
CVE‑2023-36424 resides in the Windows Common Log File System (CLFS) driver and likewise permits privilege escalation. Microsoft addressed this flaw in its November 2023 Patch Tuesday release. Despite being more than two years old, the vulnerability remains valuable to attackers seeking to move from a low‑privileged foothold to SYSTEM, since the CLFS kernel driver is present on effectively every Windows installation. Its continued exploitation suggests that some organizations have lagged in applying the 2023 updates, leaving a window for privilege‑escalation attacks that can facilitate credential theft or further malware installation.

CVE‑2023‑21529: Exchange Server Deserialization and Ransomware Tie
The third flaw, CVE‑2023-21529, is a deserialization of untrusted data vulnerability in Microsoft Exchange Server that allows an authenticated attacker to achieve remote code execution (RCE). Microsoft disclosed and patched the issue in February 2023. Notably, last week Microsoft’s threat‑intelligence team warned that the financially motivated cybercrime group Storm‑1175 is actively exploiting this Exchange bug—alongside fifteen other vulnerabilities—to infiltrate organizations, exfiltrate data, and ultimately deploy Medusa ransomware in extortion campaigns. The direct link to ransomware makes this CVE a high‑priority target for patching, as compromise can quickly evolve from data theft to disruptive encryption attacks.

CVE‑2012‑1854: Decade‑Old VBA Library‑Loading Weakness
The oldest vulnerability in the batch, CVE-2012-1854, is an insecure library loading flaw in Microsoft Visual Basic for Applications (VBA), the class of bug in which opening a legitimate file from an attacker‑controlled directory causes a malicious DLL placed beside it to be loaded. Microsoft issued a security update in July 2012 and a follow‑up patch in November 2012 that fully resolved the issue, noting at the time that it was aware of "limited, targeted attempts" to exploit the flaw. Despite being nearly fourteen years old, the vulnerability continues to appear in active attacks, illustrating how legacy code components remain attractive to adversaries when organizations fail to maintain comprehensive patch cycles across all software layers, including older office automation tools.

Federal Patching Deadline and CISA’s Warning
CISA's announcement set an April 27 deadline for all federal civilian agencies to apply patches for the four Microsoft KEV entries, reflecting the urgency conveyed in the agency's warning: "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." The directive compels agencies to prioritize these fixes within their routine vulnerability‑management workflows, using tools such as Windows Update, Microsoft Endpoint Configuration Manager, or third‑party patch‑management platforms. Compliance is tracked through reporting under CISA's Continuous Diagnostics and Mitigation (CDM) program, and agencies that miss the deadline may face heightened scrutiny or additional remedial actions.
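The practical step behind the deadline is matching the KEV feed against what a scanner reports as unpatched and ordering the result by due date and ransomware linkage. The script below is an added example, not part of the article or of any CISA tooling. It parses a constructed snapshot that follows the field layout of CISA's KEV JSON feed (cveID, product, dateAdded, dueDate, knownRansomwareCampaignUse) and a constructed scanner result set; the entries mirror the four Microsoft CVEs, dates and ransomware flags described above but are not a copy of CISA's records, and the host names and the CVE-0000-* placeholder IDs are invented. In production the snapshot would be replaced by a download of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
import json
from datetime import date

# Constructed snapshot in the shape of CISA's KEV JSON feed. Field names match the real feed;
# the four entries are built from the CVEs, dates and ransomware flags described in the
# article and are NOT a copy of CISA's records.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "dateReleased": "2026-04-13",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft",
         "product": "Visual Basic for Applications",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: host -> CVE IDs reported as unpatched. Host names are invented;
# CVE-0000-* are placeholder IDs standing in for findings that are not in the KEV catalog.
SCAN_RESULTS = {
    "exch01": ["CVE-2023-21529", "CVE-2023-36424", "CVE-0000-0001"],
    "ws-042": ["CVE-2025-60710", "CVE-2012-1854"],
    "ws-043": ["CVE-0000-0002"],
}


def load_kev(feed_text):
    """Parse a KEV feed document into a dict keyed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def triage(kev, scan_results, today_iso):
    """Return the KEV-listed findings per host, highest priority first.

    Findings not in KEV are dropped here: they still need patching on the normal
    SLA, but they are not under the BOD 22-01 due date.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in scan_results.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            findings.append({
                "host": host,
                "cve": cve,
                "product": entry["product"],
                "due": due.isoformat(),
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Ransomware-linked entries first, then the soonest deadline, then the oldest CVE
    # (legacy bugs tend to live in components nobody remembers to patch).
    findings.sort(key=lambda f: (not f["ransomware"], f["days_left"], f["cve"]))
    return findings


def report(findings):
    """Render one line per finding with the deadline status in brackets."""
    lines = []
    for f in findings:
        if f["ransomware"]:
            tag = "RANSOMWARE"
        elif f["overdue"]:
            tag = "OVERDUE"
        else:
            tag = str(f["days_left"]) + "d left"
        lines.append("%-8s %-15s %-30s due %s [%s]"
                     % (f["host"], f["cve"], f["product"], f["due"], tag))
    return "\n".join(lines)


if __name__ == "__main__":
    catalog = load_kev(KEV_SNAPSHOT)
    print(report(triage(catalog, SCAN_RESULTS, "2026-04-20")))
```

Run against a real feed, the only change needed is to load the downloaded JSON instead of KEV_SNAPSHOT and feed in the scanner's actual CVE list; the sort order puts the Exchange bug tied to Medusa at the top of every host that has it, which is the ordering the article's priorities imply.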

Adobe Vulnerabilities Added alongside Microsoft Flaws
In the same KEV update, CISA also added two Adobe vulnerabilities: CVE-2020-9715, a use‑after‑free flaw in Adobe Acrobat that permits arbitrary code execution, and CVE-2026-34621, a prototype pollution bug affecting both Adobe Acrobat and Reader. The latter had been exploited as a zero‑day for several months before Adobe released a patch over the weekend. By grouping these Adobe issues with the Microsoft KEV entries, CISA highlights a broader patching imperative across major productivity and document‑handling platforms, reminding federal agencies that threats often traverse multiple software ecosystems.

Conclusion and Ongoing Vigilance
The addition of these six vulnerabilities to the KEV catalog is a reminder that attackers exploit both freshly disclosed and long‑standing weaknesses. Microsoft has supplied patches for all four CVEs, some of them years ago, so the persistence of attacks, particularly Storm‑1175's use of CVE‑2023-21529 to stage Medusa ransomware, shows that the gap is in deployment rather than availability. Federal agencies must now accelerate their patching cycles, verify completion before the April 27 deadline, and keep monitoring for signs of exploitation on systems that were exposed before the fix landed. CISA's request for further details from Microsoft signals an ongoing effort to understand the full scope of these intrusions and to refine guidance for defenders in both government and the private sector. The overarching lesson is clear: proactive vulnerability management, grounded in timely patching and robust threat intelligence, is essential to defend against ransomware and privilege‑escalation campaigns.
