The Cybersecurity and Infrastructure Security Agency (CISA) has reported that four Microsoft vulnerabilities are currently being exploited by cybercriminals, including one that has been known for nearly 14 years. This announcement comes with a directive for federal agencies to apply patches within two weeks.
Identified Vulnerabilities
The vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog include:
- CVE-2025-60710: A link-following vulnerability in Windows that allows for privilege escalation. This issue was initially disclosed in November 2025 and was fully patched in December 2025.
- CVE-2023-36424: A flaw in the Windows Common Log File System Driver that also allows privilege escalation, patched in November 2023.
- CVE-2023-21529: A deserialization of untrusted data issue in Microsoft Exchange Server, enabling authenticated attackers to achieve remote code execution (RCE). This vulnerability was disclosed and patched in February 2023.
- CVE-2012-1854: An insecure library loading vulnerability in Microsoft Visual Basic for Applications that permits RCE. Microsoft issued a security fix in July 2012, followed by a complete patch in November 2012.
Current Exploitation and Threat Landscape
According to Microsoft, the financially motivated group known as Storm-1175 is exploiting the Exchange Server vulnerability (CVE-2023-21529) along with 15 other vulnerabilities to gain initial access to organizations. The group reportedly steals data and deploys Medusa ransomware as part of its extortion tactics.
CISA lists ransomware use as “unknown” for all four vulnerabilities, although Microsoft has confirmed that at least one of them has been used in such attacks.
Urgent Patch Deadline
CISA has emphasized that these vulnerabilities represent frequent attack vectors for malicious actors and pose significant risks to federal enterprises. Agencies have been given a deadline of April 27 to apply the necessary patches to mitigate these risks.
Additional Vulnerabilities Listed
In addition to the Microsoft vulnerabilities, CISA also added two Adobe vulnerabilities to the KEV catalog. These include a use-after-free vulnerability in Acrobat, tracked as CVE-2020-9715, and a prototype pollution flaw affecting both Adobe Acrobat and Reader, tracked as CVE-2026-34621. The latter had been exploited as a zero-day for several months before Adobe released a patch over the weekend.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








