CISA Adds Windows Desktop Window Manager Information Disclosure (CVE-2026-20805) to KEV After Active Exploitation
CISA added Microsoft Windows Desktop Window Manager (DWM) vulnerability CVE-2026-20805 to the Known Exploited Vulnerabilities (KEV) Catalog after confirming it is being exploited in the wild, triggering mandatory remediation requirements for U.S. federal civilian agencies under BOD 22-01. Agencies were directed to apply patches by February 3. The flaw is described as an information disclosure issue in DWM that leaks small pieces of memory data (including a user-mode memory address associated with a remote ALPC port), and exploitation requires local access to the targeted system.
Although the bug does not directly provide code execution, reporting notes it can materially weaken system defenses by enabling attackers to undermine Address Space Layout Randomization (ASLR) and improve the reliability of follow-on exploitation when chained with a separate execution vulnerability. Microsoft released the fix as part of the first Patch Tuesday of 2026 (roughly 112–114 CVEs depending on whether Chromium-related fixes are included), but did not disclose details about the in-the-wild exploitation or any additional components involved in observed exploit chains, limiting defenders’ ability to proactively hunt for related activity.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Federal agencies ordered to remediate CVE-2026-20805 by February 3
Under Binding Operational Directive 22-01, CISA required U.S. federal civilian executive branch agencies to patch or mitigate CVE-2026-20805 by the listed due date. The remediation deadline set by CISA was February 3, 2026.
CISA adds CVE-2026-20805 to the KEV catalog
CISA added CVE-2026-20805 to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The agency did not provide public details about the observed attacks or the full exploit chain.
Microsoft discloses CVE-2026-20805 in January 2026 Patch Tuesday
Microsoft disclosed CVE-2026-20805, an information disclosure vulnerability in the Windows Desktop Window Manager, as part of its first Patch Tuesday release of 2026. Researchers said the bug could leak memory information useful for bypassing mitigations and supporting a larger exploit chain.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Federal agencies ordered to patch Microsoft Desktop Windows Manager bug | The Record from Recorded Future News
therecord.media
Open sourceU.S. CISA adds a flaw in Microsoft Windows to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Actively Exploited Microsoft Zero-Days to KEV Catalog
CISA added **six Microsoft zero-day vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** after evidence of **active exploitation in the wild**, triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch agencies under **BOD 22-01** and prompting broader patch prioritization across enterprises. The vulnerabilities span multiple Microsoft components, including **MSHTML** and **Microsoft Word**, and are positioned as high-risk initial access and post-exploitation enablers commonly leveraged in phishing-driven intrusion chains and follow-on activity such as lateral movement and ransomware operations. Microsoft’s Security Update Guide entries provide technical details for several of the KEV-listed issues, including **CVE-2026-21513** (*MSHTML Framework Security Feature Bypass*, CVSS 8.8, `AV:N/AC:L/PR:N/UI:R`) and **CVE-2026-21514** (*Microsoft Word Security Feature Bypass*, CVSS 7.8, `AV:L/AC:L/PR:N/UI:R`), both consistent with document/web-content delivery scenarios. Separately, Microsoft also patched **CVE-2026-21525** (*Windows Remote Access Connection Manager / RasMan Denial of Service*, CVSS 6.2, `AV:L/AC:L/PR:N/UI:N`), described as a **NULL pointer dereference** that can be triggered by a local, unauthenticated attacker to crash RasMan and disrupt remote connectivity; reporting indicates exploitation was detected prior to disclosure and fixes were shipped via Patch Tuesday updates for multiple Windows and Windows Server versions.
Mar 21, 2026
CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.
Mar 21, 2026
CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding six new vulnerabilities that are currently being exploited in the wild. This update includes five vulnerabilities announced on October 14, 2025, and one additional vulnerability added on October 15, 2025. The vulnerabilities affect a range of widely used products, including Microsoft Windows, Rapid7 Velociraptor, SKYSEA Client View, IGEL OS, and Adobe Experience Manager. Among the most critical is CVE-2025-24990, an elevation of privilege flaw in the Agere Modem driver bundled with all Windows releases, which allows local attackers to gain SYSTEM-level access through untrusted pointer dereference. Microsoft addressed this issue by removing the vulnerable driver in the October 2025 Patch Tuesday update, though this may impact dependent hardware. Another significant vulnerability is CVE-2025-54253, a code execution flaw in Adobe Experience Manager Forms, which has been confirmed as actively exploited and poses a substantial risk to federal and enterprise environments. The Rapid7 Velociraptor vulnerability (CVE-2025-6264) involves incorrect default permissions, potentially allowing unauthorized access or privilege escalation. SKYSEA Client View is affected by an improper authentication vulnerability (CVE-2016-7836), while IGEL OS faces a risk from the use of expired cryptographic keys (CVE-2025-47827). Additionally, Microsoft Windows is impacted by an improper access control vulnerability (CVE-2025-59230). CISA’s KEV Catalog serves as a critical resource for tracking vulnerabilities that are confirmed to be exploited in real-world attacks, and federal agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by specified deadlines. CISA strongly encourages all organizations, not just federal agencies, to prioritize patching these vulnerabilities to reduce exposure to active cyber threats. The addition of these vulnerabilities underscores the ongoing risk posed by unpatched systems and the importance of timely remediation. CISA’s public alerts emphasize that these vulnerabilities are not theoretical and are being leveraged by malicious actors in current attack campaigns. The agency’s updates are based on evidence of active exploitation, highlighting the need for immediate action by security teams. Organizations are advised to consult the KEV Catalog regularly and integrate its findings into their vulnerability management processes. The removal of the Agere Modem driver by Microsoft demonstrates a decisive response to mitigate risk, though it may have operational impacts for some users. The inclusion of vulnerabilities across diverse platforms indicates that attackers are targeting a broad range of technologies. CISA’s ongoing updates to the KEV Catalog reflect its commitment to providing actionable intelligence to protect both federal and private sector networks. The agency’s guidance is clear: prompt remediation of known exploited vulnerabilities is essential to defend against active threats.
Mar 21, 2026