Mallory

CISA Adds Actively Exploited Microsoft Zero-Days to KEV Catalog

Tags: zero-day, cisa, active exploitation, security feature bypass, microsoft, ransomware, vulnerability, patch tuesday, kev, windows server, denial of service, remote access connection manager
Updated February 11, 2026 at 09:00 PM · 8 sources

CISA added six Microsoft zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation in the wild, triggering mandatory remediation timelines for U.S. Federal Civilian Executive Branch agencies under BOD 22-01 and prompting broader patch prioritization across enterprises. The vulnerabilities span multiple Microsoft components, including MSHTML and Microsoft Word, and are positioned as high-risk initial access and post-exploitation enablers commonly leveraged in phishing-driven intrusion chains and follow-on activity such as lateral movement and ransomware operations.

Microsoft’s Security Update Guide entries provide technical details for several of the KEV-listed issues, including CVE-2026-21513 (MSHTML Framework Security Feature Bypass, CVSS 8.8, AV:N/AC:L/PR:N/UI:R) and CVE-2026-21514 (Microsoft Word Security Feature Bypass, CVSS 7.8, AV:L/AC:L/PR:N/UI:R), both consistent with document/web-content delivery scenarios. Separately, Microsoft also patched CVE-2026-21525 (Windows Remote Access Connection Manager / RasMan Denial of Service, CVSS 6.2, AV:L/AC:L/PR:N/UI:N), described as a NULL pointer dereference that can be triggered by a local, unauthenticated attacker to crash RasMan and disrupt remote connectivity; reporting indicates exploitation was detected prior to disclosure and fixes were shipped via Patch Tuesday updates for multiple Windows and Windows Server versions.
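The prioritization the page describes (a KEV listing imposes a due date under BOD 22-01, and the CVSS vector says whether the bug is reachable by an unauthenticated remote party) can be turned into a repeatable triage step. The following script is an added example, not code from the page, from Mallory or from CISA: it parses the abbreviated CVSS 3.x vectors quoted above and ranks constructed KEV-style entries by days remaining. Field names follow CISA's KEV JSON feed; the two due dates (2026-03-03 and February 3, 2026) and the vectors are taken from the page, while the due date for CVE-2026-21514 is not given on the page and is deliberately left unknown so the script shows how a missing date is handled.

```python
"""Rank KEV-style entries by remediation urgency (added example, not CISA tooling)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reference "today" taken from the page's "Updated February 11, 2026" line.
AS_OF = date(2026, 2, 11)

# Constructed sample entries mirroring KEV JSON field names
# (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse).
# Vectors are the abbreviated ones quoted on the page; the dueDate for
# CVE-2026-21514 is not on the page and is left as None on purpose.
SAMPLE_KEV = [
    {"cveID": "CVE-2026-21513", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown",
     "vector": "AV:N/AC:L/PR:N/UI:R"},
    {"cveID": "CVE-2026-21514", "vendorProject": "Microsoft", "product": "Office",
     "dueDate": None, "knownRansomwareCampaignUse": "Unknown",
     "vector": "AV:L/AC:L/PR:N/UI:R"},
    {"cveID": "CVE-2026-20805", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2026-02-03", "knownRansomwareCampaignUse": "Unknown",
     "vector": "AV:L"},  # the page only states that local access is required
]


def parse_vector(vector: str) -> dict:
    """Split a CVSS 3.x vector (full or abbreviated) into a metric -> value map.

    An optional "CVSS:3.x" prefix is skipped; any metric that is not of the
    form KEY:VALUE is rejected so that a mangled feed value cannot silently
    downgrade a finding.
    """
    metrics = {}
    for part in vector.split("/"):
        if part.startswith("CVSS:"):
            continue  # version prefix, not a metric
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


@dataclass
class Triage:
    cve: str
    days_left: Optional[int]   # None when the catalog gives no due date
    remote_unauth: bool        # AV:N and PR:N: reachable without credentials
    priority: str              # "immediate", "urgent" or "scheduled"


def triage(entry: dict, as_of: date = AS_OF) -> Triage:
    """Assign a priority from the BOD 22-01 due date and the CVSS vector."""
    metrics = parse_vector(entry["vector"])
    remote_unauth = metrics.get("AV") == "N" and metrics.get("PR") == "N"
    due = entry.get("dueDate")
    days_left = None if due is None else (date.fromisoformat(due) - as_of).days

    # Overdue, or no due date at all, is treated as "patch now" rather than
    # as "no deadline": an unknown date must never push an item down the list.
    if days_left is None or days_left < 0:
        priority = "immediate"
    elif (remote_unauth or days_left <= 7
          or entry.get("knownRansomwareCampaignUse") == "Known"):
        priority = "urgent"
    else:
        priority = "scheduled"
    return Triage(entry["cveID"], days_left, remote_unauth, priority)


def triage_catalog(entries, as_of: date = AS_OF):
    """Return Triage records sorted most-urgent first."""
    order = {"immediate": 0, "urgent": 1, "scheduled": 2}
    results = [triage(e, as_of) for e in entries]
    return sorted(results,
                  key=lambda t: (order[t.priority],
                                 -1 if t.days_left is None else t.days_left))


if __name__ == "__main__":
    for t in triage_catalog(SAMPLE_KEV):
        due = "no due date" if t.days_left is None else f"{t.days_left:+d} days"
        print(f"{t.priority:9} {t.cve}  {due}  remote_unauth={t.remote_unauth}")
```

Run against the real feed, the same functions apply to each object under the catalog's `vulnerabilities` array; the thresholds (7 days, the ransomware flag) are this example's choices and should be tuned to an organization's own SLAs.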

Related Stories

Actively Exploited Microsoft MSHTML Framework Zero-Day (CVE-2026-21513)


Microsoft issued an urgent fix for an actively exploited **MSHTML (Trident) security feature bypass** tracked as **CVE-2026-21513** (CVSS **8.8**), which allows attackers to circumvent Windows security prompts and protections without requiring elevated privileges. Reported exploitation relies on **social engineering** to get a user to open specially crafted content—such as malicious HTML or shortcut (`.lnk`) files—delivered via email attachments, links, or downloads; the weakness is described as a **protection mechanism failure** (CWE-693) in how Windows Shell and MSHTML handle embedded content and validation. CISA added **CVE-2026-21513** to the **Known Exploited Vulnerabilities (KEV)** catalog with required action to apply vendor mitigations/patches per Microsoft guidance and a remediation due date of **2026-03-03**, reinforcing that exploitation is occurring and prioritization is warranted. Separate reporting also described other Microsoft zero-days patched in the same timeframe—**Microsoft Word OLE mitigation bypass** (**CVE-2026-21514**) and a **Windows Desktop Window Manager (dwm.exe) privilege escalation** (**CVE-2026-21519**)—but those are distinct vulnerabilities and not part of the MSHTML-specific KEV entry.

1 month ago
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog


CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.

1 month ago
CISA Adds Windows Desktop Window Manager Information Disclosure (CVE-2026-20805) to KEV After Active Exploitation


**CISA added Microsoft Windows Desktop Window Manager (DWM) vulnerability `CVE-2026-20805` to the Known Exploited Vulnerabilities (KEV) Catalog** after confirming it is being exploited in the wild, triggering mandatory remediation requirements for U.S. federal civilian agencies under *BOD 22-01*. Agencies were directed to apply patches by **February 3**. The flaw is described as an **information disclosure** issue in DWM that leaks small pieces of memory data (including a user-mode memory address associated with a remote ALPC port), and exploitation requires **local access** to the targeted system. Although the bug does not directly provide code execution, reporting notes it can materially weaken system defenses by enabling attackers to **undermine Address Space Layout Randomization (ASLR)** and improve the reliability of follow-on exploitation when chained with a separate execution vulnerability. Microsoft released the fix as part of the first Patch Tuesday of 2026 (roughly **112–114 CVEs** depending on whether Chromium-related fixes are included), but **did not disclose details** about the in-the-wild exploitation or any additional components involved in observed exploit chains, limiting defenders’ ability to proactively hunt for related activity.

2 months ago