The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Monday, ordering federal agencies to apply patches by April 27.
The list includes flaws ranging from recent exploits to a bug that Microsoft patched in 2012. CISA warned that these vulnerabilities serve as frequent attack vectors for malicious actors and pose significant risks to federal enterprises.
One of the vulnerabilities, CVE-2023-21529, involves a deserialization issue in Microsoft Exchange Server. Microsoft threat hunters recently warned that the criminal group Storm-1175 uses this bug to gain initial access to organizations for data theft and Medusa ransomware deployment.
Legacy flaws resurface in active attacks
Perhaps most striking is CVE-2012-1854, an insecure library loading vulnerability in Microsoft Visual Basic for Applications. Although Microsoft released a full patch for this flaw in November 2012, it is now being used in active attacks.
Other vulnerabilities added to the KEV catalog include CVE-2025-60710, a Windows link-following bug that allows privilege escalation, and CVE-2023-36424, a flaw in the Windows Common Log File System Driver.
Although CISA's catalog entries list ransomware use as unknown for all four bugs, the agency confirmed that the Exchange Server flaw is linked to ransomware activity. Microsoft has already patched the more recent vulnerabilities, but the agency's mandate aims to close the window for attackers targeting unpatched federal systems.
CISA also updated its catalog on Monday with two Adobe vulnerabilities: a use-after-free bug in Acrobat (CVE-2020-9715) and a prototype pollution flaw (CVE-2026-34621) affecting both Acrobat and Reader that was exploited as a zero-day for months.