CISA Reports Active Exploitation of Four Microsoft Vulnerabilities, Including a 14-Year-Old Flaw
Take action: Most of these flaws are old. So if you haven't patched your systems for over a year - let alone 14 years - it's high time to do it today, because hackers don't care how old a vulnerability is: it's still usable. If you're still running Exchange Server 2013, 2016, or 2019 on-premises, prioritize patching or migrating those immediately.
On April 13, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported four Microsoft vulnerabilities being actively exploited in the wild. The flaws span more than a decade of security bulletins, with one originally patched nearly 14 years ago still turning up in active attacks today.
Vulnerability summary
- CVE-2025-60710 (CVSS score 7.8) - A link-following vulnerability in the Host Process for Windows Tasks that allows an authorized local attacker to elevate privileges. Microsoft first disclosed this bug in November 2025 and patched it a month later in December 2025. The flaw is associated with improper resolution of symbolic or NTFS reparse points, enabling attackers with a local foothold to gain SYSTEM-level control.
- CVE-2023-36424 (CVSS score 7.8) - An elevation of privilege vulnerability in the Windows Common Log File System Driver. Microsoft patched this flaw in November 2023. Exploitation requires no user interaction and can achieve full system-level impact, making it a reliable escalation target once attackers gain initial access.
- CVE-2023-21529 (CVSS score 8.8) - A remote code execution vulnerability in Microsoft Exchange Server caused by deserialization of untrusted data. Microsoft disclosed and patched this issue in February 2023. Affected versions include Exchange Server 2013, 2016, and 2019. Microsoft's threat intelligence team recently reported that a financially motivated group tracked as Storm-1175 is exploiting this Exchange flaw alongside 15 other vulnerabilities to gain initial network access before deploying Medusa ransomware in extortion attacks.
- CVE-2012-1854 (CVSS score 9.3) - An insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) that could allow for remote code execution. Microsoft originally patched this flaw in July 2012 and issued a follow-up update in November 2012. Despite being nearly 14 years old, this vulnerability continues to surface in active attack campaigns, proving that legacy flaws can remain viable weapons for threat actors long after patches become available.
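The link-following class behind CVE-2025-60710 (a privileged component resolving a path that a lower-privileged user controls, and so being redirected through a symbolic link or NTFS reparse point) is easiest to understand from the defender's side. The following is an added example, not code from CISA, Microsoft or the article: it contrasts a naive file open with one that refuses to follow links at every path component. It is written for POSIX (Linux) using symlinks as the stand-in for NTFS reparse points; the directory layout, file names and the `naive_open_for_write` / `hardened_open_for_write` helpers are all hypothetical and constructed in a temporary directory.

```python
"""Added example: link-following (symlink / reparse point) mitigation for a
privileged service writing into a user-writable directory. POSIX only; names
and layout are hypothetical, not from any real Windows component."""
import os
import stat
import tempfile


def naive_open_for_write(path: str) -> int:
    # Vulnerable pattern: os.open follows symlinks by default, so if `path`
    # is a link planted by a low-privileged user, the write lands wherever
    # the link points, which is the essence of the link-following bug class.
    return os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)


def hardened_open_for_write(root: str, relpath: str) -> int:
    """Open root/relpath for writing without following any link in the path.

    Each component is opened relative to the previous directory fd with
    O_NOFOLLOW, so a link swapped in at any level is refused (ELOOP) instead
    of followed. The final fd is checked to be a regular file.
    """
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        raise ValueError("empty or traversing path rejected")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dirfd = os.open(root, dir_flags)
    try:
        for comp in parts[:-1]:
            # If `comp` is a symlink, O_NOFOLLOW makes this raise; dirfd is
            # still open and is released by the finally block.
            nxt = os.open(comp, dir_flags, dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nxt
        fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW,
                     0o600, dir_fd=dirfd)
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            os.close(fd)
            raise PermissionError("target is not a regular file")
        return fd
    finally:
        os.close(dirfd)


def demo() -> dict:
    """Constructed scenario: a user-writable 'spool' directory, a protected
    file outside it, and a user-planted link spool/report.txt -> protected."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = os.path.join(tmp, "spool")
        os.mkdir(spool)
        protected = os.path.join(tmp, "protected.conf")
        with open(protected, "w") as f:
            f.write("original\n")
        os.symlink(protected, os.path.join(spool, "report.txt"))

        # Naive service: the write goes through the link and clobbers the
        # protected file outside the spool directory.
        fd = naive_open_for_write(os.path.join(spool, "report.txt"))
        os.write(fd, b"clobbered\n")
        os.close(fd)
        with open(protected) as f:
            after_naive = f.read()

        # Hardened service: the planted link is refused.
        try:
            hardened_open_for_write(spool, "report.txt")
            hardened_refused = False
        except OSError:
            hardened_refused = True

        # A genuine regular file inside the spool is still accepted.
        fd = hardened_open_for_write(spool, "ok.txt")
        os.write(fd, b"fine\n")
        os.close(fd)
        with open(os.path.join(spool, "ok.txt")) as f:
            ok_content = f.read()

        return {"after_naive": after_naive,
                "hardened_refused": hardened_refused,
                "ok_content": ok_content}


if __name__ == "__main__":
    print(demo())
```

The per-component `dir_fd` + `O_NOFOLLOW` walk matters more than a single `islink()` check before the open, because a check-then-open sequence leaves a window in which the user swaps a real file for a link; opening with the link-refusing flag removes that race. On Windows the equivalent is opening with `FILE_FLAG_OPEN_REPARSE_POINT` and validating the handle, which is the behaviour the CVE-2025-60710 fix restores for the affected component.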
CISA lists the ransomware exploitation status for all four vulnerabilities as "unknown," although Microsoft's own threat intelligence indicates that at least CVE-2023-21529 is being used by the Storm-1175 group in campaigns that culminate in Medusa ransomware deployment.
Organizations are strongly urged to review their exposure to all four CVEs and apply available patches immediately. Under Binding Operational Directive 22-01, federal agencies are required to remediate these vulnerabilities by April 27, 2026.