The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urgently expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding six zero-day vulnerabilities, all affecting Microsoft products.
This move underscores escalating threats from nation-state actors and cybercriminals actively exploiting these flaws in the wild. Federal Civilian Executive Branch (FCEB) agencies must now patch by CISA’s specified due dates under Binding Operational Directive (BOD) 22-01, while CISA urges all organizations to prioritize remediation to mitigate widespread risks.
The KEV Catalog, established by BOD 22-01 in 2022, serves as a prioritized list of CVEs that pose a “significant risk” to federal networks. Additions are triggered by evidence of active exploitation gathered from vendor reports, threat intelligence, and incident response.
These six entries highlight persistent vulnerabilities in the Microsoft ecosystem as prime attack vectors for ransomware, espionage, and lateral movement.
Six Microsoft 0-Day Vulnerabilities
CVE-2026-21510: Microsoft Windows Shell Protection Mechanism Failure
Affects Windows Shell, allowing unauthorized attackers to bypass security features over a network. CVSS score pending, but exploitation enables remote code execution (RCE) via crafted files or network payloads. Attackers chain this with social engineering for initial access.
CVE-2026-21513: Microsoft MSHTML Framework
MSHTML engine flaw permits security feature bypass remotely. Despite IE’s deprecation, legacy integrations in Edge and Office expose users. Exploits involve malicious web content triggering memory corruption, observed in phishing campaigns targeting enterprises.
CVE-2026-21514: Microsoft Office Word Reliance on Untrusted Inputs
Word’s parsing mishandles untrusted inputs, leading to privilege escalation locally. Attackers deliver via malicious .docx files, evading Protected View. This has fueled document-based malware droppers in recent APT operations.
CVE-2026-21519: Microsoft Windows Type Confusion
Desktop Window Manager (DWM) type confusion vulnerability enables local privilege escalation. Authorized users (e.g., low-priv accounts) can exploit for SYSTEM-level access, common in post-exploitation chains after initial footholds.
CVE-2026-21525: Microsoft Windows NULL Pointer Dereference
Remote Access Connection Manager suffers a NULL pointer dereference, causing local denial-of-service (DoS). While not RCE, it disrupts VPN/remote access, aiding DoS-for-ransom or distraction during larger attacks.
CVE-2026-21533: Windows Remote Desktop Services
A flaw in RDS allows local privilege escalation via improper handling. Critical for remote work environments, exploits grant attackers admin rights on compromised endpoints, facilitating persistence and lateral movement.
Microsoft has released patches in its February 2026 Patch Tuesday, confirming public exploit evidence. Full details are available at CISA’s KEV Catalog and CVE records.
These zero-days reflect a trend: 80% of 2025 KEV additions targeted Microsoft, per CISA data. Malicious actors, including Chinese state-sponsored groups like Salt Typhoon, exploit them for supply-chain compromises and data exfiltration. Unpatched systems are readily located by automated scanning tools such as Shodan, amplifying breach velocity.
BOD 22-01 mandates FCEB remediation within weeks; non-compliance risks audits. Private sectors should integrate KEV into vulnerability management tools.
Immediate Actions: Apply Microsoft patches via WSUS or Intune. Enable auto-updates.
Detection: Hunt for IOCs using EDR (e.g., Defender indicators from MSRC). YARA rules for exploit patterns are emerging on GitHub.
Mitigations: Enforce AppLocker, disable RDS if unused, audit Office macros. Segment networks per Zero Trust.
Long-Term: Shift to endpoint detection and response (EDR) with behavioral analytics; conduct red-team exercises simulating KEV chains.
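To act on the advice above about integrating the KEV Catalog into vulnerability management, here is an added Python example (not code from CISA or from this article) that parses a document in the format of CISA's KEV JSON feed, filters it to Microsoft entries, and reports which inventoried hosts still lack a remediation and how many days remain before (or since) CISA's due date. The feed sample, host names, and due dates are constructed for illustration and are not CISA's actual values.

```python
import json
from datetime import date

# Constructed sample mirroring the schema of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the fields this script uses are included; dates here are constructed, not CISA's.
KEV_FEED_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-21510", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
        {"cveID": "CVE-2026-21533", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
        # Placeholder non-Microsoft entry, to show the vendor filter at work.
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Widget",
         "dateAdded": "2024-01-01", "dueDate": "2024-01-22"},
    ]
})

# Constructed asset inventory: host -> set of CVEs already remediated on it.
# In practice this comes from a WSUS/Intune report or a vulnerability-scanner export.
INVENTORY = {
    "ws-finance-01": {"CVE-2026-21510", "CVE-2026-21533"},
    "ws-finance-02": {"CVE-2026-21510"},
    "rds-gw-01": set(),
}

def load_kev(feed_text, vendor=None):
    """Parse a KEV feed document, optionally keeping only one vendorProject."""
    entries = json.loads(feed_text)["vulnerabilities"]
    if vendor:
        entries = [e for e in entries if e["vendorProject"].lower() == vendor.lower()]
    return {e["cveID"]: e for e in entries}

def kev_gaps(kev, inventory, today):
    """Return {host: [(cveID, days_until_due), ...]} for KEV CVEs not yet remediated.
    today is an ISO date string; a negative day count means the due date has passed."""
    today = date.fromisoformat(today)
    gaps = {}
    for host, patched in inventory.items():
        missing = []
        for cve_id, entry in kev.items():
            if cve_id in patched:
                continue
            due = date.fromisoformat(entry["dueDate"])
            missing.append((cve_id, (due - today).days))
        if missing:
            gaps[host] = sorted(missing, key=lambda m: m[1])  # most urgent first
    return gaps

if __name__ == "__main__":
    kev = load_kev(KEV_FEED_SAMPLE, vendor="Microsoft")
    for host, items in kev_gaps(kev, INVENTORY, "2026-03-01").items():
        print(host, items)
```

Pointing load_kev at the downloaded live feed and INVENTORY at a real patch-status export turns this into a daily overdue-KEV report.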
CISA’s catalog now exceeds 1,200 entries and is updated weekly. Organizations ignoring it face heightened exposure to recent breaches like the 2025 Change Healthcare hack, which stemmed from unpatched KEVs.
The post CISA Adds Six Microsoft 0-Day Vulnerabilities to KEV Catalog Following Active Exploitation appeared first on Cyber Security News.