CISA warns federal agencies to patch four Microsoft vulnerabilities, including one from 2012, as ransomware groups actively exploit these legacy flaws to gain system access.
Four Microsoft vulnerabilities, including a bug first patched in 2012, are being actively exploited by ransomware crews and other cybercriminals, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive to federal agencies.
The Four Vulnerabilities in Focus
The vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) catalog on April 13, 2026, represent a concerning mix of both recent and legacy flaws:
- CVE-2025-60710 - A link-following vulnerability in Windows that allows privilege escalation. Microsoft initially disclosed this bug in November 2025 and fully fixed it a month later.
- CVE-2023-36424 - A Windows Common Log File System Driver flaw that also enables privilege escalation. This was patched by Microsoft in November 2023.
- CVE-2023-21529 - A deserialization of untrusted data issue in Microsoft Exchange Server that allows authenticated attackers to achieve remote code execution (RCE). Microsoft disclosed and patched this bug in February 2023.
- CVE-2012-1854 - An insecure library loading vulnerability in Microsoft Visual Basic for Applications that allows RCE. This bug was first patched in July 2012, with a second update in November 2012 that fully addressed the flaw.
The 14-Year-Old Vulnerability Still Haunting Systems
The inclusion of CVE-2012-1854 is particularly alarming. When Microsoft first addressed this vulnerability in 2012, the company acknowledged it was "aware of limited, targeted attacks attempting to exploit the vulnerability." Now, nearly 14 years later, this same flaw is still being weaponized in active attacks.
This persistence highlights a critical challenge in cybersecurity: legacy vulnerabilities don't simply disappear once patched. They continue to haunt organizations that fail to maintain proper patch management practices, creating long-term attack surfaces that sophisticated threat actors can exploit.
Ransomware Groups Actively Exploiting Exchange Flaw
Perhaps most concerning is the exploitation of CVE-2023-21529 by the financially motivated crime crew tracked as Storm-1175. According to Microsoft's threat hunters, this group is using this Exchange vulnerability, along with 15 others, to gain initial access to organizations.
Once inside, Storm-1175 follows a predictable pattern: stealing data and deploying Medusa ransomware in extortion attacks. This represents a textbook example of how unpatched vulnerabilities serve as entry points for ransomware operations that can cripple organizations and extort millions in ransom payments.
CISA's Emergency Response
In response to these active exploitation campaigns, CISA has given federal agencies until April 27, 2026 - just two weeks from the announcement - to apply patches for all four vulnerabilities.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned in its directive.
The agency's decision to add these vulnerabilities to the KEV catalog underscores their severity and the immediate threat they pose to government systems.
Adobe Vulnerabilities Also Added to KEV
In the same announcement, CISA added two Adobe bugs to the KEV catalog:
- CVE-2020-9715 - A use-after-free vulnerability in Acrobat.
- CVE-2026-34621 - A prototype pollution flaw affecting both Adobe Acrobat and Reader. This vulnerability had been exploited as a zero-day for months before Adobe finally released a patch over the weekend.
The Broader Implications
These incidents highlight several critical issues in modern cybersecurity:
Patch Management Challenges - The fact that a 14-year-old vulnerability is still being exploited demonstrates the ongoing struggle many organizations face in maintaining current systems. Legacy systems, complex IT environments, and resource constraints often lead to delayed patching, creating opportunities for attackers.
Ransomware Evolution - The exploitation of these vulnerabilities by groups like Storm-1175 shows how ransomware operations have evolved beyond simple encryption. Modern ransomware crews use sophisticated techniques to gain initial access, move laterally through networks, and maximize their leverage through data theft before deploying their encryption payloads.
Supply Chain and Legacy Code Risks - The persistence of old vulnerabilities in widely used software like Microsoft Visual Basic for Applications raises questions about how legacy code continues to create security risks years after its initial development.
Government Response Times - CISA's two-week deadline for federal agencies represents a significant acceleration in government response times to active threats, reflecting the urgency of addressing these vulnerabilities before they can be widely exploited.
What Organizations Should Do
For organizations outside the federal government, these developments serve as a critical reminder to:
- Review and apply all available patches for Microsoft Windows, Exchange Server, and Adobe products
- Implement robust patch management processes that prioritize critical vulnerabilities
- Monitor for indicators of compromise related to these CVEs
- Consider the risks posed by legacy systems and plan for their modernization
- Maintain comprehensive logging and monitoring to detect early signs of exploitation
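As an added example (not code from the article, CISA, Microsoft or Adobe), the following Python script turns the first three points above into something a patch team can run: it parses a catalog file in the layout of CISA's KEV JSON feed, keeps only the entries whose vendor and product appear in a local software inventory, and ranks them by remediation deadline, known ransomware use and age, so a 14-year-old bug with a two-week deadline does not get lost under newer CVEs. The feed text, the inventory and the per-entry ransomware flags are constructed samples built around the six CVEs the article names; the product strings and the ten-year "legacy" threshold are assumptions, not values from the live catalog.

```python
"""Prioritise CISA KEV entries against a local software inventory.

Added example; it is neither the article's nor CISA's code. It reads a
catalog in the JSON layout CISA publishes (fields cveID, vendorProject,
product, dateAdded, dueDate, knownRansomwareCampaignUse, requiredAction),
keeps entries matching an inventory, and orders them by deadline, ransomware
use and CVE age. SAMPLE_KEV_JSON below is a constructed sample covering the
CVEs the article names; product names and ransomware flags are illustrative.
Point load_kev() at the live feed text to run it for real:
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
from datetime import date

ARTICLE_DAY = date(2026, 4, 14)   # the day after the KEV additions in the article
LEGACY_YEARS = 10                 # assumption: a CVE this old or older is flagged "legacy"


def _entry(cve, vendor, product, ransomware):
    # Constructed KEV-shaped record; all six were added 2026-04-13 with a 2026-04-27 due date.
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
            "knownRansomwareCampaignUse": "Known" if ransomware else "Unknown",
            "requiredAction": "Apply mitigations per vendor instructions."}


SAMPLE_KEV_JSON = json.dumps({"title": "constructed KEV sample", "vulnerabilities": [
    _entry("CVE-2025-60710", "Microsoft", "Windows", True),
    _entry("CVE-2023-36424", "Microsoft", "Windows", True),
    _entry("CVE-2023-21529", "Microsoft", "Exchange Server", True),
    _entry("CVE-2012-1854", "Microsoft", "Visual Basic for Applications", True),
    _entry("CVE-2020-9715", "Adobe", "Acrobat and Reader", False),
    _entry("CVE-2026-34621", "Adobe", "Acrobat and Reader", False),
]})

# Constructed inventory: (vendor, product keyword) pairs for software actually deployed.
SAMPLE_INVENTORY = [("Microsoft", "Windows"), ("Microsoft", "Exchange"),
                    ("Microsoft", "Visual Basic"), ("Adobe", "Acrobat")]


def load_kev(text):
    """Parse catalog JSON text; the live feed uses the same top-level 'vulnerabilities' list."""
    return json.loads(text)["vulnerabilities"]


def applies(entry, inventory):
    """Case-insensitive match: same vendor, and the inventory keyword occurs in the KEV product."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return any(v.lower() == vendor and kw.lower() in product for v, kw in inventory)


def triage(kev_text, inventory, today):
    """Return the applicable KEV entries as dicts, most urgent first."""
    rows = []
    for e in load_kev(kev_text):
        if not applies(e, inventory):
            continue
        due = date.fromisoformat(e["dueDate"])
        cve_year = int(e["cveID"].split("-")[1])
        rows.append({
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "due": due,
            "days_left": (due - today).days,   # negative once the deadline has passed
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "legacy": today.year - cve_year >= LEGACY_YEARS,
            "action": e.get("requiredAction", ""),
        })
    # Earliest deadline first; within a deadline, ransomware-used bugs first, then oldest CVE id.
    rows.sort(key=lambda r: (r["due"], not r["ransomware"], r["cve"]))
    return rows


def overdue(rows):
    """CVE ids whose remediation deadline has already passed."""
    return [r["cve"] for r in rows if r["days_left"] < 0]


def report(rows):
    """One line per entry, suitable for a ticket or a daily mail."""
    lines = []
    for r in rows:
        tags = [t for t, on in (("RANSOMWARE", r["ransomware"]), ("LEGACY", r["legacy"])) if on]
        lines.append(f'{r["cve"]:<15} {r["product"]:<40} due {r["due"]} '
                     f'({r["days_left"]:+d}d) {" ".join(tags)}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, ARTICLE_DAY)))
```

The inventory match is deliberately a substring test on the product field because KEV product names are free text ("Windows", "Exchange Server", "Acrobat and Reader") rather than a vocabulary your asset database will share; tighten it to CPE matching if your inventory carries CPEs. Entries for software not in the inventory are dropped, which is why keeping the inventory complete (including legacy components such as VBA) matters as much as the script itself.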
As ransomware groups continue to evolve their tactics and exploit both new and legacy vulnerabilities, the importance of proactive security measures cannot be overstated. The 14-year journey of CVE-2012-1854 from initial discovery to continued exploitation serves as a sobering reminder that in cybersecurity, yesterday's problems can quickly become today's crises.