CISA Adds Six Microsoft 0-Day Vulnerabilities to KEV Catalog Following Active Exploitation - CyberSecurityNews

CyberSecurityNews Archived Apr 27, 2026 ✓ Full text saved

By Guru Baran, February 11, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six zero-day vulnerabilities, all in Microsoft products, to its Known Exploited Vulnerabilities (KEV) Catalog. The additions follow evidence of active in-the-wild exploitation by nation-state actors and cybercriminals. Federal Civilian Executive Branch (FCEB) agencies must remediate each entry by the due date CISA assigns under Binding Operational Directive (BOD) 22-01, and CISA urges all other organizations to prioritize the same fixes.

The KEV Catalog, created by BOD 22-01 in November 2021, is a prioritized list of CVEs that CISA judges to pose a "significant risk" to federal networks. An entry is added only when there is evidence of active exploitation, drawn from vendor reports, threat intelligence, and incident response. These six entries show the Microsoft ecosystem remaining a primary vector for ransomware, espionage, and lateral movement.

Six Microsoft 0-Day Vulnerabilities

CVE-2026-21510: Microsoft Windows Shell Protection Mechanism Failure. A flaw in the Windows Shell lets an unauthenticated attacker bypass a security feature over a network. No CVSS score has been published yet; in observed exploitation the bypass leads to remote code execution (RCE) via crafted files or network payloads, typically chained with social engineering for initial access.

CVE-2026-21513: Microsoft MSHTML Framework. A flaw in the MSHTML engine permits a remote security feature bypass. Although Internet Explorer is deprecated, MSHTML still ships with Windows and is reachable through legacy integrations in Edge and Office. Exploits use malicious web content to trigger memory corruption and have been observed in phishing campaigns against enterprises.

CVE-2026-21514: Microsoft Office Word Reliance on Untrusted Inputs. Word's parser trusts input it should not, allowing local privilege escalation. Attackers deliver malicious .docx files that evade Protected View; the flaw has fueled document-based malware droppers in recent APT operations.

CVE-2026-21519: Microsoft Windows Type Confusion. A type confusion bug in the Desktop Window Manager (DWM) enables local privilege escalation: an authenticated low-privilege user can obtain SYSTEM. This is the classic second stage of a post-exploitation chain after an initial foothold.

CVE-2026-21525: Microsoft Windows NULL Pointer Dereference. The Remote Access Connection Manager suffers a NULL pointer dereference that causes a local denial of service (DoS). It is not RCE, but it disrupts VPN and remote-access connectivity, which suits DoS-for-ransom schemes or serves as a distraction during a larger intrusion.

CVE-2026-21533: Windows Remote Desktop Services. Improper handling in RDS allows local privilege escalation. On remote-work endpoints this hands an attacker administrative rights, enabling persistence and lateral movement.

Microsoft released fixes for all six in its February 2026 Patch Tuesday and confirmed public exploit evidence. Full details are available in CISA's KEV Catalog and the CVE records. "Zero-day" here means the flaws were exploited before a patch existed; patches now exist, so the remaining risk is a function of how quickly they are deployed.

These zero-days reflect a broader trend: 80% of 2025 KEV additions targeted Microsoft, per CISA data. Threat actors, including Chinese state-sponsored groups such as Salt Typhoon, exploit such flaws for intrusion and data exfiltration. Unpatched, Internet-exposed systems are trivially discoverable through search engines such as Shodan and are hit by automated scanning, which shortens the time from disclosure to breach.

BOD 22-01 requires FCEB agencies to remediate by the per-entry due date; non-compliance invites audit findings. Private-sector organizations should feed the KEV catalog into their vulnerability-management tooling and treat KEV entries as the top tier of the patch queue.

Immediate Actions: Deploy the February 2026 Microsoft updates via WSUS or Intune, and enable automatic updates on endpoints that are not centrally managed. Detection: Use EDR to hunt for the post-exploitation behaviour these flaws enable, such as Office or Shell processes spawning unexpected children from untrusted files, and low-privilege sessions suddenly acting as SYSTEM; community YARA rules for the exploit artifacts are beginning to appear on GitHub.

Mitigations: Enforce AppLocker, disable Remote Desktop Services where it is not needed, and audit Office macro policy. Segment networks along Zero Trust lines. Long-Term: Move to endpoint detection and response (EDR) with behavioural analytics, and run red-team exercises that simulate KEV-based exploit chains.

CISA's catalog now exceeds 1,200 entries and is updated whenever new exploitation evidence is confirmed, often several times a week. Organizations that ignore it stay exposed to the flaws attackers are known to be using. Note that initial access does not always require a CVE at all: the 2024 Change Healthcare intrusion began with stolen credentials on a Citrix remote-access portal that had no MFA, so KEV patching must sit alongside basic access controls.

Guru Baran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
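The following script is an added example of what "integrate KEV into vulnerability management" looks like in practice; it is not code from the article, from CyberSecurityNews, or from CISA. It mirrors the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but every record, date and the ExampleVendor entry is constructed sample data: the CVE IDs are the six named above, while their due dates and ransomware flags are placeholders and must not be read as the real catalog values. The asset-inventory format (hostname plus open CVEs from a scanner export) is likewise hypothetical.

```python
"""KEV-to-inventory cross-reference (added example; not from the article or CISA).

Constructed sample data throughout: CVE IDs are those named in the article,
but dates, the ransomware flag and the ExampleVendor entry are placeholders.
"""
import json
import urllib.request
from datetime import date

# Real public feed location; the demo below never contacts it.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"


def _rec(cve, vendor, product, name, added, due, ransomware="Unknown"):
    """Build one KEV-style record using the live feed's field names."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": added, "dueDate": due,
            "shortDescription": "(constructed placeholder)",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "knownRansomwareCampaignUse": ransomware, "notes": ""}


# Constructed feed: dates and the ransomware flag are illustrative only.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (sample)",
    "catalogVersion": "sample", "dateReleased": "2026-02-11T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        _rec("CVE-2026-21510", "Microsoft", "Windows",
             "Microsoft Windows Shell Protection Mechanism Failure Vulnerability",
             "2026-02-10", "2026-03-03"),
        _rec("CVE-2026-21514", "Microsoft", "Office",
             "Microsoft Office Word Reliance on Untrusted Inputs Vulnerability",
             "2026-02-10", "2026-03-03", ransomware="Known"),
        _rec("CVE-2026-21519", "Microsoft", "Windows",
             "Microsoft Windows Type Confusion Vulnerability", "2026-02-10", "2026-03-03"),
        _rec("CVE-2026-21533", "Microsoft", "Windows",
             "Microsoft Windows Remote Desktop Services Vulnerability", "2026-02-24", "2026-03-17"),
        _rec("CVE-2025-12345", "ExampleVendor", "ExampleGateway",
             "ExampleVendor Gateway Auth Bypass (placeholder)", "2026-01-30", "2026-02-20"),
    ],
})

# Constructed scanner export: CVEs still open on each host (CVE-2024-99999 is a
# placeholder for a finding that is NOT in the KEV catalog).
SAMPLE_INVENTORY = [
    {"hostname": "ws-finance-07",
     "open_cves": ["CVE-2026-21514", "CVE-2026-21519", "CVE-2024-99999"]},
    {"hostname": "rds-gw-01", "open_cves": ["CVE-2026-21533"]},
    {"hostname": "jump-02", "open_cves": ["CVE-2025-12345"]},
    {"hostname": "build-01", "open_cves": []},
]


def fetch_kev_feed(url: str = KEV_FEED_URL, timeout: int = 30) -> str:
    """Download the live feed as text (needs network; unused by the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(feed_json: str) -> dict:
    """Parse a KEV feed document into {cveID: record}."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_by_vendor(kev: dict, vendor: str = "Microsoft") -> dict:
    """Subset of the catalog for one vendorProject (case-insensitive)."""
    return {c: r for c, r in kev.items() if r["vendorProject"].lower() == vendor.lower()}


def kev_worklist(kev: dict, inventory: list, today: str) -> list:
    """Join open findings against KEV and rank them for remediation.

    Only CVEs present in the catalog appear; everything else stays on the
    normal patch SLA. Ranking: known-ransomware entries first, then the most
    overdue (days past the BOD 22-01 dueDate), then CVE ID for stability.
    """
    today_d = date.fromisoformat(today)
    rows = []
    for host in inventory:
        for cve in host["open_cves"]:
            rec = kev.get(cve)
            if rec is None:
                continue
            due = date.fromisoformat(rec["dueDate"])
            rows.append({"host": host["hostname"], "cve": cve,
                         "vendor": rec["vendorProject"], "product": rec["product"],
                         "due": rec["dueDate"], "days_overdue": (today_d - due).days,
                         "ransomware": rec["knownRansomwareCampaignUse"] == "Known"})
    rows.sort(key=lambda r: (not r["ransomware"], -r["days_overdue"], r["cve"]))
    return rows


def overdue_hosts(worklist: list) -> list:
    """Distinct hosts with at least one KEV finding past its due date."""
    return sorted({r["host"] for r in worklist if r["days_overdue"] > 0})


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_FEED)
    print(f"{len(kev)} KEV entries, {len(kev_by_vendor(kev))} from Microsoft")
    work = kev_worklist(kev, SAMPLE_INVENTORY, today="2026-03-10")
    for r in work:
        flag = " RANSOMWARE" if r["ransomware"] else ""
        print(f"{r['host']:<14} {r['cve']:<15} due {r['due']} ({r['days_overdue']:+d} days){flag}")
    print("overdue hosts:", overdue_hosts(work))
```

In production, swap SAMPLE_KEV_FEED for the output of fetch_kev_feed() on a schedule and SAMPLE_INVENTORY for your scanner's export; the join is the same. Negative days_overdue values are entries that are in KEV but not yet past their due date, which is the window in which FCEB agencies must act and everyone else should.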