Full Report
One was patched almost 14 years ago

Crooks are exploiting four Microsoft vulnerabilities - one patched 14 years ago and another tied to ransomware activity - according to America's lead cyber-defense agency, which on Monday gave federal agencies two weeks to patch them.…
Analysis Summary
This summary covers the four Microsoft vulnerabilities that CISA added to its Known Exploited Vulnerabilities (KEV) catalog, as described in the article above. Details not stated in the article are marked as such.
---
# Vulnerability: Four Microsoft Flaws Added to CISA KEV (Patched 2012 to 2025)
## CVE Details
* **CVE ID:** CVE-2025-60710, CVE-2023-36424, CVE-2023-21529, CVE-2012-1854
* **CVSS Score:** Not given in the article. All four are privilege-escalation or code-execution bugs, so treat them as high severity and take the authoritative scores from the MSRC entries listed under References.
* **CWE** (mapped from the article's descriptions):
  * CWE-59 (Link Following): CVE-2025-60710
  * CWE-502 (Deserialization of Untrusted Data): CVE-2023-21529
  * CWE-427 (Uncontrolled Search Path Element / Insecure Library Loading): CVE-2012-1854
  * CVE-2023-36424 (CLFS driver): the article does not give a weakness class
## Affected Systems
* **Products:** Microsoft Windows, Windows Common Log File System (CLFS) driver, Microsoft Exchange Server, Microsoft Visual Basic for Applications (VBA).
* **Versions:** The article does not list affected versions; check each MSRC entry under References for the exact product builds.
  * Windows: CVE-2025-60710 and CVE-2023-36424 (the CLFS driver ships with Windows)
  * Exchange Server: CVE-2023-21529 (exploitation requires an authenticated user)
  * VBA: CVE-2012-1854 (any installation that loads libraries from an attacker-influenced path)
* **Configurations at risk:** Internet-facing Exchange servers; any Windows host on which a low-privileged user or an attacker's initial foothold can run code (the two privilege-escalation bugs); workstations where users open files from untrusted locations (the VBA bug).
## Vulnerability Description
1. **CVE-2025-60710:** A link-following flaw in Windows. A local attacker who can already run code can abuse it to elevate privileges.
2. **CVE-2023-36424:** A flaw in the Windows Common Log File System (CLFS) driver that allows local privilege escalation (LPE). CLFS is a kernel driver, so a successful exploit yields SYSTEM-level code execution.
3. **CVE-2023-21529:** A deserialization flaw in Microsoft Exchange Server. An authenticated user can trigger it to execute arbitrary code on the server (RCE); valid credentials, not unauthenticated access, are the prerequisite.
4. **CVE-2012-1854:** An insecure library loading vulnerability in Microsoft VBA. Opening a specially crafted file causes VBA to load an attacker-supplied library, giving remote code execution in the context of the user who opened the file.
## Exploitation
* **Status:** Exploited in the wild (all four are listed in CISA KEV).
  * *Note:* CVE-2023-21529 is actively used by **Storm-1175** to deploy **Medusa ransomware**.
  * *Note:* CVE-2012-1854 was patched almost 14 years ago; its KEV listing means it is being exploited now, not that exploitation has been continuous since 2012. The age of the patch makes it a strong signal of unmanaged or legacy systems.
* **Complexity:** Not rated in the article. The two local bugs need prior code execution as a low-privileged user, the Exchange bug needs valid credentials, and the VBA bug needs user interaction.
* **Attack Vector:**
  * **Network:** CVE-2023-21529 (authenticated request to Exchange).
  * **Local with user interaction:** CVE-2012-1854 (the crafted file is delivered over the network, but the victim must open it).
  * **Local:** CVE-2025-60710, CVE-2023-36424 (privilege escalation after initial access).
## Impact
* **Confidentiality:** High (Full data access via RCE/Ransomware).
* **Integrity:** High (Unauthorized system modifications).
* **Availability:** High (System encryption via Medusa Ransomware).
## Remediation
### Patches
* **CVE-2025-60710:** Patched by Microsoft in December 2025.
* **CVE-2023-36424:** Patched in November 2023.
* **CVE-2023-21529:** Patched in February 2023.
* **CVE-2012-1854:** Patched in July 2012; supplemental update in November 2012.
### Workarounds
* The article describes no workarounds; the required action is to apply the vendor patches above.
* CISA requires federal agencies to patch by **April 27, 2026** (the two-week deadline set on the Monday the entries were added; KEV due dates are mandated under Binding Operational Directive 22-01). Non-federal organizations should treat the same date as a reasonable SLA, prioritizing CVE-2023-21529 because of its ransomware use.
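The KEV due date turns the four entries into a tracking problem: which hosts run the affected product, which already have the fix, and how many days remain. The script below is an added example, not code from the article, from CISA or from Microsoft. It parses records in the shape of CISA's public KEV JSON feed (fields `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) and triages a hypothetical asset inventory against them. The embedded records are constructed for the example: the due date comes from the article, the `dateAdded` is assumed from the two-week window, and the product names and ransomware flags are assumptions, so in practice replace `KEV_SAMPLE` with the live feed and `INVENTORY` with output from patch-management tooling.

```python
"""Triage an asset inventory against CISA KEV records (added example)."""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of the KEV JSON feed; field values other
# than dueDate are assumptions for this example, not data from CISA.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft",
         "product": "Visual Basic for Applications",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical inventory: the KEV products each host runs and the CVEs that
# patch management already reports as remediated on it.
INVENTORY = [
    {"name": "EXCH-01", "products": {"Windows", "Exchange Server"},
     "patched": {"CVE-2023-36424"}},
    {"name": "WKS-07", "products": {"Windows", "Visual Basic for Applications"},
     "patched": {"CVE-2025-60710", "CVE-2023-36424"}},
    {"name": "WKS-12", "products": {"Windows"},
     "patched": {"CVE-2025-60710", "CVE-2023-36424"}},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    product: str
    due: date
    days_left: int    # negative once the CISA due date has passed
    ransomware: bool  # KEV flags the CVE as used in ransomware campaigns

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def load_kev(raw: str, vendor: str = "Microsoft") -> dict:
    """Parse a KEV feed into {cveID: {product, due, ransomware}} for one vendor."""
    entries = {}
    for v in json.loads(raw)["vulnerabilities"]:
        if v["vendorProject"] != vendor:
            continue
        entries[v["cveID"]] = {
            "product": v["product"],
            "due": date.fromisoformat(v["dueDate"]),
            # The feed uses "Known" / "Unknown"; anything else counts as Unknown.
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        }
    return entries


def triage(raw_feed: str, inventory: list, today) -> list:
    """Return one Finding per (host, unpatched KEV CVE), most urgent first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    kev = load_kev(raw_feed)
    findings = []
    for host in inventory:
        for cve_id, entry in kev.items():
            if entry["product"] not in host["products"] or cve_id in host["patched"]:
                continue
            findings.append(Finding(host["name"], cve_id, entry["product"], entry["due"],
                                    (entry["due"] - today).days, entry["ransomware"]))
    # Ransomware-linked CVEs first, then earliest due date, then host and CVE.
    findings.sort(key=lambda f: (not f.ransomware, f.due, f.host, f.cve_id))
    return findings


def report(findings: list) -> list:
    """Render findings one per line, tagging ransomware-linked and overdue items."""
    lines = []
    for f in findings:
        flags = (["RANSOMWARE"] if f.ransomware else []) + (["OVERDUE"] if f.overdue else [])
        when = f"{-f.days_left}d past due" if f.overdue else f"{f.days_left}d left"
        lines.append(f"{f.host:8} {f.cve_id:15} {f.product:30} due {f.due} "
                     f"({when}) {' '.join(flags)}".rstrip())
    return lines


if __name__ == "__main__":
    for line in report(triage(KEV_SAMPLE, INVENTORY, today="2026-04-20")):
        print(line)
```

Running it a week before the deadline lists three gaps: the Exchange server still exposed to CVE-2023-21529 sorts first because of the ransomware flag, the same host's missing Windows fix follows, and the workstation with the 2012 VBA bug is last. Rerunning after April 27 marks every remaining line OVERDUE. Product matching here is exact-string and deliberately simple; real KEV product names vary, so map them to your CMDB's product identifiers before relying on the output.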
## Detection
* **Indicators of Compromise:** The article gives none beyond the attribution of CVE-2023-21529 to Storm-1175 and Medusa ransomware; take concrete indicators from Microsoft's Storm-1175 report listed under References.
* **Detection Methods:**
  * Verify patch state rather than guessing from symptoms: confirm that each Windows host carries the November 2023 and December 2025 security updates (check the installed `clfs.sys` version against the November 2023 update) and that each Exchange server is at or above the February 2023 Security Update build.
  * On Exchange, alert on unexpected child processes of the IIS worker process (w3wp.exe) and on new or modified files in the Exchange web directories, since authenticated RCE typically leads to a web shell or a spawned command interpreter.
  * On Windows endpoints, audit process creation (Security event 4688) and special-privilege logons (event 4672) for low-privileged accounts that suddenly run as SYSTEM, which is what a successful CLFS or link-following exploit produces.
  * For CVE-2012-1854, inventory remaining VBA-bearing installations that never received the 2012 update; a 14-year-old missing patch usually marks an unmanaged or legacy system that needs more than one fix.
## References
* CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
* Microsoft Security Update Guide (CVE-2025-60710): hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2025-60710
* Microsoft Security Update Guide (CVE-2023-36424): hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2023-36424
* Microsoft Security Update Guide (CVE-2023-21529): hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2023-21529
* Microsoft Threat Intelligence (Medusa Ransomware): hxxps[://]www[.]microsoft[.]com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/