Ethical Hacking News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six Microsoft Office and Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. They cover a Windows SmartScreen bypass, an Internet Explorer security control bypass, a Microsoft 365/Office OLE mitigation bypass, a Windows Desktop Window Manager privilege escalation, a Windows Remote Access Connection Manager denial of service, and a Windows Remote Desktop Services privilege escalation. Microsoft labeled three of them as publicly disclosed. CISA has set March 3, 2026 as the remediation due date for federal agencies and recommends that private organizations also address the flaws in their infrastructure.
CISA maintains the KEV catalog to inform federal agencies, and the wider public, of vulnerabilities for which it has reliable evidence of active exploitation. Each catalog entry carries a required action and a remediation due date, so inclusion is a prioritization signal rather than just a list of CVEs.
The six newly added vulnerabilities are CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. Five carry High CVSS scores and one is rated Medium, but the scores are not why they are in the catalog: KEV entries are added on evidence of exploitation in the wild, so all six warrant the same remediation priority.
CVE-2026-21510 is a Windows SmartScreen and Shell prompt bypass that allows attackers to evade security warnings by tricking users into opening a crafted malicious link or shortcut file. This vulnerability has a CVSS score of 7.5 and is classified as High risk.
CVE-2026-21513 is an Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file. This vulnerability has a CVSS score of 8.8 and is classified as High risk.
CVE-2026-21514 is a Microsoft 365 and Office flaw that bypasses OLE security mitigations, enabling malicious activity when a specially crafted Office document is opened. This vulnerability has a CVSS score of 8.1 and is classified as High risk.
CVE-2026-21519 is a Windows Desktop Window Manager vulnerability that enables local privilege escalation and elevated system access. This vulnerability has a CVSS score of 7.8 and is classified as High risk.
CVE-2026-21525 is a Windows Remote Access Connection Manager bug that can be abused by a local attacker to cause a denial-of-service condition. This vulnerability has a CVSS score of 6.5 and is classified as Medium risk.
CVE-2026-21533 is a Windows Remote Desktop Services vulnerability that allows attackers to escalate privileges to SYSTEM. This vulnerability has a CVSS score of 8.8 and is also classified as High risk.
Microsoft labeled three of the vulnerabilities, namely CVE-2026-21510, CVE-2026-21514, and CVE-2026-21513, as "publicly disclosed". The company credited Google Threat Intelligence Group, its internal security teams, and an anonymous researcher for discovering these vulnerabilities.
Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate every cataloged vulnerability by its due date to protect their networks against attacks exploiting the flaws in the catalog.
CISA has set a due date of March 3, 2026 for these six entries. Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure, since the exploitation evidence that put them in KEV applies to anyone running the affected products.
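The KEV catalog is published as a JSON feed, and the practical question for a remediation team is which of the entries that concern them are overdue or about to be. The script below is an added example written for this article; it is not code from CISA, Microsoft or the article's author. It assumes the layout of the public feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (a "vulnerabilities" array with cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate and knownRansomwareCampaignUse fields). The embedded sample feed is constructed: only the six CVE IDs, the affected products and the March 3, 2026 due date come from the article; the dateAdded value, the name strings and the ransomware field are placeholders.

```python
"""Check CVE IDs against a CISA KEV catalog feed and report BOD 22-01 due dates.

Added example for this article; not code from CISA, Microsoft or the article's
author. It assumes the public KEV JSON feed layout, whose "vulnerabilities"
array carries cveID, vendorProject, product, vulnerabilityName, dateAdded,
dueDate and knownRansomwareCampaignUse fields.
"""
import json
from datetime import date

# CVE IDs from the article, in the order it lists them.
ARTICLE_CVES = [
    "CVE-2026-21510", "CVE-2026-21513", "CVE-2026-21514",
    "CVE-2026-21519", "CVE-2026-21525", "CVE-2026-21533",
]

# Constructed sample feed in the shape of the real KEV JSON. Only the CVE IDs,
# the affected products and the 2026-03-03 due date come from the article;
# dateAdded, the name strings and the ransomware field are placeholders.
_SAMPLE_ENTRIES = [
    ("CVE-2026-21510", "Windows", "SmartScreen and Shell prompt bypass"),
    ("CVE-2026-21513", "Internet Explorer", "Security control bypass"),
    ("CVE-2026-21514", "Office", "OLE security mitigation bypass"),
    ("CVE-2026-21519", "Windows", "Desktop Window Manager elevation of privilege"),
    ("CVE-2026-21525", "Windows", "Remote Access Connection Manager denial of service"),
    ("CVE-2026-21533", "Windows", "Remote Desktop Services elevation of privilege"),
]
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "count": len(_SAMPLE_ENTRIES),
    "vulnerabilities": [
        {
            "cveID": cve,
            "vendorProject": "Microsoft",
            "product": product,
            "vulnerabilityName": f"Microsoft {product} {name}",
            "dateAdded": "2026-02-10",   # assumed; the article gives only the due date
            "shortDescription": f"Microsoft {product} contains a {name.lower()} vulnerability.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-03",     # from the article
            "knownRansomwareCampaignUse": "Unknown",  # placeholder value
            "notes": "",
            "cwes": [],
        }
        for cve, product, name in _SAMPLE_ENTRIES
    ],
})


def load_kev(feed_text):
    """Parse feed JSON and index catalog entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def remediation_status(cve_ids, catalog, today):
    """Report, for each CVE ID, whether it is cataloged and how many days remain
    before its due date. Negative days_remaining means the deadline has passed."""
    report = {}
    for cve in cve_ids:
        entry = catalog.get(cve)
        if entry is None:
            report[cve] = {"in_kev": False}
            continue
        days = (date.fromisoformat(entry["dueDate"]) - today).days
        report[cve] = {
            "in_kev": True,
            "vendor": entry["vendorProject"],
            "product": entry["product"],
            "due_date": entry["dueDate"],
            "days_remaining": days,
            "overdue": days < 0,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        }
    return report


def due_within(report, days):
    """CVE IDs that are overdue or due within `days` days, most urgent first."""
    hits = [(v["days_remaining"], cve) for cve, v in report.items()
            if v["in_kev"] and v["days_remaining"] <= days]
    return [cve for _, cve in sorted(hits)]


def vendor_entries(catalog, vendor):
    """CVE IDs in the catalog whose vendorProject matches (case-insensitive)."""
    return sorted(cve for cve, v in catalog.items()
                  if v["vendorProject"].lower() == vendor.lower())


if __name__ == "__main__":
    # To run against the live feed, replace SAMPLE_KEV_FEED with the downloaded JSON text.
    catalog = load_kev(SAMPLE_KEV_FEED)
    report = remediation_status(ARTICLE_CVES, catalog, date.today())
    for cve, status in report.items():
        if status["in_kev"]:
            flag = "OVERDUE" if status["overdue"] else f"{status['days_remaining']} days left"
            print(f"{cve}: {status['vendor']} {status['product']} due {status['due_date']} ({flag})")
        else:
            print(f"{cve}: not in KEV")
    print("Due within 14 days:", due_within(report, 14))
```

Run against the live feed, the same functions let a team diff the vendor_entries list for "Microsoft" between two downloads to spot newly added Microsoft entries, and due_within gives the short list to escalate in a change window. Keying on cveID rather than on the human-readable name is deliberate: names in the feed are occasionally revised, CVE IDs are not.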
These six flaws are already being exploited, which is the whole reason they are in the KEV catalog. Organizations outside the scope of BOD 22-01 should still treat the March 3, 2026 due date as a practical deadline for applying the vendor updates, with the three publicly disclosed bugs at the front of the queue.
Related Information:
https://www.ethicalhackingnews.com/articles/US-CISA-Adds-Microsoft-Office-and-Windows-Flaws-to-Its-Known-Exploited-Vulnerabilities-Catalog-A-Growing-Concern-for-Cybersecurity-ehn.shtml
https://securityaffairs.com/187855/security/u-s-cisa-adds-microsoft-office-and-microsoft-windows-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://cybernews.com/security/microsoft-six-exploited-zero-days-cisa-kev-february-2026/
https://nvd.nist.gov/vuln/detail/CVE-2026-21510
https://www.cvedetails.com/cve/CVE-2026-21510/
https://nvd.nist.gov/vuln/detail/CVE-2026-21513
https://www.cvedetails.com/cve/CVE-2026-21513/
https://nvd.nist.gov/vuln/detail/CVE-2026-21514
https://www.cvedetails.com/cve/CVE-2026-21514/
https://nvd.nist.gov/vuln/detail/CVE-2026-21519
https://www.cvedetails.com/cve/CVE-2026-21519/
https://nvd.nist.gov/vuln/detail/CVE-2026-21525
https://www.cvedetails.com/cve/CVE-2026-21525/
https://nvd.nist.gov/vuln/detail/CVE-2026-21533
https://www.cvedetails.com/cve/CVE-2026-21533/
Published: Wed Feb 11 02:29:51 2026 by llama3.2 3B Q4_K_M