CISA Adds Seven CVEs to KEV Including Decade-Old Microsoft Bugs Exploited by Storm-1175

CISA has added seven vulnerabilities to the Known Exploited Vulnerabilities catalogue, including four Microsoft flaws spanning from 2012 to 2025 being actively leveraged by the Storm-1175 ransomware group. The additions highlight a persistent patching blind spot: vulnerabilities patched years ago that never made it into legacy system maintenance cycles, now routinely weaponised for initial access and privilege escalation.

Tags: cisa-kev, patch-management, storm-1175, medusa, microsoft, exchange, fortinet, adobe, legacy-vulnerabilities, vulnerability-management

CISA’s 13 April 2026 Known Exploited Vulnerabilities update added seven entries spanning Adobe, Fortinet, and Microsoft, including vulnerabilities from 2012, 2020, 2023, 2025 and 2026. The additions are not academic: the four Microsoft entries are being actively exploited by Storm-1175, a financially motivated threat actor that chains legacy vulnerability exploitation with Medusa ransomware deployment, using the bugs for initial access and privilege escalation before encrypting victim environments.

The Seven Additions

CVE-2012-1854: Microsoft Visual Basic for Applications insecure library loading (RCE). A 14-year-old vulnerability in VBA that allows DLL hijacking when Office loads a malicious library file from an attacker-controlled location. Still present in unpatched Office installations and legacy environments where VBA remains in use.

CVE-2020-9715: Adobe Acrobat use-after-free. A 2020 memory corruption flaw in Acrobat that, six years after its initial disclosure, is still being exploited in document-based attack chains.

CVE-2023-21529: Microsoft Exchange Server deserialisation of untrusted data (RCE). An Exchange vulnerability from 2023 that enables remote code execution. Exchange remains a high-value initial access target: internet-facing, credential-rich, and frequently behind on patches in organisations that treat it as a stable legacy system.

CVE-2023-36424: Windows Common Log File System Driver out-of-bounds read (privilege escalation). A 2023 privilege escalation in the Windows CLFS driver, patched in November 2023, still present in environments that have not maintained consistent monthly patching.

CVE-2025-60710: Windows link-following vulnerability (privilege escalation). Disclosed in November 2025 and patched the following month, this local privilege escalation lets a standard user reach SYSTEM by abusing file system link traversal. Its arrival on the KEV list less than six months after disclosure confirms rapid weaponisation.

CVE-2026-21643: Fortinet FortiClient EMS pre-authentication SQL injection (RCE). CVSS 9.8. Added the same day as Bishop Fox’s full technical disclosure. Affects EMS 7.4.4 and enables unauthenticated remote code execution.

CVE-2026-34621: Adobe Acrobat Reader prototype pollution (RCE). Exploited since November 2025 and patched on 13 April 2026, the same day as the KEV addition. Triggered via a crafted PDF with embedded JavaScript.

The Storm-1175 Pattern

Storm-1175 uses a layered approach: initial access through the Exchange deserialisation bug or the VBA insecure library loading flaw, privilege escalation through the CLFS out-of-bounds read or the Windows link-following bug, and lateral movement before dropping Medusa ransomware payloads. The group’s technique of weaponising patched-but-undeployed vulnerabilities targets a known weakness in enterprise patch management: critical patches are applied promptly, but non-critical patches from older cycles can linger for years.

What This Reveals About Patch Debt

The presence of 2012 and 2020 vulnerabilities on an active exploitation list in 2026 is a diagnostic result for vulnerability management programmes. It indicates one or more of:

  • Legacy systems excluded from standard patch management processes
  • Scope gaps: assets not enrolled in vulnerability scanners
  • Risk acceptance decisions made years ago for “low-severity” vulnerabilities that have since been weaponised
  • IT asset inventory failures: systems that are patched according to records but where the actual deployed configuration differs

A vulnerability management programme that prioritises CVSS severity at disclosure time, without revisiting old entries when exploitation evidence emerges, will consistently produce these gaps. For this update specifically:

  1. Search your patch database for all seven CVEs and confirm that they are remediated across your entire asset inventory, not just the assets enrolled in routine patching.
  2. Explicitly scan for CVE-2023-21529 on Exchange deployments. Internet-facing Exchange servers are consistently among the highest-value initial access targets and warrant quarterly manual patch verification regardless of what automated tooling reports.
  3. Treat KEV membership as a re-triage trigger, even for old CVEs. When CISA adds a 2012 or 2023 CVE to the KEV list, that is operational intelligence that it is being actively weaponised today. Re-validate remediation regardless of when it was originally patched.
  4. Review Windows CLFS patching status across server and endpoint fleets for CVE-2023-36424. The November 2023 patch cycle is far enough back that it may have been missed in estate segments with an inconsistent patching cadence.
  5. Disable VBA macros by policy in Microsoft 365 and Office deployments where they are not operationally required. This removes the most common delivery path for CVE-2012-1854 and related DLL hijacking attacks at the control layer, but it is a compensating control, not a substitute for confirming the patch is deployed.
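The re-triage logic behind steps 1 and 3 (and the "patch debt" diagnosis above) is easy to automate against the KEV feed. The following is an added example, not code from the article or from CISA: it takes a constructed excerpt in the shape of CISA's KEV JSON feed (the real feed's field names are used; the knownRansomwareCampaignUse values reflect this article's Storm-1175 attribution rather than CISA's data) and a constructed patch-database export, then flags every KEV CVE whose remediation is not actually verified on the host. The hostnames, the inventory record format, the state vocabulary (verified / recorded / accepted / open) and the P1/P2 rule are all assumptions made for the example. Note that CVE age and CVSS-at-disclosure are deliberately not inputs to the priority: a 2012 CVE on the KEV list is ranked exactly like a 2026 one.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names
# (cveID, vendorProject, product, dateAdded, knownRansomwareCampaignUse) match the
# real feed; entries mirror the seven CVEs above, but knownRansomwareCampaignUse is
# taken from this article's Storm-1175 attribution, not copied from CISA.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
     "dateAdded": "2026-04-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat and Reader",
     "dateAdded": "2026-04-13", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2026-04-13", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34621", "vendorProject": "Adobe", "product": "Acrobat Reader",
     "dateAdded": "2026-04-13", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed patch-database export (hypothetical hosts and record format).
# 'state' is what the patch DB says about each CVE on the host:
#   verified - remediation confirmed on the host itself (agent or credentialed scan)
#   recorded - marked patched in the DB but never confirmed on the host
#   accepted - risk accepted at the time as "low severity"
#   open     - known unpatched
# 'in_scope' is whether the asset is enrolled in routine patching and scanning.
INVENTORY = [
    {"host": "exch01", "internet_facing": True, "in_scope": True,
     "cves": {"CVE-2023-21529": {"state": "recorded"}}},
    {"host": "fs-legacy02", "internet_facing": False, "in_scope": False,
     "cves": {"CVE-2012-1854": {"state": "accepted", "decided": "2014-06-01"},
              "CVE-2023-36424": {"state": "open"}}},
    {"host": "wks-0451", "internet_facing": False, "in_scope": True,
     "cves": {"CVE-2025-60710": {"state": "verified"},
              "CVE-2020-9715": {"state": "accepted", "decided": "2020-09-10"}}},
    {"host": "ems01", "internet_facing": True, "in_scope": True,
     "cves": {"CVE-2026-21643": {"state": "open"}}},
]


def load_kev(feed_json):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def cve_year(cve_id):
    return int(cve_id.split("-")[1])


def priority(kev_entry, asset):
    """KEV membership alone makes a finding P2; known ransomware use or an
    internet-facing host makes it P1. CVE age and CVSS are intentionally ignored."""
    if kev_entry.get("knownRansomwareCampaignUse") == "Known" or asset["internet_facing"]:
        return "P1"
    return "P2"


def retriage(kev, inventory, today):
    """Return every (host, CVE) pair on the KEV list whose remediation is not
    verified on the host, with the reasons it needs attention, P1 first and
    oldest CVE first within a priority so patch debt is visible at the top."""
    findings = []
    for asset in inventory:
        for cve_id, record in asset["cves"].items():
            entry = kev.get(cve_id)
            if entry is None:
                continue  # not on KEV: ordinary CVSS-based triage applies
            if record["state"] == "verified":
                continue  # confirmed on the host; nothing to re-validate
            reasons = []
            if not asset["in_scope"]:
                reasons.append("scope gap: asset not enrolled in routine patching")
            if record["state"] == "recorded":
                reasons.append("patched per records only; verify on host")
            elif record["state"] == "accepted":
                reasons.append(f"risk accepted {record['decided']}; "
                               f"decision predates KEV addition {entry['dateAdded']}")
            elif record["state"] == "open":
                reasons.append("unpatched")
            findings.append({"host": asset["host"], "cve": cve_id,
                             "age_years": today.year - cve_year(cve_id),
                             "priority": priority(entry, asset), "reasons": reasons})
    rank = {"P1": 0, "P2": 1}
    return sorted(findings, key=lambda f: (rank[f["priority"]], -f["age_years"]))


def run_example():
    """Run the cross-check as of the KEV release date used in the sample."""
    return retriage(load_kev(KEV_FEED), INVENTORY, date(2026, 4, 13))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['priority']} {f['host']:<12} {f['cve']:<15} {f['age_years']:>2}y  {'; '.join(f['reasons'])}")
```

Against the sample, the oldest entry (CVE-2012-1854 on the out-of-scope file server, risk-accepted in 2014) lands at the top as P1, the Exchange host whose patch exists only in the records comes next, and the one verified-on-host entry (CVE-2025-60710) produces no finding at all. Swapping KEV_FEED for the live feed and INVENTORY for a real export is the only change needed to run this for an estate.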
