CISA Warns of Two Actively Exploited Microsoft Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has added two newly confirmed, actively exploited security flaws in Microsoft products to its Known Exploited Vulnerabilities (KEV) catalog, effective April 13, 2026. The vulnerabilities affect the Microsoft Windows Common Log File System (CLFS) driver and Microsoft Exchange Server — both critical components widely used across enterprise environments.
Federal agencies and private organizations are being urged to apply patches immediately. Attackers routinely target core Microsoft infrastructure as an entry point into corporate networks, making swift remediation essential.
Windows CLFS Privilege Escalation (CVE-2023-36424)
CVE-2023-36424 is an out-of-bounds read vulnerability in the Windows CLFS driver, classified under CWE-125. This type of flaw occurs when software reads data outside the boundaries of an intended memory buffer. In practice, a local attacker can exploit it to escalate their privileges on an already-compromised system.
The CLFS driver serves as a built-in logging subsystem that many Windows applications depend on, making it a prime target for attackers seeking to deepen their foothold. Privilege escalation bugs like this are particularly dangerous — once exploited, they allow threat actors to disable endpoint security tools, access sensitive data, and move laterally across a network. While no confirmed link to active ransomware campaigns has been established, this class of vulnerability is frequently incorporated into ransomware attack chains.
Exchange Server Remote Code Execution (CVE-2023-21529)
CVE-2023-21529 affects Microsoft Exchange Server and stems from the insecure deserialization of untrusted data — categorized under CWE-502. An authenticated attacker can exploit this flaw to achieve remote code execution (RCE), effectively giving them the ability to run arbitrary commands on the targeted server over the network.
Given that Exchange Servers handle sensitive email communications and integrate directly with Active Directory, an unpatched Exchange environment represents a high-value target. RCE vulnerabilities are among the most critical threats an organization can face. Although no ransomware group has been publicly confirmed as weaponizing this specific flaw, the risk of severe network compromise for organizations that delay patching remains extremely high.
What Organizations Need to Do
CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to remediate both vulnerabilities by April 27, 2026, in accordance with Binding Operational Directive (BOD) 22-01. Security professionals strongly recommend that private sector organizations adopt the same deadline.
System administrators should take the following steps without delay:
- Apply the latest Microsoft security updates for both Windows and Exchange Server.
- Review and follow the mitigations outlined in BOD 22-01 for any affected cloud-based services.
- Decommission or isolate vulnerable products entirely if vendor-supplied patches cannot be applied within the required timeframe.