Cybercriminals Exploit 4 Microsoft Vulnerabilities, Including Legacy Flaws

by Anika Shah - Technology

CISA Warns of Active Exploitation of Legacy Microsoft Vulnerabilities

Cybercriminals are currently targeting a range of Microsoft vulnerabilities, including some that were patched more than a decade ago. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added four specific flaws to its Known Exploited Vulnerabilities (KEV) catalog, signaling an urgent need for organizations to update their systems. This wave of attacks is partly driven by high-velocity ransomware operations that weaponize "N-day" vulnerabilities: flaws that are publicly known and for which a patch exists, but which remains unapplied on many systems.

The ‘Zombie’ Bugs: Four Critical Vulnerabilities Under Attack

CISA has given federal agencies a two-week window to patch four Microsoft vulnerabilities that are currently being exploited in the wild. These flaws range from recent bugs to “zombie” vulnerabilities that have existed for years. The targeted vulnerabilities include:

  • CVE-2025-60710: A link-following vulnerability in Windows that allows a local attacker to escalate privileges. Microsoft disclosed this bug in November 2025 and released a full fix a month later, yet it remains a target for attackers.
  • CVE-2023-36424: A flaw in the Windows Common Log File System (CLFS) Driver that enables local privilege escalation. This was patched in November 2023.
  • CVE-2023-21529: A deserialization of untrusted data issue in Microsoft Exchange Server. It allows an authenticated attacker to achieve remote code execution (RCE). Microsoft patched this flaw in February 2023.
  • CVE-2012-1854: An insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) that allows RCE, typically by convincing a user to open a legitimate file from an attacker-controlled location such as a network share that also holds a malicious library. This is the oldest of the group, with security fixes released in July and November 2012.

Storm-1175 and the Medusa Ransomware Threat

A significant driver behind these attacks is a China-based, financially motivated threat actor tracked by Microsoft as Storm-1175. This group is known for deploying Medusa ransomware payloads through high-tempo operations.

Storm-1175 specifically targets vulnerable, web-facing assets. According to reports, the group is exploiting the Microsoft Exchange bug (CVE-2023-21529) along with 15 other vulnerabilities to gain initial access to organizations. Once inside, the group steals sensitive data and deploys Medusa ransomware as part of extortion attacks.

The Strategy of N-Day Exploitation

Storm-1175 specializes in weaponizing N-day vulnerabilities. An N-day is a flaw that has been publicly disclosed and for which a patch exists, but which has not yet been applied by all affected organizations. The group operates in the window between a vulnerability's disclosure and widespread patch adoption, moving rapidly from initial access to data theft and ransomware deployment.

Key Takeaways for IT Administrators

The resurgence of a 14-year-old vulnerability highlights a critical gap in legacy system maintenance. To defend against groups like Storm-1175, organizations should prioritize the following:

  • Immediate Patching: Prioritize the four CVEs listed in the CISA KEV catalog, especially if running Microsoft Exchange Server or legacy VBA-enabled applications such as older Office deployments.
  • Secure Web-Facing Assets: Since Storm-1175 focuses on web-facing systems, ensure all perimeter devices and internet-exposed servers are updated and monitored for unusual activity.
  • Audit Legacy Software: Identify and update software that has not been patched in years, as attackers are actively revisiting old flaws to find unprotected targets.
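The three steps above amount to a triage loop: pull the KEV catalog, match it against what is actually installed, and sort by remediation deadline and age. The script below is an added example, not from the article or from CISA, showing that loop over a constructed sample in the layout of CISA's published catalog JSON (the `vulnerabilities[]` entries with `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields). The CVE IDs and products come from the article; the dates, ransomware flags and the asset inventory are placeholders chosen for the example, not values taken from CISA.

```python
"""Triage CISA KEV entries against a local asset inventory.

Added example for illustration; the sample catalog below is constructed
in the shape of CISA's known_exploited_vulnerabilities.json, with
placeholder dates and flags rather than CISA's real values.
"""
import json
from datetime import date

# Constructed sample catalog (not CISA data): four entries with a 14-day window.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "example",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-03-03", "dueDate": "2026-03-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-03-03", "dueDate": "2026-03-17", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-03-03", "dueDate": "2026-03-17", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
         "dateAdded": "2026-03-03", "dueDate": "2026-03-17", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory of (vendor, product) pairs as an asset system might export it.
SAMPLE_INVENTORY = [
    ("Microsoft", "Windows Server 2019"),
    ("Microsoft", "Microsoft Exchange Server 2019"),
]

# Age threshold for flagging "zombie" CVEs in the legacy-software audit.
LEGACY_YEARS = 10


def load_kev(text):
    """Parse catalog JSON and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def in_inventory(entry, inventory):
    """Case-insensitive match: same vendor, KEV product name contained in the inventory name.

    So "Exchange Server" matches "Microsoft Exchange Server 2019" but
    "Visual Basic for Applications" matches nothing in SAMPLE_INVENTORY.
    """
    vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
    return any(vendor == v.lower() and product in p.lower() for v, p in inventory)


def prioritize(entries, inventory, today_iso):
    """Rank KEV entries for remediation on a given day (ISO date string).

    Order: installed products first, then earliest due date (overdue entries
    have a negative days_until_due), then known ransomware use, then CVE ID.
    """
    today = date.fromisoformat(today_iso)
    ranked = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        cve_year = int(e["cveID"].split("-")[1])
        ranked.append({
            "cve": e["cveID"],
            "product": e["product"],
            "installed": in_inventory(e, inventory),
            "days_until_due": (due - today).days,
            "overdue": due < today,
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
            "age_years": today.year - cve_year,
            "legacy": today.year - cve_year >= LEGACY_YEARS,
        })
    ranked.sort(key=lambda r: (not r["installed"], r["days_until_due"], not r["ransomware"], r["cve"]))
    return ranked


def report(ranked):
    """Render one line per entry, suitable for a ticket or daily digest."""
    lines = []
    for r in ranked:
        status = "OVERDUE" if r["overdue"] else f"due in {r['days_until_due']}d"
        tags = [t for t, on in (("installed", r["installed"]), ("ransomware", r["ransomware"]),
                                ("legacy", r["legacy"])) if on]
        lines.append(f"{r['cve']:<15} {r['product']:<30} {status:<12} {' '.join(tags)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(prioritize(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, "2026-03-10")))
```

In production the catalog text would come from a download of CISA's JSON feed and the inventory from the asset or endpoint-management system; the ranking logic is what matters. Note that an entry not matching the inventory (here the VBA flaw) is ranked last, not dropped, since inventory data is rarely complete and a 14-year-old component may be present without being catalogued.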

Summary and Outlook

The current threat landscape demonstrates that no vulnerability is too old to be dangerous. The activities of Storm-1175 show that cybercriminals are increasingly efficient at finding unpatched systems and deploying ransomware such as Medusa. As attackers continue to speed up their operations, the window for defense is shrinking, making rapid patch management the most effective mitigation against these high-velocity campaigns.
