Zombie Microsoft bugs rise from the dead, pave way for crims and ransomware scum
(2026/04/13)
- Reference: 1776116136
- News link: https://www.theregister.co.uk/2026/04/13/ransomware_gang_other_crims_attacking/
- Source link:
Crooks are exploiting four Microsoft vulnerabilities - one patched 14 years ago and another tied to ransomware activity - according to America's lead cyber-defense agency, which on Monday gave federal agencies two weeks to patch them.
The four vulnerabilities added to CISA's [1]Known Exploited Vulnerabilities (KEV) catalog on Monday are:
- [2]CVE-2025-60710, a link-following vulnerability in Windows that allows privilege escalation. After initially disclosing this bug in November 2025, [3]Redmond fully fixed it a month later.
- [5]CVE-2023-36424, a Windows Common Log File System Driver flaw that allows privilege escalation. [6]Microsoft patched this one in November 2023.
- [9]CVE-2023-21529, a deserialization of untrusted data issue in Microsoft Exchange Server that allows an authenticated attacker to achieve remote code execution (RCE). [10]Redmond disclosed and patched the bug in February 2023. Just last week, Microsoft's threat hunters warned that a financially motivated crime crew tracked as [11]Storm-1175 is exploiting this Exchange bug, plus 15 others, to gain initial access to organizations before ultimately stealing their data and [12]deploying Medusa ransomware in extortion attacks.
- [13]CVE-2012-1854, an insecure library loading vulnerability in Microsoft Visual Basic for Applications that allows RCE. Microsoft pushed a security fix for this one in July 2012, and then a second software update in November 2012 that fully patched the flaw. At the time, Redmond said it was "[14]aware of limited, targeted attacks attempting to exploit the vulnerability." This means a flaw first exploited almost 14 years ago is still turning up in active attacks today.
We've reached out to Microsoft for more details about the scope of exploitation, and who is attacking these four CVEs, and will update this story if we receive any response to our inquiries.
CISA lists ransomware use for all four as "unknown," although according to Redmond, at least one of them (CVE-2023-21529) has been abused for this type of attack.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," [20]CISA warned in adding the bugs to its catalog, and set an April 27 deadline for all federal agencies to apply patches.
Also on Monday, CISA added two Adobe bugs, a use-after-free vuln in Acrobat tracked as [21]CVE-2020-9715, and a prototype pollution flaw tracked as [22]CVE-2026-34621 that affected both Adobe Acrobat and Reader, to the KEV. The latter had been exploited as a zero-day [23]for months, and [24]Adobe finally released a patch over the weekend. ®
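For a defender, the practical question behind a KEV addition like this is "which of these entries touch software we run, and how many days are left before the due date?" The script below is an added example written for this page, not code from The Register, CISA or Microsoft. It parses a constructed sample in the shape of CISA's KEV JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are assumed from the public feed; the CVE ids, products, the 2026-04-13 addition date and the April 27 due date are those reported above, and the final entry is an obvious placeholder that exercises the overdue path), matches entries against a constructed asset inventory, and lets a local vendor report override the catalog's "Unknown" ransomware flag, as the article notes Microsoft's Storm-1175 report does for CVE-2023-21529.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names are assumed
# from the public feed; the CVE ids, products and dates are the ones the article
# reports, and the last entry is a labelled placeholder used to show the overdue
# path. Nothing here is copied from the live catalog.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Link Following Vulnerability",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
     "vulnerabilityName": "Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry to exercise the overdue path",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-15",
     "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Constructed asset inventory: (vendor, product) pairs this team knows it runs.
# VBA is deliberately absent so the example shows an entry being filtered out.
INVENTORY = {
    ("microsoft", "windows"),
    ("microsoft", "exchange server"),
    ("examplevendor", "exampleproduct"),
}

# Local knowledge that overrides the catalog's ransomware flag where a vendor
# report says otherwise (the article cites Microsoft's report on CVE-2023-21529).
LOCAL_RANSOMWARE_OVERRIDES = {"CVE-2023-21529": "Known (vendor report)"}


def parse_kev(text):
    """Parse a KEV-format feed and return its entries with ISO dates as date objects."""
    doc = json.loads(text)
    entries = []
    for v in doc["vulnerabilities"]:
        e = dict(v)
        e["dateAdded"] = date.fromisoformat(v["dateAdded"])
        e["dueDate"] = date.fromisoformat(v["dueDate"])
        entries.append(e)
    return entries


def added_on(entries, day):
    """Entries the catalog picked up on a given day (e.g. Monday's batch)."""
    return [e for e in entries if e["dateAdded"] == day]


def triage(entries, inventory, today):
    """Match entries against the inventory and classify each by remaining time.

    Returns a list of findings sorted so overdue items come first, then by days left.
    """
    findings = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key not in inventory:
            continue  # not in our estate; nothing to patch
        days_left = (e["dueDate"] - today).days
        findings.append({
            "cve": e["cveID"],
            "product": e["product"],
            "days_left": days_left,
            "status": "overdue" if days_left < 0 else "open",
            "ransomware": LOCAL_RANSOMWARE_OVERRIDES.get(
                e["cveID"], e["knownRansomwareCampaignUse"]),
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_KEV_JSON)
    batch = added_on(entries, date(2026, 4, 13))
    print(f"{len(batch)} entries added on 2026-04-13")
    for f in triage(entries, INVENTORY, date(2026, 4, 14)):
        print(f"{f['status']:8} {f['cve']:22} {f['product']:20} "
              f"due in {f['days_left']:>4} d  ransomware={f['ransomware']}")
```

To run it against the real catalog, replace SAMPLE_KEV_JSON with the body fetched from CISA's published feed and INVENTORY with your asset list; the matching here is an exact vendor/product string comparison, so in practice you will want a mapping table from the catalog's product names to your CMDB's names rather than relying on them agreeing.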
[1] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[2] https://www.cve.org/CVERecord?id=CVE-2025-60710
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60710
[5] https://www.cve.org/CVERecord?id=CVE-2023-36424
[6] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36424
[9] https://www.cve.org/CVERecord?id=CVE-2023-21529
[10] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
[11] https://www.theregister.com/2025/10/06/microsoft_blames_medusa_ransomware_affiliates/
[12] https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
[13] https://www.cve.org/CVERecord?id=CVE-2012-1854
[14] https://learn.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-046
[20] https://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalog
[21] https://www.cve.org/CVERecord?id=CVE-2020-9715
[22] https://www.cve.org/CVERecord?id=CVE-2026-34621
[23] https://www.theregister.com/2026/04/09/monthsold_adobe_reader_zeroday_uses/
[24] https://www.theregister.com/2026/04/13/adobe_reader_zeroday/