CISA warns on Microsoft exploits
CISA issued a high-priority alert about two actively exploited Microsoft vulnerabilities, one in Exchange Server and one in the Windows Common Log File System (CLFS) driver. Both are being exploited in the wild, which translates into real operational exposure for the many organizations that still run broadly deployed on-premises Microsoft enterprise software. (gbhackers.com)
The Cybersecurity and Infrastructure Security Agency added two Microsoft flaws to its known-exploited list this week: one in Exchange Server and one in a core Windows logging component. (cisa.gov 1) (cisa.gov 2) On April 13, 2026, the agency added CVE-2023-21529, a Microsoft Exchange Server deserialization flaw, and CVE-2023-36424, a Microsoft Windows Common Log File System Driver out-of-bounds read flaw, to the Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch agencies now have until April 27, 2026, to remediate both entries under Binding Operational Directive 22-01. (cisa.gov 1) (cisa.gov 2)

The Known Exploited Vulnerabilities catalog is the federal government's running list of bugs that CISA says have been exploited in the wild. CISA says organizations should use the catalog to prioritize patching because it tracks vulnerabilities tied to observed attacker activity, not just theoretical risk. (cisa.gov 1) (cisa.gov 2)

Exchange Server is Microsoft's on-premises email software, still used in many corporate and government networks even as Microsoft pushes cloud email. A deserialization bug is a flaw in the way software rebuilds untrusted data into live objects, which is why attacker-controlled serialized input can end up driving code the developer never meant to expose. Microsoft's Exchange hardening guidance has focused on signing serialized PowerShell data in newer security updates, so that payloads which were not produced by the server itself are rejected before they are rebuilt. (learn.microsoft.com) (cisa.gov)

The Windows Common Log File System, or Common Log File System Driver, is a built-in kernel-mode driver (clfs.sys) that stores log records on behalf of the kernel and of other software. Microsoft said in August 2024 that Common Log File System had been hit by 24 Common Vulnerabilities and Exposures entries in five years, with 19 tied to logic bugs in how the driver validates data structures. (techcommunity.microsoft.com) Microsoft has already linked one later Common Log File System zero-day, CVE-2025-29824, to ransomware activity. In an April 8, 2025 post, Microsoft said attackers it tracks as Storm-2460 used the flaw after initial compromise to gain higher privileges and deploy PipeMagic malware and ransomware against a small number of targets. (microsoft.com)

CISA's catalog entry for CVE-2023-36424 says the flaw affects the Windows Common Log File System Driver and could let an attacker gain privileges. The same catalog says agencies should apply vendor mitigations, follow applicable cloud guidance where relevant, or discontinue use of the product if mitigations are unavailable. (cisa.gov)

The Exchange addition lands months after CISA issued Emergency Directive 25-02 on August 7, 2025 for a different Exchange weakness in hybrid deployments. In that directive, CISA said the flaw could let an attacker with administrative access on an on-premises Exchange server escalate into connected cloud environments, though the agency said at the time it was not aware of active exploitation. (cisa.gov) (cisa.gov)

For network defenders, the immediate change is the deadline: once a flaw enters the catalog, federal agencies have a fixed clock to patch or mitigate it. This week's additions put older Microsoft enterprise software back on that short list because CISA says attackers are already using the bugs. (cisa.gov) (cisa.gov)