Vypr Intelligence · AI-generated · May 20, 2026 · 6 CVEs

Microsoft: 6 Actively-Exploited Flaws Added to CISA KEV

Microsoft had six vulnerabilities spanning from 2008 to 2026 added to CISA's Known Exploited Vulnerabilities catalog on May 20, 2026, all confirmed under active exploitation in the wild.

Key findings

  • Six Microsoft vulnerabilities added to CISA KEV on May 20, 2026, all confirmed under active exploitation.
  • Batch spans four legacy flaws from 2008–2010 and two newly disclosed CVEs from 2026.
  • CVE-2008-4250 (MS08-067) is the Conficker worm flaw; CVE-2010-0249 was used in Operation Aurora.
  • No ransomware association flagged for any of the six CVEs in the KEV entry.
  • Federal remediation deadline under BOD 22-01 is June 10, 2026 — three weeks from add-date.

The U.S. Cybersecurity and Infrastructure Security Agency added six Microsoft vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026, confirming that all six are being actively exploited in the wild. The batch is notable for its unusual timespan: four of the flaws date back to 2008–2010, while two are newly disclosed vulnerabilities from 2026, illustrating how threat actors continue to target both decades-old and freshly surfaced weaknesses in Microsoft products.

The legacy CVEs in this batch are among the most historically significant Windows vulnerabilities ever catalogued:

  • **CVE-2008-4250 (MS08-067)** — A remote code execution flaw in the Windows Server service, infamously exploited by the Conficker worm to propagate across millions of unpatched systems worldwide.
  • **CVE-2009-1537** — A remote code execution vulnerability in Microsoft DirectShow's handling of QuickTime media files, triggered when a user opens a specially crafted file.
  • **CVE-2010-0249** — A memory corruption vulnerability in Internet Explorer that allows remote code execution via a malicious web page; this flaw was notably chained in the Operation Aurora intrusions.
  • **CVE-2010-0806** — Another Internet Explorer remote code execution vulnerability stemming from improper handling of objects in memory, enabling attackers to gain the same privileges as the logged-on user.

The two 2026-era CVEs — CVE-2026-41091 and CVE-2026-45498 — are newly catalogued Windows vulnerabilities now confirmed under active exploitation. Their addition alongside legacy flaws suggests defenders face a broad threat surface where both unpatched old systems and newly discovered weaknesses are under simultaneous attack.

None of the six vulnerabilities are flagged in the KEV catalog as associated with ransomware campaigns. However, their confirmed active exploitation status means they are being used in real-world attacks, and organizations should treat them with the same urgency as ransomware-linked entries.

Under Binding Operational Directive 22-01, U.S. federal civilian executive branch agencies must remediate these vulnerabilities within three weeks of the KEV add-date — by June 10, 2026. CISA strongly recommends that all organizations, regardless of sector, apply available Microsoft patches immediately, prioritize these CVEs in vulnerability management programs, and verify that legacy systems running older Windows versions are either patched or isolated from internet-facing exposure.
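The triage the article describes (select a vendor's entries for one KEV add-date, check the due date against the three-week BOD 22-01 window, separate legacy from newly disclosed CVEs, and surface the ransomware flag) as an added Python example that is not part of the original article or CISA's tooling. The records are a constructed sample shaped like the `vulnerabilities` array of CISA's KEV JSON feed, with values taken from the article; the `ExampleVendor` decoy and its placeholder CVE ID are made up to exercise the filter.

```python
"""Triage CISA KEV entries for one add-date against the BOD 22-01 window."""
from datetime import date, timedelta

# Constructed sample shaped like the "vulnerabilities" array of CISA's KEV JSON
# feed (field names are the feed's; values come from the article above).
KEV_SAMPLE = [
    {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "dateAdded": "2026-05-20",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "dateAdded": "2026-05-20",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2010-0249", "vendorProject": "Microsoft", "dateAdded": "2026-05-20",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "dateAdded": "2026-05-20",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "dateAdded": "2026-05-20",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "dateAdded": "2026-05-20",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    # Decoy with a placeholder ID (not a real CVE) so the vendor filter has work to do.
    {"cveID": "CVE-YYYY-NNNNN", "vendorProject": "ExampleVendor", "dateAdded": "2026-05-20",
     "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
]

BOD_22_01_WINDOW = timedelta(days=21)  # the three-week deadline the article cites


def cve_year(cve_id: str) -> int:
    """Year component of a CVE ID, e.g. CVE-2008-4250 -> 2008."""
    return int(cve_id.split("-")[1])


def triage(entries, vendor: str, added_on: str, today: str):
    """Select `vendor` entries added on `added_on` and annotate them for a
    patch-priority queue: legacy vs. new CVE, ransomware flag, days left."""
    now = date.fromisoformat(today)
    rows = []
    for e in entries:
        if e["vendorProject"] != vendor or e["dateAdded"] != added_on:
            continue
        added = date.fromisoformat(e["dateAdded"])
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "legacy": cve_year(e["cveID"]) < added.year,  # heuristic: disclosed before add-year
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
            "days_left": (due - now).days,
            "within_bod_window": due - added <= BOD_22_01_WINDOW,
        })
    # Ransomware-linked entries first, then the tightest deadline, then ID.
    rows.sort(key=lambda r: (not r["ransomware"], r["days_left"], r["cveID"]))
    return rows
```

Pointing `entries` at the real feed's `vulnerabilities` array instead of `KEV_SAMPLE` gives the same queue for any vendor and add-date.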

AI-written article. Grounded in 6 CVE records listed below.