Vypr · Tag: kev · Published May 20, 2026 · Updated Jun 1, 2026 · 1 source

CISA Adds Six Microsoft Flaws to KEV Catalog, Spanning Conficker Worm to 2026 Zero-Days

CISA added six Microsoft vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026, including the Conficker worm flaw and two newly disclosed 2026 CVEs, all confirmed under active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency added six Microsoft vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026, confirming that all six are being actively exploited in the wild. The batch is notable for its unusual timespan: four of the flaws date back to 2008–2010, while two are newly disclosed vulnerabilities from 2026, illustrating how threat actors continue to target both decades-old and freshly surfaced weaknesses in Microsoft products.

The legacy CVEs in this batch are among the most historically significant Windows vulnerabilities ever catalogued. CVE-2008-4250 (MS08-067) is a remote code execution flaw in the Windows Server service, infamously exploited by the Conficker worm to propagate across millions of unpatched systems worldwide. CVE-2009-1537 is a remote code execution vulnerability in Microsoft DirectShow's handling of QuickTime media files, triggered when a user opens a specially crafted file. CVE-2010-0249 is a memory corruption vulnerability in Internet Explorer that allows remote code execution via a malicious web page; this flaw was notably chained in the Operation Aurora intrusions. CVE-2010-0806 is another Internet Explorer remote code execution vulnerability stemming from improper handling of objects in memory, enabling attackers to gain the same privileges as the logged-on user.

The two 2026-era CVEs — CVE-2026-41091 and CVE-2026-45498 — are newly catalogued Windows vulnerabilities now confirmed under active exploitation. Their addition alongside legacy flaws suggests defenders face a broad threat surface where both unpatched old systems and newly discovered weaknesses are under simultaneous attack.

None of the six vulnerabilities are flagged in the KEV catalog as associated with ransomware campaigns. However, their confirmed active exploitation status means they are being used in real-world attacks, and organizations should treat them with the same urgency as ransomware-linked entries.

Under Binding Operational Directive 22-01, U.S. federal civilian executive branch agencies must remediate these vulnerabilities within three weeks of the KEV add-date — by June 10, 2026. CISA strongly recommends that all organizations, regardless of sector, apply available Microsoft patches immediately, prioritize these CVEs in vulnerability management programs, and verify that legacy systems running older Windows versions are either patched or isolated from internet-facing exposure.
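The prioritisation step above (match KEV entries against what a scanner reports as unpatched, then work the shortest deadlines first) is easy to automate. The script below is an added example, not code from the article or from CISA: its catalog records use the field names of CISA's public KEV JSON feed, but every value is typed in for illustration, and the host names, scanner output and the non-KEV identifier CVE-2025-00001 are constructed placeholders.

```python
"""Match scanner findings against a KEV-style catalog and rank them by BOD 22-01 deadline.

Added example (not from the article or CISA). The catalog records below use the
field names of CISA's public KEV JSON feed, but every value is typed in here for
illustration; the asset inventory and scanner output are likewise constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed catalog: the six CVEs the article names, added 2026-05-20, due 2026-06-10.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": c, "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10",
     "knownRansomwareCampaignUse": "Unknown"}
    for c in ("CVE-2008-4250", "CVE-2009-1537", "CVE-2010-0249",
              "CVE-2010-0806", "CVE-2026-41091", "CVE-2026-45498")
]})

# Constructed scanner output: host -> CVEs reported unpatched. Host names and the
# non-KEV identifier CVE-2025-00001 are placeholders, not real findings.
SCAN_RESULTS = {
    "dc01.example.internal": ["CVE-2008-4250", "CVE-2025-00001"],
    "ws-legacy-07.example.internal": ["CVE-2010-0249", "CVE-2010-0806"],
    "web-edge-02.example.internal": ["CVE-2026-41091"],
    "build-12.example.internal": ["CVE-2025-00001"],
}

BOD_22_01_WINDOW = timedelta(days=21)  # three weeks from the add-date, as the article states


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    date_added: date
    due_date: date
    ransomware: bool


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due_date: date
    days_remaining: int  # negative once the deadline has passed
    ransomware: bool


def load_kev(text: str) -> dict[str, KevEntry]:
    """Parse a KEV-format JSON document into a lookup keyed by CVE id."""
    out: dict[str, KevEntry] = {}
    for v in json.loads(text)["vulnerabilities"]:
        out[v["cveID"]] = KevEntry(
            cve_id=v["cveID"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            ransomware=v.get("knownRansomwareCampaignUse", "Unknown") == "Known",
        )
    return out


def expected_due(entry: KevEntry) -> date:
    """Deadline implied by the three-week window; compare against the feed's own dueDate."""
    return entry.date_added + BOD_22_01_WINDOW


def prioritize(scan: dict[str, list[str]], kev: dict[str, KevEntry], today: date) -> list[Finding]:
    """Keep only KEV-listed findings, most urgent first (least time left, ransomware-linked ahead)."""
    findings: list[Finding] = []
    for host, cves in scan.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still a finding, but outside this prioritisation
            findings.append(Finding(host, cve, entry.due_date,
                                    (entry.due_date - today).days, entry.ransomware))
    return sorted(findings, key=lambda f: (f.days_remaining, not f.ransomware, f.host))


def overdue(findings: list[Finding]) -> list[Finding]:
    """Findings whose BOD 22-01 deadline has already passed."""
    return [f for f in findings if f.days_remaining < 0]


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    for f in prioritize(SCAN_RESULTS, catalog, date(2026, 6, 1)):
        print(f"{f.host:32} {f.cve_id:16} due {f.due_date}  {f.days_remaining:+d} days")
```

Run against the live feed by replacing `KEV_JSON` with the downloaded catalog text and `SCAN_RESULTS` with your scanner's export; `expected_due` is a sanity check that the feed's `dueDate` matches the add-date plus three weeks, and `overdue` is the list to escalate once the window has closed.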

Synthesized by Vypr AI