CISA Warns of Critical Microsoft Exchange and Windows CLFS Bugs Exploited in Attacks
Key Takeaways CISA has issued a critical warning regarding two actively exploited Microsoft vulnerabilities. The flaws affect Microsoft Exchange Server (remote code execution) and the Windows Common...
Key Takeaways
- CISA has issued a critical warning regarding two actively exploited Microsoft vulnerabilities.
- The flaws affect Microsoft Exchange Server (remote code execution) and the Windows Common Log File System (CLFS) Driver (privilege escalation).
- Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.
- Mandatory patches are required for federal agencies by April 27, 2026, with strong recommendations for all other organizations to apply fixes immediately.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a significant alert concerning two critical vulnerabilities within Microsoft products, both of which are currently being actively exploited by threat actors. These security flaws impact Microsoft Exchange Server and the Windows Common Log File System (CLFS) Driver, prompting their inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog on April 13, 2026.
Table Of Content
According to CISA’s latest intelligence, evidence suggests that these specific vulnerabilities are being leveraged in ongoing attack campaigns. While the direct link to active ransomware operations remains unconfirmed, the agency has mandated that all federal civilian executive branch (FCEB) agencies apply the necessary security patches by April 27, 2026, and has strongly urged private sector entities to follow suit without delay.
Exchange Server Remote Code Execution
The first vulnerability, identified as CVE-2023-21529, poses a severe remote code execution (RCE) risk to Microsoft Exchange Server. This flaw originates from a deserialization of untrusted data issue (CWE-502).
- Exploitation Mechanism: An authenticated attacker can exploit this weakness by manipulating how the Exchange server processes specific data, ultimately enabling them to execute arbitrary code remotely.
- Network Impact: Successful exploitation grants adversaries the ability to run malicious code on the compromised server, potentially leading to deep and persistent access within corporate networks.
- Threat Context: Exchange servers are high-value targets for cybercriminals due to their role in storing sensitive communications and acting as critical gateways to internal network environments. Consequently, patching CVE-2023-21529 should be treated as an immediate, top-priority task for all organizations.
Windows CLFS Privilege Escalation
The second critical vulnerability, tracked as CVE-2023-36424, is an out-of-bounds read flaw affecting the Microsoft Windows CLFS driver.
- Exploitation Mechanism: The CLFS driver fails to properly validate memory boundaries, allowing a local attacker to trigger the vulnerability.
- Network Impact: Threat actors can exploit this weakness to escalate their privileges, gaining administrative control over the affected system.
- Threat Context: Privilege escalation vulnerabilities are crucial components in sophisticated attack chains. Adversaries typically leverage them after initial system access, often achieved through tactics like phishing, to fully compromise a machine, disable security software, or deploy additional malicious payloads.
What You Should Do
CISA has issued explicit directives for federal agencies under Binding Operational Directive (BOD) 22-01, requiring immediate patching of these vulnerabilities. Private sector organizations are strongly encouraged to prioritize these fixes to safeguard their infrastructure from active threats.
- Apply all available security patches and mitigations for Microsoft Exchange Server (CVE-2023-21529) and the Windows CLFS Driver (CVE-2023-36424) as per Microsoft’s official vendor instructions.
- If affected systems are hosted via third-party cloud services, ensure compliance with applicable BOD 22-01 guidance.
- If patching is not feasible or alternative mitigations are unavailable, discontinue the use of the vulnerable products entirely.
- Maintain aggressive monitoring of Microsoft Exchange and Windows environments for any unusual or suspicious activity, as these known exploited vulnerabilities represent a significant and immediate threat to enterprise security.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.