Zombie Microsoft bugs rise from the dead, pave way for crims and ransomware scum

What happened
It has been reported that America's cyber-defence agency, CISA, added four Microsoft bugs to its Known Exploited Vulnerabilities catalog after evidence surfaced that attackers are using them in the wild. The four are CVE-2025-60710 (Windows link-following privilege escalation, disclosed Nov 2025 and fixed a month later), CVE-2023-36424 (Windows CLFS privilege escalation, patched Nov 2023), CVE-2023-21529 (Microsoft Exchange deserialization RCE, patched Feb 2023 and recently tied to Storm-1175 and Medusa ransomware activity by Microsoft), and the shocker: CVE-2012-1854 (VBA insecure library loading RCE), first patched in 2012 — yes, 14 years ago. How does a 2012 bug keep walking? Apparently quite well, thank you.
Why it matters
These flaws aren’t theoretical. Microsoft said one of the Exchange bugs is already being abused by a financially motivated crew, and CISA warned the quartet are frequent attack vectors for malicious actors. CISA added the bugs to the KEV and set a two‑week deadline — federal agencies must patch by April 27. It has been reported that ransomware involvement for the other three is “unknown,” although the overlap with initial-access campaigns and old, widely deployed code makes the risk obvious: attackers love low-hanging fruit.
The wider picture and what to do
CISA also added two Adobe flaws — CVE-2020-9715 and CVE-2026-34621, the latter an exploited zero-day that Adobe patched over the weekend — underscoring a grim trend: legacy code and long-unpatched components keep turning up in modern attacks. The emotional punch? Frustration. We keep fixing things, yet the same ghosts keep coming back. Patch promptly, audit for legacy runtimes, and don’t treat “old” as safe. Otherwise, expect more sequels to this undead saga.
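One concrete way to act on "patch promptly" is to triage the KEV feed itself rather than waiting for a ticket. The script below is an added example written for this page, not code from The Register or CISA: it parses a snapshot in the shape of CISA's public KEV JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the feed's real ones), classifies each entry against the due date, and computes a "zombie age" (years between the CVE's year and the date CISA added it) so that 14-year-old entries like CVE-2012-1854 float to the top. The sample entries are constructed from the details in this article (the two-week deadline ending April 27, the Exchange bug's ransomware link); the Adobe product name and the exact dateAdded are assumptions, and a real run would load the live feed instead of the embedded string.

```python
"""Triage a CISA KEV catalog snapshot: deadline urgency plus 'zombie age'.

Added example for this page. Field names follow the public KEV JSON feed;
the entries below are CONSTRUCTED from the article, not a live download.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed sample. dateAdded is assumed to be two weeks before the
# April 27 deadline quoted in the article; the Adobe product is a placeholder.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft",
     "product": "Visual Basic for Applications",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-9715", "vendorProject": "Adobe",
     "product": "PLACEHOLDER-product-not-named-in-article",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""


def load_kev(text: str) -> list[dict]:
    """Parse a KEV feed document and return its 'vulnerabilities' list."""
    return json.loads(text)["vulnerabilities"]


def cve_year(cve_id: str) -> int:
    """Year component of a CVE identifier (CVE-YYYY-NNNN...)."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    return int(parts[1])


def triage(entries: list[dict], today: date, soon_days: int = 7,
           vendor: str | None = None) -> list[dict]:
    """Classify each KEV entry by deadline and compute its zombie age.

    status: 'overdue' (past dueDate), 'due_soon' (within soon_days), or
    'scheduled'. zombie_age_years = dateAdded year minus the CVE's year.
    Rows come back most urgent first: overdue, then ransomware-linked,
    then the oldest CVE.
    """
    rows = []
    for e in entries:
        if vendor and e["vendorProject"].lower() != vendor.lower():
            continue
        due = date.fromisoformat(e["dueDate"])
        added = date.fromisoformat(e["dateAdded"])
        days_left = (due - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= soon_days:
            status = "due_soon"
        else:
            status = "scheduled"
        rows.append({
            "cve": e["cveID"],
            "product": e["product"],
            "status": status,
            "days_left": days_left,
            "zombie_age_years": added.year - cve_year(e["cveID"]),
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown") == "Known",
        })
    order = {"overdue": 0, "due_soon": 1, "scheduled": 2}
    rows.sort(key=lambda r: (order[r["status"]], not r["ransomware"],
                             -r["zombie_age_years"]))
    return rows


def zombies(rows: list[dict], min_age_years: int = 5) -> list[dict]:
    """Entries whose CVE is at least min_age_years older than its KEV listing."""
    return [r for r in rows if r["zombie_age_years"] >= min_age_years]


if __name__ == "__main__":
    report = triage(load_kev(SAMPLE_KEV_JSON), date(2026, 4, 20))
    for r in report:
        print(f"{r['status']:9} {r['days_left']:3}d  {r['cve']:15} "
              f"age={r['zombie_age_years']:2}y ransomware={r['ransomware']}  {r['product']}")
    print("legacy-code candidates:", [r["cve"] for r in zombies(report)])
```

Pointing `load_kev` at the live feed (the same JSON structure) turns this into a daily check; the `zombies` list is the "audit for legacy runtimes" cue, since an entry whose CVE predates its KEV listing by a decade is exploitable only where that decade-old component is still installed.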
Sources: The Register