U.S. CISA Adds Microsoft Office and Windows Flaws to its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken another step in protecting the nation's critical infrastructure from cyber threats by adding Microsoft Office and Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog.

This move is part of CISA's efforts to help federal agencies and private organizations prioritize vulnerability remediation and protect themselves against attacks exploiting known vulnerabilities. The Microsoft Office and Windows flaws now in the KEV catalog are listed below.

Recently Patched Flaws

In its Patch Tuesday security updates for February 2026, Microsoft fixed 58 new security flaws across various components, including Windows, Office, Azure, Edge, Exchange, Hyper-V, WSL, and others. Including fixes for third-party components, the total rises to 62 CVEs (Common Vulnerabilities and Exposures). Of these, six flaws are actively exploited in the wild and three are publicly known.

The following vulnerabilities were addressed by Microsoft and added to the KEV catalog:

  • CVE-2026-21510: A flaw described as "publicly disclosed" by Microsoft. The company credited Google Threat Intelligence Group, its internal security teams, and an anonymous researcher for discovering this vulnerability.
  • CVE-2026-21514: Another publicly disclosed flaw identified by Microsoft. The discovery is attributed to the combined efforts of Google Threat Intelligence Group and Microsoft's internal security teams.
  • CVE-2026-21513: A vulnerability that was also labeled as "publicly disclosed" by Microsoft. This flaw was reported jointly by Microsoft and Google Threat Intelligence Group.

Implications for Federal Agencies and Private Organizations

Pursuant to the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies are required to address these identified vulnerabilities by March 3rd, 2026, to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend that private organizations review the KEV catalog and take similar measures to protect their infrastructure. By addressing these vulnerabilities in a timely manner, both federal agencies and private organizations can significantly reduce their risk of being compromised by cyber threats.

Timeline for Remediation

CISA has set a deadline for federal agencies to address the identified vulnerabilities. All FCEB (Federal Civilian Executive Branch) agencies are required to remediate these flaws by March 3rd, 2026.
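As an added illustration, not code from the article or from CISA, the helper below cross-checks scanner findings for a few hosts against a KEV-shaped catalog and computes how many days remain before each entry's BOD 22-01 due date, so the overdue and soonest-due items surface first. The catalog records, product mappings and host inventory are constructed for the example; the field names follow the public KEV JSON feed schema as I know it, which is an assumption.

```python
"""Triage helper: which unpatched CVEs on our hosts are in KEV, and how many
days remain until the BOD 22-01 due date (negative = already overdue)."""
import json
from datetime import date

# CONSTRUCTED sample in the shape of the KEV feed's "vulnerabilities" array.
# Field names are assumed from the public feed; product mappings are placeholders.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-21510", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-21514", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-21513", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ]
})

# CONSTRUCTED asset inventory: hostname -> CVEs a scanner reported as unpatched.
INVENTORY = {
    "fileserver-01": ["CVE-2026-21514", "CVE-2026-21513"],
    "laptop-77": ["CVE-2026-21510"],
    "dbhost-02": ["CVE-2025-00001"],  # placeholder id, not in the KEV sample
}


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index catalog entries by CVE id for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def triage(inventory: dict[str, list[str]], kev: dict[str, dict],
           today_iso: str) -> list[tuple[str, str, int]]:
    """Return (host, cve, days_left) for every unpatched CVE that is in KEV,
    most urgent first. days_left < 0 means the due date has already passed."""
    today = date.fromisoformat(today_iso)
    hits = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still patch it, but no BOD 22-01 deadline
            due = date.fromisoformat(entry["dueDate"])
            hits.append((host, cve, (due - today).days))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    for host, cve, days in triage(INVENTORY, load_kev(KEV_SAMPLE), "2026-02-20"):
        print(f"{host:14} {cve}  due in {days:>3} days")
```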