CISA has added six exploited zero days affecting Microsoft products to its Known Exploited Vulnerabilities catalog, confirming that attackers are actively abusing these flaws in real-world attacks. The move signals immediate risk for organizations that have not yet applied February’s security updates.

When CISA places vulnerabilities in the KEV catalog, it does so based on confirmed exploitation. This designation elevates the urgency beyond routine patching cycles. Federal agencies must remediate within strict deadlines, and private-sector defenders typically follow the same prioritization model.

What the Zero Days Affect

The six vulnerabilities impact core Microsoft components, including Windows subsystems and Microsoft Office. Several of the flaws allow attackers to bypass security protections designed to prevent malicious code execution. Others enable privilege escalation, giving threat actors deeper access once they gain an initial foothold.

Security feature bypass vulnerabilities are particularly dangerous. They do not always deliver full remote code execution on their own, but they weaken built-in defenses that normally block malicious files or suspicious activity. Attackers often chain these flaws with phishing campaigns or document-based exploits to increase success rates.

Privilege escalation flaws pose another serious concern. If an attacker compromises a standard user account, these vulnerabilities can elevate access to system-level permissions. That escalation opens the door to credential theft, lateral movement, and long-term persistence inside enterprise environments.

Why Active Exploitation Changes the Risk Level

Zero days already carry high risk because vendors have little or no time to prepare before disclosure. When exploitation is confirmed, the threat becomes immediate rather than theoretical. Organizations running unpatched systems face elevated exposure, especially if endpoints interact with external content such as email attachments or web downloads.

Attackers move quickly after disclosure. Some groups begin scanning for vulnerable systems within hours of patch release. Others target high-value organizations that delay updates due to operational constraints. The addition of these vulnerabilities to the KEV catalog confirms that malicious actors are already leveraging them in active campaigns.

Patch Tuesday in Context

The six exploited zero days formed part of Microsoft’s broader February Patch Tuesday release, which addressed dozens of additional security flaws across its ecosystem. While many vulnerabilities require specific conditions to exploit, zero days with confirmed activity demand immediate attention.

This trend also reflects a broader pattern. Over the past year, multiple Patch Tuesday cycles have included vulnerabilities that attackers exploited before or shortly after public disclosure. Threat actors increasingly monitor update releases to reverse-engineer patches and weaponize newly revealed weaknesses.

What Security Teams Should Do Now

Organizations should prioritize patch deployment for affected Windows and Office systems. Asset visibility remains critical. Security teams must identify exposed endpoints quickly and verify that updates apply successfully across all environments.
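One concrete way to turn the KEV listing into a prioritized work queue is to match the catalog against an asset inventory and sort by CISA's remediation due date. The script below is an added example written for this article, not code from CISA or Microsoft. It parses the same JSON layout the public KEV feed uses (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields) but runs offline on constructed records: the CVE ids, hosts and dates are placeholders, not the six real entries discussed above, and the inventory format (which products a host runs and which CVEs its patch verification has confirmed) is an assumption of the example.

```python
"""Triage a host inventory against CISA KEV entries (added example)."""
import json
from datetime import date

# The live catalog is published at this URL; the example embeds sample data
# in the same layout so it runs without network access.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed KEV-style records. The CVE ids are placeholders, not real CVEs.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Placeholder Windows privilege escalation",
         "dateAdded": "2025-02-11", "dueDate": "2025-03-04",
         "requiredAction": "Apply vendor updates.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Microsoft", "product": "Office",
         "vulnerabilityName": "Placeholder Office security feature bypass",
         "dateAdded": "2025-01-28", "dueDate": "2025-02-18",
         "requiredAction": "Apply vendor updates.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "Router",
         "vulnerabilityName": "Placeholder router flaw (non-Microsoft)",
         "dateAdded": "2025-02-17", "dueDate": "2025-03-10",
         "requiredAction": "Apply vendor updates.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory (assumed format): products per host and the CVE ids
# whose fix the patch-verification step has already confirmed on that host.
SAMPLE_INVENTORY = [
    {"host": "ws-finance-01", "products": {"Windows", "Office"}, "remediated": set()},
    {"host": "ws-hr-07", "products": {"Windows", "Office"}, "remediated": {"CVE-0000-00001"}},
    {"host": "srv-file-02", "products": {"Windows"}, "remediated": {"CVE-0000-00001"}},
    {"host": "edge-rtr-01", "products": {"Router"}, "remediated": set()},
]


def kev_entries(catalog_json, vendor=None):
    """Parse a KEV catalog document; optionally keep one vendorProject only."""
    entries = json.loads(catalog_json)["vulnerabilities"]
    if vendor:
        entries = [e for e in entries if e["vendorProject"] == vendor]
    return entries


def outstanding(catalog_json, inventory, today_iso, vendor=None):
    """One row per (host, KEV entry) still unremediated, earliest due date first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in kev_entries(catalog_json, vendor):
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for host in inventory:
            # Skip hosts that do not run the affected product or are already fixed.
            if entry["product"] not in host["products"]:
                continue
            if entry["cveID"] in host["remediated"]:
                continue
            rows.append({
                "host": host["host"],
                "cveID": entry["cveID"],
                "product": entry["product"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    # Most urgent first; host and CVE as tie-breakers so output is stable.
    rows.sort(key=lambda r: (r["dueDate"], r["host"], r["cveID"]))
    return rows


if __name__ == "__main__":
    for r in outstanding(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2025-02-20", vendor="Microsoft"):
        state = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['host']:14} {r['cveID']:16} {r['product']:8} due {r['dueDate']} ({state})")
```

Swapping `SAMPLE_KEV_JSON` for the body fetched from `KEV_FEED_URL` and the sample inventory for a CMDB export gives a daily report; the `ransomware_use` column carries the catalog's own flag for entries tied to ransomware campaigns, which many teams treat as a further tie-breaker when two due dates coincide.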

Network monitoring tools can help detect signs of exploitation, including unusual privilege changes or suspicious process activity. Even after patching, defenders should review logs for indicators of compromise in case attackers exploited systems before remediation.
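The "suspicious process activity" the article has in mind for document-based exploits typically shows up in process-creation telemetry as an Office application spawning a command interpreter or script host. The rule below is an added example for this article, not a vendor's detection content; it runs over constructed process-creation records (fields simplified from Windows Security event 4688) and flags that parent-child pattern while letting ordinary Office helper processes through. The host names, users and paths are constructed sample data.

```python
"""Flag Office applications spawning shells or script hosts (added example)."""
import ntpath

# Office executables that commonly open attacker-supplied documents.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and script hosts that a document viewer has no routine reason to launch.
SCRIPT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample of process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-02-20T09:12:01Z", "host": "ws-finance-01", "user": "jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ts": "2025-02-20T09:12:44Z", "host": "ws-finance-01", "user": "jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-02-20T09:13:10Z", "host": "ws-finance-01", "user": "jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},          # print helper, benign
    {"ts": "2025-02-20T10:02:33Z", "host": "ws-hr-07", "user": "asmith",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2025-02-20T10:05:00Z", "host": "srv-file-02", "user": "svc-backup",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def _exe_name(path):
    """Lower-cased file name from a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def office_spawns_shell(event):
    """True when an Office parent launched a shell or script host."""
    return (_exe_name(event["parent"]) in OFFICE_PARENTS
            and _exe_name(event["image"]) in SCRIPT_CHILDREN)


def find_suspicious_spawns(events):
    """Return a compact alert record for every matching event, in input order."""
    return [
        {"ts": e["ts"], "host": e["host"], "user": e["user"],
         "parent": _exe_name(e["parent"]), "child": _exe_name(e["image"])}
        for e in events if office_spawns_shell(e)
    ]


if __name__ == "__main__":
    for alert in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} {alert['user']}: "
              f"{alert['parent']} -> {alert['child']}")
```

Because Office applications do legitimately start a few helper processes (the print spooler bridge in the sample is one), the rule keys on a short allow-list of interpreters rather than alerting on every child process, which keeps the signal useful during the window between disclosure and patch verification.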

Strong patch management processes reduce exposure windows. Automated update pipelines and staged rollouts can prevent delays that attackers often exploit.

Conclusion

The inclusion of six exploited zero days in CISA’s KEV catalog sends a clear message: attackers are actively targeting Microsoft environments right now. Organizations that delay patching increase their risk of compromise, privilege escalation, and long-term intrusion. Rapid remediation, strong monitoring, and disciplined vulnerability management remain essential defenses against this accelerating threat landscape.
