securityaffairs.com 2/11/2026, 8:25:41 AM · via preferred

U.S. CISA adds Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The flaws listed are CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525 and CVE-2026-21533, with CVSS scores ranging from 6.5 to 8.8 and descriptions including a Windows SmartScreen and Shell prompt bypass, an Internet Explorer security control bypass, and a Windows Remote Desktop Services elevation of privilege, among others.

Microsoft noted three flaws were publicly disclosed, and the company credited Google Threat Intelligence Group, its internal security teams and an anonymous researcher for the discoveries. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address these vulnerabilities by their due date to protect networks against exploitation, and CISA orders federal agencies to fix the vulnerabilities by 3 March 2026.

This week’s Patch Tuesday updates fixed 58 new security flaws across Windows, Office and other components, with six of them actively exploited in the wild.

Article by CyberSIXT
