CISA adds exploited Microsoft Exchange and Windows CLFS flaws to KEV list
CISA has added two Microsoft vulnerabilities to its Known Exploited Vulnerabilities catalog and set an April 27, 2026 remediation deadline for federal agencies. The flaws are CVE-2023-21529, an Exchange Server remote code execution bug, and CVE-2023-36424, a Windows Common Log File System Driver elevation-of-privilege issue.

That matters because a KEV addition reflects confirmed real-world exploitation, not just theoretical risk. Both NVD records carry the CISA KEV annotation, which lists April 13, 2026 as the date added and directs agencies to apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

The Exchange bug, CVE-2023-21529, is the more dangerous entry from an initial-access standpoint. Microsoft classifies it as a deserialization of untrusted data vulnerability in Exchange Server with a CVSS 3.1 score of 8.8, and NVD describes it as a remote code execution issue reachable over the network by an authenticated user.

Exchange remains a prized target for access brokers and ransomware crews

Microsoft’s own threat intelligence adds context here. In an April 6, 2026 report on Storm-1175 and Medusa ransomware operations, Microsoft said the group has exploited vulnerable web-facing assets at high speed, sometimes moving from exploitation to ransomware deployment within 24 hours. The NVD entry for CVE-2023-21529 now links to that Microsoft report as a technical description tied to the KEV update.

The second KEV addition, CVE-2023-36424, affects Windows and specifically maps to the Windows Common Log File System Driver in Microsoft’s advisory data. Microsoft rates it 7.8 under CVSS 3.1, and NVD shows a local attack vector with low privileges required and no user interaction needed, which fits the profile of a post-compromise privilege-escalation bug.

Together, the pair fits a familiar and effective attack chain: Exchange offers a path to code execution on an exposed server, and a Windows kernel or driver bug then helps the attacker deepen control after landing on the host. The sources do not say the two flaws were used together in a single campaign; that chain is an inference from the vulnerability types and scoring data.

What each vulnerability does

| CVE | Product | Vulnerability type | Severity (CVSS 3.1) | Why it matters |
| CVE-2023-21529 | Microsoft Exchange Server | Deserialization of untrusted data / RCE | 8.8 High | Can give an authenticated attacker remote code execution on Exchange Server |
| CVE-2023-36424 | Windows CLFS Driver | Elevation of privilege via out-of-bounds read | 7.8 High | Can help a low-privileged local attacker gain broader system control |

Source data comes from NVD and Microsoft’s advisory feed.

What defenders should do now

  • Patch or mitigate CVE-2023-21529 on all affected Exchange Server deployments without delay.
  • Apply Microsoft’s fix for CVE-2023-36424 across supported Windows systems, especially on servers and high-value endpoints.
  • Treat Exchange as an exposed perimeter asset and review internet-facing access paths, published services, and stale accounts. This recommendation follows from Microsoft’s Storm-1175 report on rapid exploitation of vulnerable web-facing systems.
  • Hunt for signs of privilege escalation and unusual process activity on Windows hosts that may already have been compromised. This step follows from the CLFS flaw’s local privilege-escalation profile: it is useful only to an attacker who already has a foothold.
  • Federal agencies must meet CISA’s April 27, 2026 due date. Private organizations should apply the same urgency, because CISA added both flaws to KEV on the basis of active exploitation.
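The checklist above turns on the KEV due date, and CISA publishes the catalog as a JSON feed that is easy to reconcile against an asset inventory. The script below is an added example, not code from CISA, Microsoft, or VPNCentral: it parses a feed in the KEV JSON shape, keeps only entries whose vendor and product match a hypothetical inventory, and labels each as overdue, due soon, or scheduled relative to a chosen date. The feed body embedded here is constructed for the example (the two CVEs from this article plus one filler entry to show filtering); the `knownRansomwareCampaignUse` values and short descriptions in it are placeholders, not CISA’s actual text. The `fetch_kev_live` helper uses the real feed URL but is not called, so the block runs offline.

```python
import json
import urllib.request
from datetime import date

# Real feed location; only used by fetch_kev_live(), which this example does not call.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Entries due within this many days are flagged "DUE SOON" (assumed threshold).
DUE_SOON_DAYS = 7

# Constructed sample in the shape of the KEV feed. Dates and CVE IDs match the article;
# descriptions and ransomware flags are placeholders, not CISA's wording.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.04.13",
    "dateReleased": "2026-04-13T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-21529",
            "vendorProject": "Microsoft",
            "product": "Exchange Server",
            "vulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
            "dateAdded": "2026-04-13",
            "shortDescription": "Constructed placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                              "BOD 22-01 guidance for cloud services, or discontinue use of "
                              "the product if mitigations are unavailable.",
            "dueDate": "2026-04-27",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2023-36424",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows Common Log File System Driver "
                                 "Elevation of Privilege Vulnerability",
            "dateAdded": "2026-04-13",
            "shortDescription": "Constructed placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-04-27",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {   # Filler entry for a product not in the inventory; should be dropped by triage().
            "cveID": "CVE-0000-00000",
            "vendorProject": "Example Corp",
            "product": "Example Gateway",
            "vulnerabilityName": "Constructed filler entry",
            "dateAdded": "2026-03-01",
            "shortDescription": "Constructed placeholder description.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-15",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def fetch_kev_live(url=KEV_URL, timeout=30):
    """Download the live catalog body (not called in this offline example)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(text):
    """Parse a KEV feed body and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def matches_inventory(entry, inventory):
    """True if the entry's vendor/product matches a (vendor, product) pair in the inventory.
    Vendor must match exactly (case-insensitive); product is a case-insensitive substring
    match so an inventory item 'Exchange Server' also matches 'Exchange Server 2019'."""
    vendor = entry["vendorProject"].strip().lower()
    product = entry["product"].strip().lower()
    return any(v.lower() == vendor and p.lower() in product for v, p in inventory)


def triage(entries, inventory, today):
    """Return inventory-matching entries with an urgency label, most urgent first."""
    rows = []
    for e in entries:
        if not matches_inventory(e, inventory):
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= DUE_SOON_DAYS:
            status = "DUE SOON"
        else:
            status = "SCHEDULED"
        rows.append({
            "cveID": e["cveID"],
            "product": e["product"],
            "dateAdded": e["dateAdded"],
            "dueDate": e["dueDate"],
            "days_left": days_left,
            "status": status,
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
        })
    rows.sort(key=lambda r: (r["days_left"], r["cveID"]))
    return rows


if __name__ == "__main__":
    # Hypothetical inventory of what this organization runs.
    inventory = [("Microsoft", "Exchange Server"), ("Microsoft", "Windows")]
    for r in triage(load_kev(SAMPLE_KEV_JSON), inventory, date(2026, 4, 20)):
        print(f'{r["status"]:9} {r["cveID"]} due {r["dueDate"]} ({r["days_left"]:+d} d) {r["product"]}')
```

For live use, replace `SAMPLE_KEV_JSON` with the body returned by `fetch_kev_live()` and feed the inventory from a CMDB export; the matching is deliberately loose on product names because KEV uses short product labels such as "Windows" rather than per-version SKUs.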

FAQ

Are these vulnerabilities actively exploited?

Yes. CISA added both CVE-2023-21529 and CVE-2023-36424 to the KEV catalog on April 13, 2026, which means the agency considers them exploited in the wild.

Is the Exchange bug remote or local?

CVE-2023-21529 is a remote code execution vulnerability in Microsoft Exchange Server. NVD lists a network attack vector with low privileges required, so an attacker needs a valid account but not local access, and Microsoft assigns it a CVSS 3.1 score of 8.8.

Is the Windows flaw really a CLFS bug?

Yes. NVD labels CVE-2023-36424 as a Microsoft Windows out-of-bounds read vulnerability, while Microsoft’s advisory feed identifies it more specifically as a Windows Common Log File System Driver elevation-of-privilege flaw.

What is CISA telling agencies to do?

CISA says agencies should apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. The due date is April 27, 2026.
