Microsoft’s Four Legacy Bugs Fuel Ransomware and Crime Surge, Experts Warn
Four legacy Microsoft bugs, one of them first patched nearly 14 years ago, are now fuelling a ransomware surge, CISA warns, prompting a two-week patch deadline for federal agencies, The Register reports.
Key Facts
- Key company: Microsoft
The latest CISA alert underscores how legacy code can become a strategic asset for cyber-criminals: four Microsoft flaws, three patched within roughly the past three years and one dating back to 2012, have been added to the agency's Known Exploited Vulnerabilities (KEV) catalog. According to The Register, the agency gave federal entities a two-week deadline of April 27 to apply the relevant updates, a timeline that signals the urgency of a threat already resurfacing in active ransomware campaigns. The four CVEs span a range of attack surfaces: a Windows link-following privilege-escalation bug (CVE‑2025‑60710), a Common Log File System driver flaw (CVE‑2023‑36424), an Exchange Server deserialization vulnerability (CVE‑2023‑21529), and a Visual Basic for Applications library-loading weakness (CVE‑2012‑1854). CISA lists ransomware use as "unknown" for most of the four, but Microsoft has confirmed that the Exchange bug (CVE‑2023‑21529) has been weaponised by the financially motivated group tracked as Storm‑1175, which chains the flaw with fifteen other exploits to infiltrate networks before deploying Medusa ransomware for extortion.
The persistence of CVE‑2012‑1854 illustrates the long tail of software risk. The vulnerability, first patched in July 2012 and fully remedied in a November 2012 update, was originally described by Microsoft as being subject to "limited, targeted attacks." Yet The Register notes that the flaw continues to surface in contemporary campaigns, effectively resurrecting a 14-year-old attack vector against systems that never received the fix. The phenomenon is not unique to Microsoft: the same CISA notice added two Adobe vulnerabilities, CVE‑2020‑9715 and CVE‑2026‑34621, to the KEV list, highlighting a broader pattern in which bugs in widely deployed products, old and new alike, become low-hanging fruit for threat actors. Adobe's CVE‑2026‑34621, a prototype-pollution flaw, had been exploited as a zero-day for months before a patch was finally issued, a reminder that every month between first exploitation and remediation widens the window of exposure across the software supply chain.
From a risk-management perspective, the convergence of old and new vulnerabilities forces enterprises to reassess patch-prioritisation frameworks that often favour the most recent releases over evidence of exploitation. The Register's coverage points out that the Windows privilege-escalation bugs (CVE‑2025‑60710 and CVE‑2023‑36424) were disclosed and patched within months of discovery, in November 2025 and November 2023 respectively; their inclusion in the KEV catalog nonetheless means CISA has evidence that they are being exploited in the wild. A quick vendor turnaround, in other words, did not prevent exploitation. The critical exposure period is the gap between a patch being published and an organisation actually deploying it, a gap that can stretch to years for systems that cannot be updated promptly.
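As an added example (not part of The Register's reporting or any CISA tooling), the following Python script shows how a team might operationalise KEV-driven prioritisation: it parses a catalog in the shape of CISA's published JSON feed, joins it against a host inventory, and ranks findings so that confirmed ransomware use and missed CISA due dates outrank CVE age. The catalog entries, host names, dates, ransomware flags and the `CVE-2099-0001` entry are constructed placeholders, not the catalog's real contents.

```python
"""KEV-driven patch triage: rank a host inventory's CVEs by CISA evidence, not CVE age."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the published feed; the dates, ransomware flags and
# descriptions are placeholders for this example, not the catalog's real entries.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed sample in the shape of the CISA KEV catalog",
  "vulnerabilities": [
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Exchange Server deserialization (sample entry)",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
     "vulnerabilityName": "VBA library loading (sample entry)",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat and Reader",
     "vulnerabilityName": "Adobe (sample entry)",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Log4Shell (sample entry)",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed host inventory: hostname -> CVEs a scanner reports as unpatched.
# CVE-2099-0001 is a placeholder that is deliberately absent from the catalog.
SAMPLE_INVENTORY = {
    "exch01": ["CVE-2023-21529"],
    "ws-042": ["CVE-2012-1854", "CVE-2020-9715", "CVE-2099-0001"],
    "app07": ["CVE-2021-44228"],
}

# Fixed "today" so the sample run is reproducible; a real run would use date.today().
AS_OF_DATE = date(2026, 4, 20)


def load_kev(kev_json: str) -> dict:
    """Parse a KEV-shaped JSON document and index its entries by CVE ID."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(inventory: dict, kev: dict, today: date = None) -> list:
    """Join inventory CVEs against the catalog and rank the KEV hits.

    Ordering: confirmed ransomware use first, then entries past their CISA due
    date, then the soonest due date. The CVE's year is deliberately not a key:
    a 2012 CVE on the catalog is as urgent as a 2025 one.
    """
    today = today or date.today()
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # Not on KEV: leave it to the normal patch cycle.
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            findings.append({
                "host": host,
                "cve": cve,
                "vendor": entry["vendorProject"],
                "product": entry["product"],
                "due": due,
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], f["due"], f["host"], f["cve"]))
    return findings


def report(findings: list) -> list:
    """Render one line per finding, most urgent first."""
    lines = []
    for f in findings:
        flags = []
        if f["ransomware"]:
            flags.append("RANSOMWARE")
        if f["overdue"]:
            flags.append("OVERDUE by %d days" % -f["days_left"])
        else:
            flags.append("due in %d days" % f["days_left"])
        lines.append("%-8s %-15s %s %s: %s" % (f["host"], f["cve"], f["vendor"], f["product"], ", ".join(flags)))
    return lines


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for line in report(triage(SAMPLE_INVENTORY, kev, AS_OF_DATE)):
        print(line)
```

Run against the real feed, the same `load_kev` and `triage` functions work unchanged; the only swap is reading the downloaded JSON instead of the embedded sample. The sort key is the point of the exercise: it surfaces the long-overdue Log4Shell host and the ransomware-linked Exchange server ahead of everything else, and the 2012 VBA bug lands in the same tier as the 2020 Adobe bug rather than being demoted for its age.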
The operational impact on federal agencies is immediate, but the ripple effects extend to the private sector, where many of the same software components are deployed. CISA's warning that "these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise" (The Register) implies that any entity relying on unpatched Windows, Exchange, or VBA environments could become a target. Moreover, the involvement of Storm‑1175, a group that blends initial-access techniques with ransomware payloads, shows tradecraft that chains multiple CVEs to gain and keep a foothold before extortion. The Register notes that the group's use of the Exchange flaw, combined with fifteen other exploits, enables a "stealthy" foothold that can evade conventional detection tools, raising the stakes for organisations that rely on signature-based defences.
In sum, the CISA directive serves as a reminder that legacy vulnerabilities are not relics but active components of modern cyber‑crime arsenals. The Register’s reporting makes clear that the four Microsoft bugs, despite varying ages and patch histories, have converged to fuel a measurable uptick in ransomware activity. For risk officers and security teams, the lesson is twofold: maintain rigorous, timely patch cycles for both new and old software, and adopt threat‑intelligence‑driven monitoring that can detect the multi‑vector exploitation patterns exemplified by groups like Storm‑1175. Failure to do so not only jeopardises compliance with federal mandates but also leaves organisations exposed to the same “ransomware surge” that CISA is now scrambling to contain.