The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of newly disclosed vulnerabilities in widely used software, including products from SolarWinds, Notepad++, and Microsoft. These vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) list, highlighting the urgent need for organizations to apply patches.
Details on SolarWinds Vulnerability
The SolarWinds vulnerability, identified as CVE-2025-40536 with a CVSS score of 8.1, was disclosed in late January. The flaw is in Web Help Desk (WHD) and allows unauthorized access to restricted functionality. Horizon3.ai, which discovered the flaw, noted that it enables attackers to create a valid AjaxProxy instance, potentially leading to remote code execution (RCE) through additional exploits.
Following Microsoft’s recent revelations, CISA has urged federal agencies to patch this vulnerability within three days. Microsoft noted that this flaw might have been exploited as a zero-day in December 2025, alongside another WHD issue, CVE-2025-40551, which was also targeted in similar attacks.
Apple and Notepad++ Vulnerabilities
Also added to the KEV list is CVE-2026-20700, a buffer overflow vulnerability in Apple products. The flaw has been patched, but it has already been used in highly sophisticated attacks. Notepad++ users, meanwhile, are at risk from CVE-2025-15556, a flaw in update integrity verification. The issue arises from a lack of cryptographic checks on updates, which allows attackers who intercept update traffic to have arbitrary code executed.
Reports indicate that the Notepad++ flaw has been exploited by hackers linked to China, specifically the cyberespionage group known as Lotus Blossom, since June 2025. The exploitation involves intercepting update traffic to deploy modified installers.
Microsoft Configuration Manager Vulnerability
Another significant vulnerability, CVE-2024-43468, pertains to Microsoft Configuration Manager. This critical RCE flaw involves an SQL injection vulnerability that does not require user interaction. Although proof-of-concept code has been available for over a year, it has only recently become a focus due to CISA’s warnings.
CISA has mandated that federal agencies apply patches for these vulnerabilities within weeks. This directive underscores the importance of timely updates to mitigate potential threats and secure systems against ongoing cyber risks.
Related discussions have highlighted new updates from tech giants like Intel, AMD, and Microsoft, which have addressed numerous vulnerabilities as part of their regular security updates.
