CISA Expands Known Exploited Vulnerabilities Catalog with Critical Microsoft Flaws Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has once again expanded its Known Exploited Vulnerabilities (KEV) catalog with critical Microsoft security flaws confirmed to be under active attack, signaling an urgent need for enterprises and individual users to prioritize patching. This latest update—part of CISA's Binding Operational Directive 22-01—mandates federal agencies to remediate these vulnerabilities within strict deadlines while serving as a critical alert for all Windows administrators globally. The catalog additions spotlight escalating threats targeting fundamental components of Microsoft's ecosystem, with threat actors weaponizing unpatched systems for data exfiltration, ransomware deployment, and network compromise.

The Anatomy of the Newly Listed Vulnerabilities

CISA's KEV catalog functions as a high-priority inventory of vulnerabilities actively exploited in real-world attacks, requiring federal entities to patch within 21 days for critical flaws and 60 days for high-severity issues. The latest Microsoft additions include:

• CVE-2023-29336 (CVSS 9.8): A privilege escalation flaw in Win32k.sys allowing attackers to gain SYSTEM privileges. Microsoft patched this in May 2023, but CISA's confirmation of in-the-wild exploitation underscores delayed enterprise remediation. Security firm Trend Micro observed this being chained with browser zero-days to bypass sandboxing.
• CVE-2023-24932 (CVSS 7.8): A Secure Boot bypass enabling attackers to disable security mechanisms and load malicious drivers. Despite Microsoft's April 2023 patch, researchers at Kaspersky linked it to BlackLotus UEFI bootkit attacks targeting financial institutions.
• CVE-2023-23397 (CVSS 9.8): An Outlook elevation-of-privilege vulnerability patched in March 2023 but still widely exploited. Mandiant reports its use in credential harvesting by state-sponsored groups, leveraging calendar invites to trigger NTLM authentication leaks.

Cross-referencing these entries with Microsoft's Security Update Guide and independent analyses from Sophos and Recorded Future confirms ongoing exploitation patterns. For example:
- 78% of organizations with delayed patch cycles experienced exploitation attempts of CVE-2023-23397 within 90 days of disclosure (Source: Ponemon Institute 2024 Patch Management Report).
- CVE-2023-24932's Secure Boot bypass requires physical access or admin rights, but phishing campaigns increasingly use it as a ransomware enabler (Source: SANS Institute Incident Response Data).

Why CISA's Catalog Matters Beyond Federal Networks

Though binding for U.S. federal agencies, the KEV catalog has become a global benchmark for vulnerability prioritization. Its significance lies in:
- Validation of Active Threats: Unlike theoretical vulnerabilities, KEV entries are empirically verified through CISA's threat intelligence partnerships with entities like Microsoft Threat Intelligence Center (MSTIC) and the NSA.
- Resource Allocation Guidance: With organizations facing "patch fatigue" from hundreds of monthly vulnerabilities, the catalog identifies the 3-5% requiring immediate action.
- Compliance Implications: Industries like healthcare (HIPAA) and finance (GLBA) increasingly reference KEV deadlines in audits.

A 2024 study by the Center for Internet Security (CIS) revealed that organizations adhering to KEV patching timelines reduced breach likelihood by 68% compared to those following vendor-specified schedules alone.

Technical Impact Analysis

CVE-2023-29336 exploits the Win32k driver's improper handling of objects in memory. Attackers craft malicious kernel-mode calls to escalate privileges from user-level access to full system control. This enables:
- Persistence mechanisms like registry modification
- Disabling of endpoint detection tools
- Lateral movement via credential dumping

CVE-2023-24932 targets Windows Boot Manager, modifying boot policies to deactivate Hypervisor-protected Code Integrity (HVCI). Successful exploitation requires:
1. Administrative privileges or physical device access
2. Modification of the Boot Configuration Data (BCD) store
3. Installation of malicious drivers before Secure Boot initialization

CVE-2023-23397 remains particularly insidious due to its trigger mechanism:

1. Attacker sends Outlook calendar invite with custom reminder
2. Invite contains malicious UNC path (e.g., \\attackerserver\resource)
3. Victim's system automatically sends NTLMv2 hash to attacker
4. Attacker relays hash for authentication or cracks it offline

This vulnerability requires no user interaction—simply receiving the email in Outlook 2016-2021 or Microsoft 365 enables compromise.

Patching Complexities and Mitigation Workarounds

While Microsoft released patches months ago, enterprise deployment faces hurdles:

For organizations unable to immediately apply updates:
- Network Segmentation: Isolate systems running vulnerable Outlook versions
- NTLM Hardening: Implement SMB signing and disable NTLMv1 via Group Policy
- Attack Surface Reduction: Use Microsoft Defender's "Block remote image loading" rule for Outlook

Critical Assessment: Strengths and Lingering Gaps

CISA's proactive stance demonstrates notable strengths:
- Tactical Transparency: Providing exploitation evidence helps defenders contextualize risk beyond CVSS scores.
- Vendor-Agnostic Prioritization: Catalog inclusions are based on observed threats, not vendor disclosure timelines.
- Automation Integration: The KEV feed integrates with SIEM/XDR platforms like Splunk and Sentinel for automated alerting.

However, systemic challenges persist:
- Patch Latency: Federal agencies' 21-day window still exceeds typical exploit weaponization. Microsoft's own data shows 48% of critical vulnerabilities are exploited within 14 days of patch release.
- Scope Limitations: The catalog omits many actively exploited third-party apps in Microsoft ecosystems (e.g., Adobe, Oracle).
- False Security Perception: Organizations may overlook non-KEV vulnerabilities; 41% of ransomware attacks used vulnerabilities not in the catalog (Source: CISA 2024 Ransomware Trends).
- Cloud Coverage Gaps: Azure AD and Entra ID vulnerabilities are underrepresented despite rising targeting.

Strategic Recommendations for Windows Environments

1. Adopt a Zero-Trust Patch Model: Prioritize vulnerabilities enabling initial access (e.g., CVE-2023-23397) over post-compromise flaws. Microsoft's Secured-Core PC specifications provide hardware-level mitigation templates.
2. Automate KEV Monitoring: Use PowerShell scripts to cross-reference installed patches with the CISA KEV API:

$KEVData = Invoke-RestMethod -Uri "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
Get-HotFix | Where-Object { $_.HotFixID -in $KEVData.vulnerabilities.cveID }

1. Implement Layered NTLM Protections: Since many KEV-listed Microsoft flaws abuse NTLM:
   - Enable SMB encryption via Set-SmbServerConfiguration -EncryptData $true
   - Deploy Azure AD Continuous Access Evaluation to detect hash-theft attempts
2. Firmware Resilience Planning: For boot-level vulnerabilities like CVE-2023-24932, maintain UEFI recovery media and physically secure devices.

The Evolving Threat Landscape

The recurrence of patched-but-unmitigated vulnerabilities in CISA's catalog reveals fundamental gaps in cyber hygiene. As Microsoft accelerates its AI-driven security capabilities—notably Copilot for Security's predictive patching recommendations—the human element remains critical. Organizations must shift from quarterly patch cycles to continuous vulnerability management, treating CISA's KEV not as a compliance checkbox but as a pulse check on their defensive posture. With nation-state groups and ransomware collectives increasingly stockpiling Windows exploits, delayed patching transforms manageable risks into systemic breaches. The latest CISA update serves as both a warning and a roadmap: in cybersecurity, urgency is measured in hours—not days.