Microsoft leads CISA's catalog of exploited CVEs used in ransomware attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the use of vulnerability exploits by financially motivated cybercriminals in ransomware attacks, in a blog post published on Thursday by Sandra Radesky and Gabriel Davis, associates at CISA.
Microsoft has emerged as the vendor with the most known exploited Common Vulnerabilities and Exposures (CVEs) used in ransomware attacks, with 78 attributed vulnerabilities, far ahead of the 9 exploited CVEs attributed to network storage appliance maker QNAP.
The most common Microsoft products targeted by ransomware attacks, according to CISA's Known Exploited Vulnerabilities (KEV) Catalog, are Microsoft SharePoint Server, Microsoft Exchange Server, Microsoft Internet Explorer, and Microsoft Office Excel.
Recent ransomware campaigns have exploited multiple critical vulnerabilities in Microsoft SharePoint Server, including CVE-2025-49704 and CVE-2025-49706, part of a chain of exploits dubbed "ToolShell," leading to unauthorized access and ransomware deployment. CISA strongly recommends disconnecting public-facing versions of Exchange Server and SharePoint Server that have reached end-of-life due to these ongoing risks.
Vulnerabilities affecting Microsoft Internet Explorer and Microsoft Office Excel have also been added to the KEV catalog, indicating they are being targeted by threat actors exploiting these flaws to facilitate attacks, often including ransomware.
In addition, several critical Windows vulnerabilities enabling privilege escalation and remote code execution have been actively exploited, increasing the risk of ransomware delivery on affected systems.
The Ransomware Vulnerability Warning Pilot, an initiative by CISA, aims to address this potential blind spot. This pilot is a requirement of the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
Microsoft has a comprehensive response process for software security events and incidents, as stated by a Microsoft spokesperson. The spokesperson also emphasized Microsoft's continued investment in layers of security measures to protect against malware attacks. They also encouraged customers to follow Microsoft's security best practices and install all available updates as soon as possible.
CISA's database of 1,019 exploited CVEs, some dating back to 2002, was updated Thursday to flag those with known ransomware use. More than half of the exploited Microsoft vulnerabilities used in ransomware campaigns are present in two of the vendor's most popular products: Windows and Exchange Server. Nearly 1 in 5 exploited CVEs are also known to be used in ransomware attacks, according to CISA's Known Exploited Vulnerabilities Catalog, and more than 2 in 5 of the vulnerabilities exploited by threat actors to conduct ransomware are linked to Microsoft products.
Many organizations may be unaware that vulnerabilities used by ransomware threat actors are present on their network. CISA encourages all organizations to regularly review and update their software to ensure they are protected against known exploits.
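As an added example (not code from the article or from CISA), the following Python reads a feed shaped like CISA's KEV JSON, keeps only entries carrying the ransomware-use flag, tallies them per vendor as the article does, and matches them against an organisation's asset inventory to produce a patch-first list. Field names follow the public KEV feed; every entry other than the two ToolShell CVEs named above is a constructed placeholder.

```python
import json
from collections import Counter

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# real feed (cveID, vendorProject, product, knownRansomwareCampaignUse); the
# entries other than the two ToolShell CVEs named in the article are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-49704", "vendorProject": "Microsoft",
     "product": "SharePoint Server", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-49706", "vendorProject": "Microsoft",
     "product": "SharePoint Server", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "Microsoft",
     "product": "Exchange Server", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft",
     "product": "Windows", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "QNAP",
     "product": "QTS", "knownRansomwareCampaignUse": "Known"},
]})


def load_kev(raw):
    """Parse the feed text and return the list of catalog entries."""
    return json.loads(raw).get("vulnerabilities", [])


def ransomware_entries(entries):
    """Keep only entries CISA has flagged as used in ransomware campaigns.
    The flag is a string ("Known"/"Unknown"); compare case-insensitively and
    treat a missing field as not flagged."""
    return [e for e in entries
            if str(e.get("knownRansomwareCampaignUse", "")).lower() == "known"]


def count_by_vendor(entries):
    """Tally flagged CVEs per vendor, as in the article's Microsoft-vs-QNAP figures."""
    return Counter(e.get("vendorProject", "?") for e in entries)


def prioritise(entries, inventory):
    """Return CVE IDs whose (vendor, product) pair matches something the
    organisation actually runs. `inventory` is a set of (vendor, product)
    tuples from an asset inventory; matching is exact and case-insensitive."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return sorted(e["cveID"] for e in entries
                  if (e.get("vendorProject", "").lower(),
                      e.get("product", "").lower()) in wanted)


if __name__ == "__main__":
    flagged = ransomware_entries(load_kev(KEV_SAMPLE))
    print(count_by_vendor(flagged).most_common())
    print(prioritise(flagged, {("Microsoft", "SharePoint Server")}))
```

Against the live feed, replace `KEV_SAMPLE` with the downloaded catalog text and feed `prioritise` the (vendor, product) pairs from your own inventory.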
- The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the use of vulnerability exploits by financially motivated cybercriminals in ransomware attacks, as described in a blog post.
- Microsoft has the most known exploited Common Vulnerabilities and Exposures (CVEs) used in ransomware attacks, with 78 attributed vulnerabilities, mainly targeting Microsoft SharePoint Server, Microsoft Exchange Server, Microsoft Internet Explorer, and Microsoft Office Excel.
- CISA strongly recommends disconnecting public-facing versions of Exchange Server and SharePoint Server that have reached end-of-life due to the ongoing risks posed by these ransomware attacks.
- Vulnerabilities affecting Microsoft Internet Explorer and Microsoft Office Excel have been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, indicating they are being targeted by threat actors, often facilitating ransomware attacks.