U.S. CISA adds Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog


Pierluigi Paganini February 11, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft Office and Microsoft Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
  • CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
  • CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
  • CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
  • CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
  • CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability

This week, Microsoft Patch Tuesday security updates for February 2026 fixed 58 new security flaws across Windows, Office, Azure, Edge, Exchange, Hyper-V, WSL, and other components, rising to 62 CVEs when third-party updates are included. Six flaws addressed this month are actively exploited in the wild, three of them publicly known.

Below are the descriptions of the vulnerabilities that Microsoft addressed this month and that CISA added to the catalog:

  • CVE-2026-21510 (CVSS score of 7.5 – High)
    A Windows SmartScreen and Shell prompt bypass that allows attackers to evade security warnings by tricking users into opening a crafted malicious link or shortcut file.
  • CVE-2026-21513 (CVSS score of 8.8 – High)
    An Internet Explorer security control bypass that can lead to code execution when a victim opens a malicious HTML page or LNK file.
  • CVE-2026-21514 (CVSS score of 8.1 – High)
    A Microsoft 365 and Office flaw that bypasses OLE security mitigations, enabling malicious activity when a specially crafted Office document is opened.
  • CVE-2026-21519 (CVSS score of 7.8 – High)
    A Windows Desktop Window Manager vulnerability that enables local privilege escalation and elevated system access.
  • CVE-2026-21525 (CVSS score of 6.5 – Medium)
    A Windows Remote Access Connection Manager bug that can be abused by a local attacker to cause a denial-of-service condition.
  • CVE-2026-21533 (CVSS score of 8.8 – High)
    A Windows Remote Desktop Services vulnerability that allows attackers to escalate privileges to SYSTEM.

Microsoft labeled CVE-2026-21510, CVE-2026-21514 and CVE-2026-21513 as “publicly disclosed”.

The company credited Google Threat Intelligence Group, its internal security teams, and an anonymous researcher for discovering CVE-2026-21510 and CVE-2026-21514, while Microsoft and GTIG reported the vulnerability CVE-2026-21513.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by March 3rd, 2026.
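As an added example, not code from CISA or from this article, the small Python helper below ranks the six KEV additions above for remediation under BOD 22-01: it matches the catalog entries against a local record of what has already been patched and orders the rest by days remaining to the due date, then by CVSS. The sample feed uses the field names of CISA's KEV JSON; its dateAdded/dueDate values are assumptions derived from the March 3, 2026 deadline, and the CVSS scores are the ones quoted in the article (the KEV feed itself carries no score).

```python
"""Added example: rank this article's KEV additions for remediation under
BOD 22-01 (assumed helper; not from CISA or Security Affairs)."""
from datetime import date

# Constructed sample using the field names of CISA's KEV JSON feed
# (live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# dateAdded/dueDate are assumptions derived from the article's March 3, 2026 deadline.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2026-21510", "product": "Windows", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21513", "product": "MSHTML Framework", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21514", "product": "Office Word", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21519", "product": "Windows", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21525", "product": "Windows", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2026-21533", "product": "Windows Remote Desktop Services", "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
]}

# CVSS scores as quoted in the article; the KEV feed itself carries no score.
CVSS = {"CVE-2026-21510": 7.5, "CVE-2026-21513": 8.8, "CVE-2026-21514": 8.1,
        "CVE-2026-21519": 7.8, "CVE-2026-21525": 6.5, "CVE-2026-21533": 8.8}


def triage(kev, remediated, today, cvss=CVSS):
    """Return still-open KEV entries, most urgent first.

    Ordering: overdue items (negative days_left) first, then soonest
    due date, then highest CVSS as the tie-breaker within a due date.
    """
    rows = []
    for v in kev["vulnerabilities"]:
        cve = v["cveID"]
        if cve in remediated:          # already patched or mitigated locally
            continue
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        rows.append({"cve": cve, "product": v["product"], "due": v["dueDate"],
                     "days_left": days_left, "cvss": cvss.get(cve)})
    rows.sort(key=lambda r: (r["days_left"], -(r["cvss"] or 0.0)))
    return rows


def overdue(kev, remediated, today):
    """CVE IDs whose BOD 22-01 due date has already passed (strictly)."""
    return [r["cve"] for r in triage(kev, remediated, today) if r["days_left"] < 0]


if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, {"CVE-2026-21533"}, date(2026, 2, 20)):
        flag = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']}d left"
        print(f"{r['cve']}  CVSS {r['cvss']}  due {r['due']}  {flag}  {r['product']}")
```

Replace KEV_SAMPLE with the parsed live feed and the remediated set with output from your patch-management system to get the same ranking across the whole catalog.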


Pierluigi Paganini

Source: https://securityaffairs.com/187855/security/u-s-cisa-adds-microsoft-office-and-microsoft-windows-flaws-to-its-known-exploited-vulnerabilities-catalog.html