CISA Warns of Increased Ransomware Attacks Leveraging Known Microsoft Vulnerabilities
Microsoft leads CISA's catalog of CVEs targeted in ransomware assaults
In a blog post published on Thursday, Sandra Radesky and Gabriel Davis, associates at the Cybersecurity and Infrastructure Security Agency (CISA), highlighted the growing threat of ransomware attacks exploiting known vulnerabilities in Microsoft products. The post is part of CISA's Ransomware Vulnerability Warning Pilot, a response to the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
The blog post comes as CISA shares data about ransomware attacks, revealing that more than 184 Common Vulnerabilities and Exposures (CVEs) have known use in ransomware attacks. According to CISA's Known Exploited Vulnerabilities Catalog, nearly 1 in 5 of the exploited CVEs it tracks have also been used in ransomware attacks.
Microsoft tops the list of vendors with known CVEs used in ransomware attacks. More than 2 in 5 of the vulnerabilities exploited by threat actors to conduct ransomware are linked to Microsoft products.
The updated data in the blog post aims to address a potential blind spot: many organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network.
Microsoft continues to invest in layers of security measures for customers. However, the blog post does not specify the number of Microsoft's CVEs used in ransomware attacks in this update.
Common Microsoft vulnerabilities exploited in ransomware attacks primarily include:
- CVE-2025-29824: A privilege escalation flaw in the Windows Common Log File System (CLFS), used by the PipeMagic backdoor malware to assist RansomExx ransomware attacks. This vulnerability enables attackers to escalate privileges on affected Windows systems.
- CVE-2017-0144: An older remote code execution vulnerability in Windows SMB (Server Message Block) protocol, well-known for enabling initial infiltration by ransomware families including RansomExx.
- CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771: These are critical remote code execution and spoofing vulnerabilities in Microsoft SharePoint Server exploited in active ransomware campaigns deploying variants of Mauri870 ransomware (e.g., 4L4MD4R). Attackers used these to gain unauthorized access and deploy ransomware payloads.
- CVE-2025-30388 and CVE-2025-53766: Newly discovered Windows vulnerabilities allowing arbitrary code execution and system crashes, exposing victims to ransomware exploitation risk if unpatched.
The Microsoft products most commonly affected are Windows OS (especially SMB and kernel services) and Microsoft SharePoint Server. Applying the latest patches is critical to mitigating risks from these flaws.
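The statistics above come from the `knownRansomwareCampaignUse` field that CISA publishes in its Known Exploited Vulnerabilities JSON feed. The following is an added example, not code from the article or from CISA: it parses a feed in that shape, computes the ransomware share overall and per vendor, and flags which CVEs from a host's own vulnerability inventory are ransomware-linked, which is the blind-spot check the post is about. The feed contents are a constructed miniature (the non-Microsoft CVE identifiers are placeholders), and the field names used (`cveID`, `vendorProject`, `product`, `knownRansomwareCampaignUse`, `vulnerabilities`) are the real ones from the CISA feed.

```python
"""Filter a CISA KEV-style feed for CVEs with known ransomware campaign use.

Added example, not part of the article. Against the real feed you would
replace SAMPLE_KEV with the downloaded JSON text; the sample here is a
constructed miniature, and every CVE-0000-* identifier is a placeholder.
"""
import json
from collections import Counter

# Constructed sample in the shape of CISA's KEV JSON feed. Only the fields
# this example needs are included; the real feed carries more.
SAMPLE_KEV = json.dumps({
    "title": "Constructed KEV sample (not the real catalog)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-29824", "vendorProject": "Microsoft",
         "product": "Windows", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft",
         "product": "Windows", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft",
         "product": "SharePoint Server", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-53766", "vendorProject": "Microsoft",
         "product": "Windows", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendorA",
         "product": "ProductA", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendorA",
         "product": "ProductA", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendorB",
         "product": "ProductB", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00004", "vendorProject": "ExampleVendorB",
         "product": "ProductB", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00005", "vendorProject": "ExampleVendorC",
         "product": "ProductC", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00006", "vendorProject": "ExampleVendorC",
         "product": "ProductC", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(feed_text):
    """Parse the feed JSON and return the list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def ransomware_entries(entries):
    """Records CISA has flagged as used in known ransomware campaigns."""
    return [e for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


def ransomware_share(entries):
    """Fraction of all KEV entries that are ransomware-linked (0.0 if empty)."""
    if not entries:
        return 0.0
    return len(ransomware_entries(entries)) / len(entries)


def vendor_counts(entries):
    """How many ransomware-linked CVEs each vendor accounts for."""
    return Counter(e["vendorProject"] for e in ransomware_entries(entries))


def find_exposed(entries, present_cves):
    """Blind-spot check: CVEs present on a host that are ransomware-linked.

    present_cves is the set of unpatched CVE IDs reported by your own
    vulnerability scanner; only IDs CISA marks 'Known' are returned.
    """
    flagged = {e["cveID"] for e in ransomware_entries(entries)}
    return flagged & set(present_cves)


def report(entries, present_cves):
    """Human-readable summary for a patch-priority review."""
    lines = [f"KEV entries: {len(entries)}, ransomware-linked: "
             f"{len(ransomware_entries(entries))} "
             f"({ransomware_share(entries):.0%})"]
    for vendor, n in vendor_counts(entries).most_common():
        lines.append(f"  {vendor}: {n}")
    exposed = find_exposed(entries, present_cves)
    lines.append("Ransomware-linked CVEs on this host: "
                 + (", ".join(sorted(exposed)) if exposed else "none"))
    return "\n".join(lines)


ENTRIES = load_kev(SAMPLE_KEV)

if __name__ == "__main__":
    # Constructed scanner output: three unpatched CVEs found on one host.
    host_findings = {"CVE-2025-29824", "CVE-2025-53766", "CVE-0000-00003"}
    print(report(ENTRIES, host_findings))
```

The `find_exposed` result is deliberately narrower than the scanner output: CVE-2025-53766 is in the sample feed but not marked `Known`, so it is not surfaced here even though it still warrants patching. Use the flag to rank, not to decide whether to patch.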
Microsoft encourages its customers to install all available updates as soon as possible to stay safe from malware attacks. The company states that all the vulnerabilities listed in the blog post have been addressed and customers who have applied the latest updates are already protected.
This story has been updated to include comments from Microsoft.
[1] PipeMagic exploitation of CVE-2025-29824 in Windows leads to RansomExx attacks.
[2] Active exploitation of SharePoint vulnerabilities CVE-2025-49704, 49706, 53770, and related for ransomware deployment.
[3] Additional Windows kernel vulnerabilities CVE-2025-30388 and CVE-2025-53766 that enable arbitrary code execution.
[4] CISA's database of exploited CVEs, some dating back to 2002, was updated on Thursday to include those with known ransomware exploits.
[5] More than half of the exploited Microsoft vulnerabilities used in ransomware campaigns are present in two of the vendor's most popular products: Windows and Exchange Server.
In its blog post, CISA warned about increased ransomware attacks leveraging known Microsoft vulnerabilities, as part of its Ransomware Vulnerability Warning Pilot. The post revealed that over 184 Common Vulnerabilities and Exposures (CVEs) are known to be used in ransomware attacks, with nearly 1 in 5 exploited CVEs also used in ransomware attacks according to CISA's Known Exploited Vulnerabilities Catalog. Microsoft topped the list of vendors with known CVEs used in ransomware attacks, with more than 2 in 5 exploited vulnerabilities linked to Microsoft products.
Common Microsoft vulnerabilities exploited in ransomware attacks include CVE-2025-29824, CVE-2017-0144, several SharePoint Server vulnerabilities, and newly discovered vulnerabilities CVE-2025-30388 and CVE-2025-53766. The Microsoft products most commonly affected are Windows OS (especially SMB and kernel services) and Microsoft SharePoint Server.
CISA's database of exploited CVEs was updated on Thursday to include those with known ransomware exploits. More than half of the exploited Microsoft vulnerabilities used in ransomware campaigns are present in two of the vendor's most popular products: Windows and Exchange Server. Microsoft encourages its customers to install all available updates to stay safe from malware attacks, as the company states that all the vulnerabilities listed have been addressed and customers who have applied the latest updates are already protected.