Vulnerabilities impacting critical products from SolarWinds, Apple, Microsoft and Notepad++ must be resolved by federal agencies in less than one month after being spotlighted by the nation’s cyber defense agency on Thursday.
The Cybersecurity and Infrastructure Security Agency (CISA) added ten new vulnerabilities to its catalog of exploited bugs this week, forcing all federal civilian agencies to resolve the issues by the first week of March — one vulnerability, SolarWinds’ CVE-2025-40536, must be patched by federal civilian agencies by Sunday. Patches for the bug were released by SolarWinds on January 28.
The issue impacts SolarWinds Web Help Desk, an IT service management platform used by many large organizations to handle ticketing, asset tracking and other tasks. The tool helps companies centralize IT support operations.
Last week, CISA gave federal agencies only four days to patch another vulnerability affecting the SolarWinds Web Help Desk platform that was initially released alongside CVE-2025-40536.
SolarWinds is widely used across the federal government and was previously targeted by Russian hackers as part of one of the largest nation-state attacks in U.S. history.
Apple, Notepad++ and Microsoft
The other bugs added to CISA’s Known Exploited Vulnerabilities list this week include CVE-2026-20700 — an issue disclosed by Apple on Thursday impacting Apple iOS, macOS, tvOS, watchOS and visionOS.
Apple said in an advisory that it’s “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”
Two other related vulnerabilities, CVE-2025-14174 and CVE-2025-43529, were also issued in response to the attack report, Apple explained. Google Threat Analysis Group discovered the bug.
Alongside the Apple vulnerability, CISA warned of CVE-2025-15556 — a vulnerability that was discovered last year when suspected Chinese state-sponsored hackers attacked popular text editor Notepad++.
Notepad++, a free and open-source editor widely used by tech workers, has millions of users worldwide. Notepad++ issued a fix for the issue in December after a Chinese state-sponsored group known as Lotus Blossom targeted “specific high-value organizations” during an attack in June 2025.
Following Microsoft’s Patch Tuesday release, CISA also added six of the company’s vulnerabilities to the catalog, confirming that they’ve been exploited in the wild by threat actors. The bugs impact a variety of popular products including Microsoft Office, Windows and other tools.
Among the six bugs, many experts focused on the three security feature bypass vulnerabilities — CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514.
“All three have been publicly disclosed and reported as being exploited in the wild. Some of these vulnerabilities enable an attacker to bypass, disable, or effectively ignore standard security mechanisms,” said Natalie Silva, lead cyber security engineer at Immersive.
“The affected Windows components are MSHTML, Windows Shell, and Microsoft Word. In all cases, Microsoft notes that user interaction is required, meaning an attacker would need to persuade a user to open a malicious file.”
CISA published its annual report this week and touted the success of the Known Exploited Vulnerabilities catalog, noting that it added 238 high-risk vulnerabilities to the list in fiscal year 2025.
Cybersecurity experts have warned that 2026 is likely to break records for the number of vulnerabilities disclosed. FIRST, a prominent forum of incident response and security teams, forecasted that 2026 will be the first year more than 50,000 CVEs will be published.
“While our central estimate for 2026 hovers around 59,000, we believe it’s entirely realistic that this year we reach 70,000 to 100,000 vulnerabilities. The upper bound of our 90% confidence interval sits at nearly 118,000 — a number that would represent a paradigm shift in vulnerability management workloads,” FIRST said.
“We think it’s more likely to be closer to 60k, but it is important that we prepare for more extreme scenarios such as 70 or 80k as well.”