Actively utilized high-severity CVEs: Microsoft & SolarWinds

Actively exploited high-severity vulnerabilities: Microsoft & SolarWinds (last 7 days)

In the last few days, several actively utilized Weak points with CVSS ≥ 8 which are particularly relevant in enterprise environments: Windows/Office-related attack paths (MSHTML/Windows Shell) and a critical fix cycle around SolarWinds Web Help Desk. This article summarizes the most important points for security teams: affected components, attack paths, prioritization and concrete hardening/patch steps.

Scope/methodology: Only verified primary sources (CISA KEV, MSRC, NVD/CVE, manufacturer bulletins). No speculation, no unconfirmed statements.

---

Table of contents

• #1 Microsoft Windows Shell / MSHTML: Security Feature Bypass (CVE-2026-21510, CVE-2026-21513) - actively exploited, CVSS 8.8
• #2 Microsoft Configuration Manager: Remote Code Execution (CVE-2024-43468) - KEV, CVSS 9.8
• #3 SolarWinds Web Help Desk: Security Control Bypass (CVE-2025-40536) - KEV, CVSS 8.1
• #4 Instant checklist for Enterprise Defender (prioritization, detection, rollout)
• #5 Sources
• #6 SEO block

#1 Microsoft Windows Shell / MSHTML: Security Feature Bypass (CVE-2026-21510, CVE-2026-21513) - actively exploited, CVSS 8.8

What happened? Microsoft rates two vulnerabilities as Exploitation Detected (Exploitation detected). Both concern protection mechanisms in Windows components that can bypass security queries or protection functions if successfully exploited. According to CISA, both CVEs have been included in the KEV catalog (proof of active exploitation).

• CVE-2026-21510 - Windows Shell Security Feature Bypass, CVSS 3.1 Base 8.8, status at Microsoft: Exploitation Detected.
• CVE-2026-21513 - MSHTML Framework Security Feature Bypass, CVSS 3.1 Base 8.8, status at Microsoft: Exploitation Detected.

Why is this relevant for companies? Feature bypass bugs are often used in real attack chains as Initial Access / Execution Enabler They reduce friction for the attacker (e.g. bypassing warning or protection dialogs) and increase the success rate of phishing/drive-by scenarios. What is particularly critical is that - according to the MSRC - in the case of CVE-2026-21510 and CVE-2026-21513 User interaction is typically required (UI:R), which links it directly to email/web workflows.

Typical attack path (can be derived from MSRC FAQ): Attackers trick users into opening a manipulated HTML file or one .lnk shortcuts (link, attachment, download). The aim is not necessarily just the bypass itself, but to enable further steps (e.g. unintentional execution of content/code in the context of the user).

Measures / Mitigation:

• Prioritize patchingRollout according to rings, but faster than standard patch cycles (KEV + Exploitation Detected).
• Attachment/download hardening: Do not remove Mark-of-the-Web (MOTW); check web/email gateways for suspicious .lnk/.html-Check payloads and archives.
• ASR/EDR policiesCheck rules against Office/Script child processes, LNK-from-Internet, and suspicious HTML/HTA/Script execution and tighten them where possible.
• DetectionTelemetry for unusual LNK designs, mshta/rundll32-abuse, as well as download->execution chains (proxy/EDR correlation rules).

#2 Microsoft Configuration Manager: Remote Code Execution (CVE-2024-43468) - KEV, CVSS 9.8

Key message: One critical Remote code execution vulnerability in Microsoft Configuration Manager (ConfigMgr) was added to the KEV catalog by CISA. Microsoft has a CVSS 3.1 Base Score of 9.8 out. This makes it a clear candidate for Immediate prioritization, especially if ConfigMgr servers have exposed or poorly segmented communication paths.

• CVE-2024-43468 - Microsoft Configuration Manager Remote Code Execution, CVSS 9.8 (Microsoft), KEV (CISA).

What is the attack vector? According to the MSRC, a unauthenticated Attackers can trigger insecure processing via specially crafted requests, which can enable the execution of commands on the server/DB. In enterprise networks, ConfigMgr is also a High-Value TargetIf it is compromised, there is a risk of lateral movement, software deployment abuse and widespread effects.

What needs to be done (concrete, vendor-compliant)?

• Install In-Console Update: Microsoft explicitly mentions a in-console update as a protective measure.
• Minimize exposureSegment management/client communication, remove unnecessary accessibility from external networks, check firewall rules restrictively.
• Post-update verificationRecord version/hotfix status (CMDB), document patch rollout, targeted scans/health checks after completion.
• Threat Hunting: Investigate suspicious requests/logs to ConfigMgr roles, unusual DB activity, new/unusual admin accounts, and sudden deployment changes.

#3 SolarWinds Web Help Desk: Security Control Bypass (CVE-2025-40536) - KEV, CVSS 8.1

Key message: SolarWinds has worked with Web Help Desk 2026.1 addresses several CVEs. Among them is CVE-2025-40536 (Security Control Bypass), which is recognized by CISA as a known exploited is listed. In the official release notes, the vulnerability is described as 8.1 (High) rated.

• CVE-2025-40536 - SolarWinds Web Help Desk Security Control Bypass, 8.1 High (SolarWinds), KEV (CISA).

Why is this important? Ticketing/helpdesk systems are central in many companies (user identities, asset data, integrations, credentials/keys in workflows). Depending on the deployment, a control bypass can serve as an entry point or at least make privileged functions accessible. It is also critical that further WHD CVEs with 9.8 (Critical) listed - even if they are not all in the KEV catalog (as of this week), security teams should consider the release as a Patch bundle and not just patch the one CVE in isolation.

Measures:

• Upgrade to WHD 2026.1 (or higher) according to SolarWinds Guidance.
• Avoid Internet exposureIf possible, do not make WHD directly accessible from the Internet; use a VPN/zero-trust proxy.
• Least PrivilegeCheck service accounts, DB rights, integration tokens; rotate secrets if compromising is suspected.
• Monitoring: Monitor auth/admin events, unusual API/web accesses, new user/technician accounts, and anomalous ticket exports.

#4 Instant checklist for Enterprise Defender (prioritization, detection, rollout)

1. Prioritize by Exploitation + CVSS + Asset-Value
   • ConfigMgr (CVE-2024-43468, 9.8) - High-Value Infra.
   • Windows Shell / MSHTML (CVE-2026-21510/21513, 8.8 each) - wide-area endpoints, phishing proximity.
   • SolarWinds WHD (CVE-2025-40536, 8.1) - central service platform + potentially multiple critical fixes in the same release.
2. Tactical patch rollout
   • Server/management systems first (ConfigMgr/WHD), then endpoints (Windows).
   • Ring rollout (pilot → width), but accelerated (KEV).
3. Arm detections
   • Mail/Web: LNK/HTML attachments and suspicious downloads, MotW bypass signs.
   • EDR: LNK->Script/LOLBin chains (mshta, rundll32, regsvr32) and anomalous parent/child relationships.
   • Server: WHD/ConfigMgr logs, new admins, unusual requests/DB activity.
4. Communication
   • Briefly synchronize IT Ops + SOC: which systems affected, when patch window, which detection rules temporarily tightened.
   • Change/incident readiness: if there are indications of active exploitation in your own network - activate Incident Response Playbook.

#5 Sources

• CISA - Known Exploited Vulnerabilities Catalog (CatalogVersion 2026.02.13, dateReleased 2026-02-13): https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (retrieved 2026-02-15)
• Microsoft Security Update Guide API - CVE-2026-21510 (Release 2026-Feb, exploited: Yes, baseScore 8.8): https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2026-21510 (retrieved 2026-02-15)
• Microsoft Security Update Guide API - CVE-2026-21513 (Release 2026-Feb, exploited: Yes, baseScore 8.8): https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2026-21513 (retrieved 2026-02-15)
• Microsoft Security Update Guide API - CVE-2024-43468 (baseScore 9.8): https://api.msrc.microsoft.com/sug/v2.0/en-US/vulnerability/CVE-2024-43468 (retrieved 2026-02-15)
• SolarWinds - WHD 2026.1 Release Notes (Last updated 2026-02-10; Fixed CVEs incl. CVE-2025-40536 Severity 8.1): https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm (retrieved 2026-02-15)
• SolarWinds Trust Center Advisory (CVE-2025-40536): https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40536 (retrieved 2026-02-15)
• NVD - CVE-2025-40536: https://nvd.nist.gov/vuln/detail/CVE-2025-40536 (retrieved 2026-02-15)
• BSI press image (featured image): https://www.bsi.bund.de/SharedDocs/Bilder/DE/Pressebilder_download/IT-Lagezentrum_1.jpg?__blob=poster&v=3 (retrieved 2026-02-15)

#6 SEO block

META-TITLE: Actively exploited high-severity CVEs: Microsoft & SolarWinds (KW 7)

META-DESCRIPTION: Current Threat Intel summary (last 7 days): actively exploited vulnerabilities with CVSS ≥ 8 in Microsoft Windows/ConfigMgr and SolarWinds Web Help Desk - incl. prioritization and patch checklist.

URL-SLUG: actively-utilized-cves-microsoft-solarwinds-kw7-2026

Keywords: CISA KEV, actively exploited, CVSS 9.8, CVE-2024-43468, CVE-2026-21513, CVE-2026-21510, CVE-2025-40536, Microsoft Patch Tuesday, SolarWinds Web Help Desk, Configuration Manager, MSHTML, Windows Shell