CISA orders federal agencies to patch exploited SolarWinds, Apple, Microsoft bugs within weeks
Summary
The US Cybersecurity and Infrastructure Security Agency (CISA) has added ten new vulnerabilities to its Known Exploited Vulnerabilities catalogue, requiring federal civilian agencies to remediate the issues within weeks. The list includes a critical SolarWinds Web Help Desk flaw (CVE-2025-40536) with an imminent deadline, multiple Microsoft vulnerabilities added after February Patch Tuesday, an Apple issue tied to a highly targeted attack (CVE-2026-20700 and related CVEs), and a Notepad++ bug linked to suspected state-sponsored activity. CISA highlighted the continued growth of exploited high-risk bugs as it published its annual report, noting the Known Exploited Vulnerabilities programme added 238 high-risk entries in fiscal 2025.
SolarWinds released patches for CVE-2025-40536 on 28 January; CISA has given agencies short timelines to apply fixes, including a window of one week or less for some flaws. Microsoft had six exploited CVEs added, three of which are security-feature bypasses affecting MSHTML, Windows Shell and Word and require user interaction to exploit. Apple acknowledged a vulnerability, discovered by Google TAG, that may have been used in a sophisticated targeted attack. Notepad++ patched a vulnerability after suspected state-backed actors targeted high-value organisations.
Context and relevance
This action by CISA underlines the pressure on organisations to accelerate patch management amid an expected surge in CVE disclosures in 2026. FIRST forecasts the year could see around 60k CVEs, with possible upper bounds far higher. The deadlines themselves are binding only on federal civilian executive branch agencies, under Binding Operational Directive 22-01; other organisations are not obliged to meet them, but a KEV listing is widely treated as the signal to patch first because it confirms the bug is being exploited in the wild. For federal agencies and large organisations using SolarWinds, Microsoft and Apple products, the CISA deadlines turn routine patching into an urgent operational requirement.
Key Points
- CISA added 10 vulnerabilities to its Known Exploited Vulnerabilities catalogue; federal civilian agencies must patch them within weeks (some within a week or less).
- SolarWinds Web Help Desk CVE-2025-40536 is among the urgent fixes; SolarWinds issued patches on 28 January.
- Apple disclosed CVE-2026-20700 and related CVEs that may have been used in a highly targeted attack; Google TAG discovered the issue.
- Notepad++ patched a vulnerability after suspected Chinese state-sponsored actors targeted high-value victims in 2025.
- CISA added six Microsoft vulnerabilities from February Patch Tuesday, including three security-feature bypasses (CVE-2026-21510, CVE-2026-21513, CVE-2026-21514) that require user interaction to exploit.
- CISA reported adding 238 high-risk vulnerabilities to its catalogue in FY2025, highlighting ongoing patch-management strain.
- Security community forecasts (FIRST) predict a substantial rise in CVE disclosures in 2026, increasing remediation workloads for defenders.
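The practical task behind these deadlines is checking which of the CVEs you track are in the KEV catalogue and how long you have left. The Python below is an added example, not code from the article or from CISA: it parses a feed in the shape of CISA's KEV JSON (a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `requiredAction`) and ranks a watchlist by due date. The embedded snapshot is constructed for offline use: the CVE IDs are the ones the article names, but every date, vendor string and action text is an illustrative placeholder, not the catalogue's real value, and `CVE-2026-00000` is a placeholder ID used only to show the not-listed case.

```python
"""Rank a CVE watchlist against a (constructed) slice of the CISA KEV feed.

Added example. Field names match the real KEV JSON; the values below are
placeholders, not CISA's actual dates or text.
"""
from __future__ import annotations

import json
from datetime import date, datetime

# Constructed snapshot: real field names, placeholder values (assumption).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-40536", "vendorProject": "SolarWinds", "product": "Web Help Desk",
         "dateAdded": "2026-02-10", "dueDate": "2026-02-17",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-21510", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-21513", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-21514", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-20700", "vendorProject": "Apple", "product": "Multiple Products",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Anything due within this many days is flagged as urgent (our own threshold).
DUE_SOON_DAYS = 7


def load_catalog(raw_json: str) -> dict[str, dict]:
    """Index a KEV feed (the downloaded file or the snapshot above) by CVE ID."""
    feed = json.loads(raw_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def parse_day(text: str) -> date:
    """KEV dates are ISO YYYY-MM-DD strings."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def triage(catalog: dict[str, dict], watchlist: list[str], today: date) -> list[dict]:
    """Return one row per watched CVE, most urgent first.

    status is 'overdue' (due date passed), 'due_soon' (within DUE_SOON_DAYS),
    'open' (later) or 'not_in_kev' (no CISA deadline; still a bug to patch,
    just not a mandated one).
    """
    rows = []
    for cve in watchlist:
        key = cve.strip().upper()
        entry = catalog.get(key)
        if entry is None:
            rows.append({"cve": key, "vendor": None, "product": None,
                         "due": None, "days_left": None, "status": "not_in_kev"})
            continue
        due = parse_day(entry["dueDate"])
        days_left = (due - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= DUE_SOON_DAYS:
            status = "due_soon"
        else:
            status = "open"
        rows.append({"cve": key, "vendor": entry["vendorProject"],
                     "product": entry["product"], "due": due,
                     "days_left": days_left, "status": status})
    # Listed entries first, ordered by due date; unlisted ones go last.
    rows.sort(key=lambda r: (r["due"] is None, r["due"] or date.max, r["cve"]))
    return rows


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    watch = ["CVE-2025-40536", "CVE-2026-21510", "CVE-2026-20700", "CVE-2026-00000"]
    for row in triage(catalog, watch, date(2026, 2, 18)):
        print(f"{row['status']:<11} {row['cve']:<15} due={row['due']} "
              f"days_left={row['days_left']} {row['vendor']} {row['product']}")
```

To run it against the real catalogue, download the JSON feed from cisa.gov and pass its contents to `load_catalog`; the field names are the ones the live feed uses, so only the snapshot and the `DUE_SOON_DAYS` threshold are local assumptions. Note that a CVE missing from KEV is not a reason to deprioritise it, only a sign that no CISA deadline applies.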
Why should I read this?
Short version: if you run SolarWinds, Microsoft, Apple or Notepad++ in a business or government setting, this matters — fast. CISA has forced urgent timelines, some measured in days, so this isn’t leisurely weekend admin. Read this to know which products are affected, why the fixes are urgent, and to avoid being one of the organisations scrambling after an exploit hits.
