CISA orders federal agencies to patch exploited SolarWinds, Apple, Microsoft bugs within weeks

Vulnerabilities impacting critical products from SolarWinds, Apple, Microsoft and Notepad++ will have to be resolved by federal agencies in less than one month after being spotlighted by the nation’s cyber defense agency on Thursday. 

The Cybersecurity and Infrastructure Security Agency (CISA) added ten new vulnerabilities to its catalog of exploited bugs this week, forcing all federal civilian agencies to resolve the issues by the first week of March — one vulnerability, SolarWinds’ CVE-2025-40536, will have to be patched by federal civilian agencies by Sunday. Patches for the bug were released by SolarWinds on January 28. 

The issue affects SolarWinds Web Help Desk, an IT service management platform used by many large organizations to handle ticketing, asset tracking and other tasks. The tool helps companies centralize IT support operations.

Last week, CISA gave federal agencies only four days to patch another vulnerability affecting the SolarWinds Web Help Desk platform that was initially released alongside CVE-2025-40536. 

SolarWinds is widely used across the federal government and was previously targeted by Russian hackers as part of one of the largest nation-state attacks in U.S. history. 

Apple, Notepad++ and Microsoft

The other bugs added to CISA’s Known Exploited Vulnerabilities list this week include CVE-2026-20700 — an issue disclosed by Apple on Thursday impacting Apple iOS, macOS, tvOS, watchOS and visionOS. 

Apple said in an advisory that it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.”

Two other related vulnerabilities, CVE-2025-14174 and CVE-2025-43529, were also issued in response to the attack report, Apple explained. Google Threat Analysis Group discovered the bug.

Alongside the Apple vulnerability, CISA warned of CVE-2025-15556 — a vulnerability that was discovered last year when suspected Chinese state-sponsored hackers attacked popular text editor Notepad++. 

Notepad++, a free and open-source editor widely used by tech workers, has millions of users worldwide. Notepad++ issued a fix for the issue in December after a Chinese state-sponsored group known as Lotus Blossom targeted “specific high-value organizations” during an attack in June 2025.

Following Microsoft’s Patch Tuesday release, CISA also added six of the company’s vulnerabilities to the catalog, confirming that they have been exploited in the wild by threat actors. The bugs impact a variety of popular products including Microsoft Office, Windows and other tools. 

Among the six bugs, many experts focused on the three security feature bypass vulnerabilities — CVE-2026-21510, CVE-2026-21513 and CVE-2026-21514. 

“All three have been publicly disclosed and reported as being exploited in the wild. These types of vulnerabilities allow an attacker to circumvent, disable, or effectively ignore standard security mechanisms,” said Natalie Silva, lead cyber security engineer at Immersive. 

“The affected Windows components are MSHTML, Windows Shell, and Microsoft Word. In all cases, Microsoft notes that user interaction is required, meaning an attacker would need to convince a user to open a malicious file.”

CISA published its annual report this week and touted the success of the Known Exploited Vulnerabilities catalog, noting that it added 238 high-risk vulnerabilities to the list in fiscal year 2025. 

Cybersecurity experts have warned that 2026 is likely to break records for the number of vulnerabilities disclosed. FIRST, a prominent forum of incident response and security teams, forecasted that 2026 will be the first year more than 50,000 CVEs will be published. 

“While our central estimate for 2026 hovers around 59,000, we believe it is entirely realistic that this year we reach 70,000 to 100,000 vulnerabilities. The upper bound of our 90% confidence interval sits at nearly 118,000 — a number that would represent a paradigm shift in vulnerability management workloads,” FIRST said.

“We think it is more likely to be closer to 60k, but it is important that we prepare for more extreme scenarios such as 70 or 80k as well.”