FAIL › dossier
FedRAMP provider · · dossier confidence 40%
Microsoft is a public technology giant with a heavy security footprint, but its internal failure history reveals a critical track record of repeated RCE and privilege escalation vulnerabilities across Windows, Office, and cloud services. Recent breaches via Entra SSO and critical flaws in Defender and Exchange indicate significant risks for DIB/CMMC environments.
Microsoft maintains a high volume of critical and high-severity vulnerabilities across its product portfolio, with a pattern of repeated RCE and privilege escalation flaws in core products like Windows, Exchange, and Defender. Recent incidents include a ShinyHunters breach via Microsoft Entra SSO, indicating significant SSO and authentication control weaknesses.
| Date | Event | Sev | Flags | Shame | Summary |
|---|---|---|---|---|---|
| 2026-05-20 | CVE-2010-0806 | high | ⚡RCE ⌖KEV | 85 | Microsoft Internet Explorer use-after-free vulnerability enables remote code execution on EoL browsers. |
| 2026-04-22 | CVE-2026-33825 | critical | ⌖KEV | 85 | Microsoft Defender allows local privilege escalation via insufficient access control granularity, enabling ransomware-linked attackers to bypass security controls. |
| 2026-04-14 | CVE-2009-0238 | high | ⚡RCE ⌖KEV | 85 | Microsoft Office Excel contains a remote code execution vulnerability that allows attackers to take complete control of a system by opening a specially crafted file. |
| 2026-04-13 | CVE-2025-60710 | high | ⌖KEV | 85 | Microsoft Windows is actively exploited for privilege escalation via CVE-2025-60710, a link-following flaw enabling unauthorized admin access. |
| 2026-03-18 | CVE-2026-20963 | high | ⚡RCE ⌖KEV | 85 | Microsoft SharePoint allows remote code execution via deserialization of untrusted data, confirmed as actively exploited. |
| 2026-05-20 | CVE-2009-1537 | high | ⚡RCE ⌖KEV | 65 | Microsoft DirectX contained a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter allowing remote code execution via crafted media files. |
| 2026-04-13 | CVE-2012-1854 | high | ⚡RCE ⌖KEV | 65 | Microsoft VBA allows remote code execution via insecure library loading, actively exploited and linked to ransomware. |
| 2026-04-13 | CVE-2023-21529 | critical | ⚡RCE ⌖KEV | 65 | Microsoft Exchange Server allows authenticated attackers to execute remote code via deserialization of untrusted data. |
| 2026-07-01 | CVE-2026-45659 | high | ⚡RCE ⌖KEV | 45 | Microsoft SharePoint Server allows remote code execution via deserialization of untrusted data. |
| 2026-05-20 | CVE-2026-41091 | high | ⌖KEV | 45 | Microsoft Defender allows local privilege escalation via link following, enabling unauthorized access to sensitive systems. |
| 2026-05-20 | CVE-2008-4250 | high | ⚡RCE ⌖KEV | 45 | Microsoft Windows Server Service buffer overflow vulnerability (CVE-2008-4250) enabled remote code execution via crafted RPC requests. |
| 2026-05-20 | CVE-2026-45498 | high | ⌖KEV | 45 | Microsoft Defender allows denial of service via unspecified vulnerability, impacting DIB systems reliant on endpoint protection. |
| 2026-05-20 | CVE-2010-0249 | high | ⚡RCE ⌖KEV | 45 | Microsoft Internet Explorer use-after-free vulnerability (CVE-2010-0249) allows remote code execution on EoL browsers. |
| 2026-05-15 | CVE-2026-42897 | high | ⌖KEV | 45 | Microsoft Exchange Server XSS vulnerability allows arbitrary JavaScript execution in Outlook Web Access browser context. |
| 2026-05-15 | CVE-2026-42897 | high | ⌖KEV | 45 | Microsoft Exchange Server XSS vulnerability allows arbitrary JavaScript execution in Outlook Web Access browser context. |
| 2026-04-28 | CVE-2026-32202 | high | ⚡RCE ⌖KEV | 45 | Microsoft Windows Shell allows network spoofing via a protection mechanism failure, enabling attackers to bypass authentication and execute commands. |
| 2026-04-14 | CVE-2026-32201 | high | ⌖KEV | 45 | Microsoft SharePoint Server is actively exploited via CVE-2026-32201, enabling network spoofing that threatens DIB data integrity and trust. |
| 2026-04-13 | CVE-2023-36424 | high | ⌖KEV | 45 | Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability enabling privilege escalation. |
| 2026-07-06 | CVE-2026-9182 | medium | ⚡RCE | 35 | ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload. |
| 2026-07-02 | CVE-2026-41106 | critical | 35 | Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. | |
| 2026-06-30 | CVE-2026-13780 | critical | 35 | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | |
| 2026-06-30 | CVE-2026-13775 | critical | 35 | Use after free in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | |
| 2026-06-30 | CVE-2026-13776 | critical | 35 | Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | |
| 2026-06-30 | CVE-2026-13782 | critical | 35 | Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | |
| 2026-06-30 | CVE-2026-13781 | critical | 35 | Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | |
| 2026-07-07 | CVE-2026-13020 | high | 25 | A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators sh | |
| 2026-07-03 | CVE-2026-57983 | high | 25 | Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. | |
| 2026-07-02 | CVE-2026-26145 | medium | 20 | Improper access control in Azure Synapse allows an authorized attacker to elevate privileges over a network. | |
| 2026-07-10 | CVE-2026-57211 | medium | — | CVE-2026-57211: RabbitMQ is a messaging and streaming broker. Prior to 4.1.11 and 4.2.6 on Windo |
| Product | Status | Impact |
|---|---|---|
| Azure Commercial Cloud | Authorized | High |
| Azure Government (includes Dynamics 365) | Authorized | High |
| Microsoft Office 365 GCC High | In Process | High |
| Office 365 Multi-Tenant & Supporting Services | Authorized | Moderate |
Open questions: Impact of CVE-2026-13781/13780/13776/13775/13782 on DIB systems · Frequency of patching for CVE-2026-33825 and CVE-2026-41106