COOEY // HUBcompliance · community · intelligence

FAIL › dossier

Microsoft company FedRAMP market

FedRAMP provider · · dossier confidence 40%

Microsoft is a public technology giant with a heavy security footprint, but its internal failure history reveals a critical track record of repeated RCE and privilege escalation vulnerabilities across Windows, Office, and cloud services. Recent breaches via Entra SSO and critical flaws in Defender and Exchange indicate significant risks for DIB/CMMC environments.

28
failure events
0
zero-days
11
RCEs
17
on KEV
8
critical
85
worst shame

Profile

Category
Technology Vendor
What they do
Microsoft Corporation develops and supports software, services, devices, and solutions worldwide, including the Microsoft 365 productivity suite, Windows operating system, and Azure cloud platform.
Ownership
Public
Website
https://www.microsoft.com

Security posture

Microsoft maintains a high volume of critical and high-severity vulnerabilities across its product portfolio, with a pattern of repeated RCE and privilege escalation flaws in core products like Windows, Exchange, and Defender. Recent incidents include a ShinyHunters breach via Microsoft Entra SSO, indicating significant SSO and authentication control weaknesses.

Notable failures
  • ShinyHunters breach via Microsoft Entra SSO (Jan 2026)
  • CVE-2026-33825: Defender local privilege escalation (Apr 2026)
  • CVE-2026-45659: SharePoint RCE via deserialization (Jul 2026)
  • CVE-2026-13781: Chrome sandbox escape (Jun 2026)
  • CVE-2026-57983: Edge Chromium privilege bypass (Jul 2026)
  • CVE-2026-41106: M365 Copilot open redirect (Jul 2026)
Patterns
Repeated RCE in Office/Exchange/SharePoint; Privilege escalation via unpatched Windows components; SSO/Authentication bypasses (Entra); Browser sandbox escape vulnerabilities

Failure history 29 events

DateEventSevFlagsShameSummary
2026-05-20 CVE-2010-0806 high ⚡RCE ⌖KEV 85 Microsoft Internet Explorer use-after-free vulnerability enables remote code execution on EoL browsers.
2026-04-22 CVE-2026-33825 critical ⌖KEV 85 Microsoft Defender allows local privilege escalation via insufficient access control granularity, enabling ransomware-linked attackers to bypass security controls.
2026-04-14 CVE-2009-0238 high ⚡RCE ⌖KEV 85 Microsoft Office Excel contains a remote code execution vulnerability that allows attackers to take complete control of a system by opening a specially crafted file.
2026-04-13 CVE-2025-60710 high ⌖KEV 85 Microsoft Windows is actively exploited for privilege escalation via CVE-2025-60710, a link-following flaw enabling unauthorized admin access.
2026-03-18 CVE-2026-20963 high ⚡RCE ⌖KEV 85 Microsoft SharePoint allows remote code execution via deserialization of untrusted data, confirmed as actively exploited.
2026-05-20 CVE-2009-1537 high ⚡RCE ⌖KEV 65 Microsoft DirectX contained a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter allowing remote code execution via crafted media files.
2026-04-13 CVE-2012-1854 high ⚡RCE ⌖KEV 65 Microsoft VBA allows remote code execution via insecure library loading, actively exploited and linked to ransomware.
2026-04-13 CVE-2023-21529 critical ⚡RCE ⌖KEV 65 Microsoft Exchange Server allows authenticated attackers to execute remote code via deserialization of untrusted data.
2026-07-01 CVE-2026-45659 high ⚡RCE ⌖KEV 45 Microsoft SharePoint Server allows remote code execution via deserialization of untrusted data.
2026-05-20 CVE-2026-41091 high ⌖KEV 45 Microsoft Defender allows local privilege escalation via link following, enabling unauthorized access to sensitive systems.
2026-05-20 CVE-2008-4250 high ⚡RCE ⌖KEV 45 Microsoft Windows Server Service buffer overflow vulnerability (CVE-2008-4250) enabled remote code execution via crafted RPC requests.
2026-05-20 CVE-2026-45498 high ⌖KEV 45 Microsoft Defender allows denial of service via unspecified vulnerability, impacting DIB systems reliant on endpoint protection.
2026-05-20 CVE-2010-0249 high ⚡RCE ⌖KEV 45 Microsoft Internet Explorer use-after-free vulnerability (CVE-2010-0249) allows remote code execution on EoL browsers.
2026-05-15 CVE-2026-42897 high ⌖KEV 45 Microsoft Exchange Server XSS vulnerability allows arbitrary JavaScript execution in Outlook Web Access browser context.
2026-05-15 CVE-2026-42897 high ⌖KEV 45 Microsoft Exchange Server XSS vulnerability allows arbitrary JavaScript execution in Outlook Web Access browser context.
2026-04-28 CVE-2026-32202 high ⚡RCE ⌖KEV 45 Microsoft Windows Shell allows network spoofing via a protection mechanism failure, enabling attackers to bypass authentication and execute commands.
2026-04-14 CVE-2026-32201 high ⌖KEV 45 Microsoft SharePoint Server is actively exploited via CVE-2026-32201, enabling network spoofing that threatens DIB data integrity and trust.
2026-04-13 CVE-2023-36424 high ⌖KEV 45 Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability enabling privilege escalation.
2026-07-06 CVE-2026-9182 medium ⚡RCE 35 ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload.
2026-07-02 CVE-2026-41106 critical 35 Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.
2026-06-30 CVE-2026-13780 critical 35 Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-13775 critical 35 Use after free in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-13776 critical 35 Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-13782 critical 35 Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-13781 critical 35 Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-07-07 CVE-2026-13020 high 25 A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators sh
2026-07-03 CVE-2026-57983 high 25 Improper authorization in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
2026-07-02 CVE-2026-26145 medium 20 Improper access control in Azure Synapse allows an authorized attacker to elevate privileges over a network.
2026-07-10 CVE-2026-57211 medium CVE-2026-57211: RabbitMQ is a messaging and streaming broker. Prior to 4.1.11 and 4.2.6 on Windo

FedRAMP catalog products 4

ProductStatusImpact
Azure Commercial Cloud Authorized High
Azure Government (includes Dynamics 365) Authorized High
Microsoft Office 365 GCC High In Process High
Office 365 Multi-Tenant & Supporting Services Authorized Moderate

Dossier sources

Open questions: Impact of CVE-2026-13781/13780/13776/13775/13782 on DIB systems · Frequency of patching for CVE-2026-33825 and CVE-2026-41106