The US cybersecurity agency CISA on Thursday warned that recently disclosed SolarWinds, Notepad++, and Apple vulnerabilities have been exploited in the wild.
Tracked as CVE-2025-40536 (CVSS score of 8.1) and disclosed at the end of January, the SolarWinds flaw is described as a security control bypass in Web Help Desk (WHD) that could allow unauthenticated attackers to access restricted functionality.
The security defect was found and reported by Horizon3.ai, which warned that it could be exploited to create a valid AjaxProxy instance, allowing attackers to exploit additional bugs to achieve remote code execution (RCE).
On Thursday, CISA added CVE-2025-40536 to its Known Exploited Vulnerabilities (KEV) list, urging federal agencies to patch it within three days.
The agency has not shared details on the observed exploitation, but its warning comes a week after Microsoft said that CVE-2025-40536 might have been exploited as a zero-day in an attack observed in December 2025.
The tech giant said that CVE-2025-40551, another fresh WHD issue that was added to CISA’s KEV list last week, might have been targeted as a zero-day as well, in the same attack.
Another zero-day added to CISA’s KEV list on Thursday is CVE-2026-20700, a buffer overflow vulnerability that Apple has just patched, warning it has been exploited in an extremely sophisticated attack.
Another newly disclosed vulnerability that has made it to CISA’s KEV list is CVE-2025-15556, an update integrity verification flaw in Notepad++ patched in early February.
Rooted in the lack of cryptographic verification of downloaded update metadata and installers, the issue affects Notepad++ deployments using the WinGUp updater and could allow attackers to intercept update traffic and supply modified installers, achieving arbitrary code execution.
China-linked hackers were seen exploiting the flaw for initial access in attacks that likely started in June 2025. Rapid7 has attributed the campaign to the cyberespionage group tracked as Lotus Blossom.
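The integrity check the Notepad++ updater lacked, as an added example written for this article (not WinGUp's or Notepad++'s own code, and the manifest format, keys and installer bytes are constructed): the client pins the publisher's Ed25519 public key, verifies the signature on the downloaded update metadata, and only then compares the installer's SHA-256 with the digest that metadata carries. With both checks in place, an on-path attacker who replaces the metadata or the installer over plain HTTP cannot get the client to execute anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is a constructed update-metadata format (not WinGUp's): it binds a
// version to the SHA-256 digest of the installer the client should receive.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// NewSignedUpdate models the publisher: a constructed Ed25519 key signs the
// manifest. Returns the public key the client pins, the manifest and its signature.
func NewSignedUpdate(installer []byte, version string) (ed25519.PublicKey, []byte, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	sum := sha256.Sum256(installer)
	manifest, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, nil, err
	}
	return pub, manifest, ed25519.Sign(priv, manifest), nil
}

// VerifyUpdate models the client: the metadata signature is checked against the
// pinned key before the metadata is trusted, then the installer is checked against
// the digest it carries. Swapping either one in transit fails a check and nothing runs.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, installer []byte) (string, error) {
	if !ed25519.Verify(pinned, manifest, sig) {
		return "", fmt.Errorf("update metadata signature invalid; refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return "", fmt.Errorf("update metadata malformed: %w", err)
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return "", fmt.Errorf("installer digest does not match signed metadata; refusing update")
	}
	return m.Version, nil
}
```

Order matters: the signature over the metadata is verified before any field in it is parsed or trusted, so an unsigned or re-signed manifest never gets to supply the digest the installer is compared against.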
The fourth CVE added to CISA’s KEV list on Thursday is CVE-2024-43468, a critical-severity RCE flaw in Microsoft Configuration Manager that was resolved in October 2024.
It is described as an SQL injection bug that can be exploited without authentication or user interaction via specially crafted requests.
Proof-of-concept (PoC) code targeting CVE-2024-43468 has been publicly available for over a year, but there appear to have been no reports of it being exploited in attacks prior to CISA’s warning.
CISA has given federal agencies three weeks to apply patches for the Apple, Microsoft, and Notepad++ vulnerabilities.