Microsoft said three of the exploited vulnerabilities were publicly known, suggesting attackers already had details about the defects prior to Tuesday’s release.

Researchers said the information disclosure zero-day exposes sensitive information that attackers can use to undermine defenses and make other exploits more reliable.

Cisco has yet to release a patch for the actively exploited vulnerability, and attacks have been underway since at least late November.

Microsoft closed out the year with 1,139 total defects patched, making it the second-largest year in volume behind 2020, according to Trend Micro.

A debate over actual exploitation is muddying response efforts. Multiple researchers say they’ve observed working proof of concepts while others assert evidence of attacks is lacking.

Researchers warn that although exploitation of the zero-day is complex, a functional exploit exists in the wild.

The tech giant doesn’t provide details about the severity of vulnerabilities it discloses, but none of the new defects are under active attack.

The company is ahead of pace, disclosing about 100 more vulnerabilities at this point in the year than it did in 2024, according to a researcher.

Operation Serengeti 2.0 dismantled almost 11,500 malicious infrastructures between June and August. Officials arrested more than 1,200 alleged cybercriminals.

The software defects, which have a maximum-severity rating, do not require authentication and allow remote attackers to execute code arbitrarily on the underlying system.