Cyber Threat Intelligence | VULNERABILITY | 🔴 1×KEV

CVE-2026-5281 in Microsoft Product: Actively Exploited, CISA KEV Added

📅 April 03, 2026 | 🔴 Exploit Risk: 0.512 | 📊 Intelligence Score: 68/100 | 📰 50 sources synthesized
Intelligence Metadata

First Reported By: nvd.nist.gov
Outbreak Velocity: 1500 minutes spread to 3 unique domains
Consensus: 50 articles across 3 unique domains
CVSS Score: 7.5
EPSS Score: 0.0303 (3.03rd percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.5121
Race Label: ZERO-DAY RACE

Technical Analysis

Specific technical details for CVE-2026-5281, including the vulnerability class and attack vector, are not available in the provided intelligence. The vulnerability carries a CVSS base score of 7.5 (High). Its inclusion in the CISA KEV catalog is the primary indicator of risk, confirming it is being used as an ingress point by threat actors in active campaigns. The intelligence cluster also references other critical Microsoft vulnerabilities, such as CVE-2026-4370 (CVSS 10.0), but CVE-2026-5281 is the only one with confirmed evidence of exploitation. The lack of public technical details, combined with the 'ZERO-DAY RACE' designation, suggests exploitation may have occurred before a patch was available, placing defenders in a reactive posture.

Affected Systems

Vendor: Microsoft
Affected Versions:
  • Unspecified Microsoft Product
Exposure: Not available
Blast Radius: Not available

Intelligence Context

CVE-2026-5281 represents a clear and present danger that requires immediate attention. The most critical data point is its status on the CISA KEV catalog, which serves as definitive evidence of active exploitation. This overrides the relatively low EPSS score (3.03%), which would otherwise predict a low likelihood of exploitation. The 'ZERO-DAY RACE' label, with KEV addition just two days prior to this report, indicates that defenders have a very short window to respond before widespread exploitation occurs. The low vendor risk score (0.23) is inconsistent with the observed threat activity and should be disregarded. Prioritization must be based on the KEV status alone.

Remediation & Defense

Investigate all potentially exposed assets for signs of compromise immediately. Prepare for emergency patching as soon as a security update is released by Microsoft.
Patch Status: Not available
Patch Version: Not available
Workarounds:
  • Not available
Detection Hints:
  • Monitor for anomalous activity on systems running potentially affected Microsoft products.
  • Review logs for any indicators of compromise related to unspecified ingress vectors.
