Hackers are actively exploiting a zero day vulnerability in Internet Explorer, prompting a warning from the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA).

“Microsoft is aware of limited targeted attacks” in a remote code execution (RCE) vulnerability [CVE-2020-0674] in the scripting engine of Internet Explorer across all versions of Windows that would let a hacker obtain the same rights as a current user, Microsoft warned Friday.

“If the current user is
logged on with administrative user rights, an attacker who successfully
exploited the vulnerability could take control of an affected system,” the company
said.

Attackers
could then do things like install programs, manipulate data or even create new
accounts to which they’d have full user rights. “In a web-based attack
scenario, an attacker could host a specially crafted website that is designed
to exploit the vulnerability through Internet Explorer and then convince a user
to view the website, for example, by sending an email,” Microsoft explained.

CISA’s
warning came on the heels of Microsoft’s advisory. The agency recommended
“users and administrators to review Microsoft’s
Advisory ADV20001 and
CERT/CC’s Vulnerability Note VU#338824 for
more information, implement workarounds, and apply updates when available” and
urged them to “consider using Microsoft Edge or an alternate browser until
patches are made available.”