Microsoft closed out the year with 1,139 total defects patched, making it the second-largest year in volume behind 2020, according to Trend Micro.

The Ivy League school said it was one of almost 100 organizations hit by the simultaneous attacks in August.

The newspaper said a “bad actor” contacted the company in late September, prompting an investigation that nearly a month later confirmed the extent of compromise.

The vendors disclosed and patched the defects last summer, but not before advanced attackers exploited the vulnerabilities to likely gain prolonged access for espionage, according to Amazon.

Researchers warn that although exploitation of the zero-day is complex, a functional exploit exists in the wild.

The digital engineering services firm said human resources data on nearly 10,500 current and former employees was exposed.

Researchers said malicious activity dates back to early July and active exploitation was observed two months ago.

The notorious ransomware group exploited multiple vulnerabilities, including a zero-day, for at least eight weeks before alleged victims received extortion demands.

The agency, which issued an emergency directive to federal agencies Thursday, said it took months to determine the root cause and mitigate the activity.

Cisco said it was investigating state-sponsored espionage attacks in May. CISA did not explain why it waited four months to issue an emergency directive.