Security vendor will not say if attackers are already actively exploiting the flaw, as some reports have claimed.