CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
CISA Alert: Six New Vulnerabilities Added to KEV Catalog Following Active Exploitation
TL;DR: CISA has added six security flaws affecting Fortinet, Microsoft, and Adobe to its Known Exploited Vulnerabilities (KEV) catalog. These range from a critical SQL injection in FortiClient EMS to legacy issues in Microsoft Visual Basic. Federal agencies have until April 27, 2026, to apply necessary patches.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding six flaws that are currently being weaponized by threat actors in the wild.
The update, issued this Monday, highlights a diverse range of security holes impacting enterprise software from Fortinet, Microsoft, and Adobe. Under the Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these specific vulnerabilities by April 27, 2026.
High-Priority Fortinet Flaw Under Attack
Leading the list is CVE-2026-21643, a critical SQL injection vulnerability in Fortinet FortiClient EMS. With a CVSS score of 9.1, this flaw is particularly dangerous because it allows an unauthenticated attacker to execute unauthorized code or commands simply by sending specially crafted HTTP requests.
According to cybersecurity firm Defused Cyber, exploitation attempts against this vulnerability were observed as early as March 24, 2026.
Microsoft Vulnerabilities: From Ransomware to Privilege Escalation
Four of the six newly added flaws impact Microsoft products, covering a timeline that spans over a decade:
- CVE-2023-21529 (CVSS 8.8): A deserialization of untrusted data vulnerability in Microsoft Exchange Server. Microsoft recently revealed that a threat actor tracked as Storm-1175 has been weaponizing this flaw to deliver Medusa ransomware.
- CVE-2023-36424 (CVSS 7.8): An out-of-bounds read vulnerability in the Windows Common Log File System (CLFS) Driver. This flaw can be used by attackers to achieve privilege escalation.
- CVE-2025-60710 (CVSS 7.8): An improper link resolution issue in the Host Process for Windows Tasks. Successful exploitation allows an authorized attacker to elevate their privileges locally.
- CVE-2012-1854 (CVSS 7.8): A "legacy" insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA). While originally disclosed years ago, Microsoft acknowledged "limited, targeted attacks" abusing this flaw as far back as July 2012.
Adobe Acrobat Reader Targeted for RCE
The final addition to the list is CVE-2020-9715, a use-after-free vulnerability affecting Adobe Acrobat Reader. This flaw could result in remote code execution (RCE) if a user is enticed into opening a malicious file.
Current Threat Landscape
While there is clear evidence of exploitation for the Fortinet, Exchange Server, and VBA vulnerabilities, public reports detailing the specific exploitation of CVE-2020-9715, CVE-2023-36424, and CVE-2025-60710 remain unavailable at this time.
The inclusion of these flaws in the KEV catalog serves as a stark reminder that attackers often leverage a mix of "zero-day" vulnerabilities and older, unpatched flaws to achieve their objectives.
Conclusion and Recommendations
The presence of these vulnerabilities in active attacks—especially the delivery of Medusa ransomware via Microsoft Exchange—underscores the need for immediate patching. Organizations, both in the public and private sectors, should prioritize these six vulnerabilities for remediation:
- Fortinet FortiClient EMS (CVE-2026-21643)
- Microsoft Exchange Server (CVE-2023-21529)
- Adobe Acrobat Reader (CVE-2020-9715)
- Windows CLFS Driver (CVE-2023-36424)
- Host Process for Windows Tasks (CVE-2025-60710)
- Microsoft VBA (CVE-2012-1854)
FCEB agencies must meet the April 27 deadline, but all security teams are encouraged to treat these as critical items in their patch management cycle.
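As an added example (not code from CISA, Fortinet, Microsoft, Adobe or The Hacker News), the script below shows how a team might operationalise a KEV update like this one: it loads a feed in the shape of CISA's KEV JSON (field names as in the public feed; the records here are constructed from the six CVEs in the article, not a live download), matches entries against a made-up asset inventory, and orders the findings by known ransomware use, BOD 22-01 due date and the CVSS scores the article quotes. The KEV feed itself carries no CVSS, so those scores are supplied from the article; the hostnames, product-name matching rule and "today" dates are assumptions.

```python
"""Prioritise KEV entries against an asset inventory (added example, not CISA code)."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed; values are taken from the article (due date 2026-04-27, Medusa
# ransomware use for the Exchange flaw). Not a live download.
KEV_FEED_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "vulnerabilityName": "FortiClient EMS SQL Injection", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Exchange Server Deserialization of Untrusted Data",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Windows CLFS Driver Out-of-Bounds Read", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Host Process for Windows Tasks Improper Link Resolution",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
         "vulnerabilityName": "VBA Insecure Library Loading", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat and Reader",
         "vulnerabilityName": "Acrobat Reader Use-After-Free", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# CVSS scores as quoted in the article; KEV entries do not carry CVSS themselves.
# The Acrobat Reader flaw has no score in the article, so it is absent here.
CVSS = {"CVE-2026-21643": 9.1, "CVE-2023-21529": 8.8, "CVE-2023-36424": 7.8,
        "CVE-2025-60710": 7.8, "CVE-2012-1854": 7.8}

# Made-up inventory. Real inventories need product-name normalisation; this
# example matches on exact (vendor, product) strings for clarity.
INVENTORY = [
    {"host": "mail01", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "ems01", "vendor": "Fortinet", "product": "FortiClient EMS"},
    {"host": "ws-017", "vendor": "Microsoft", "product": "Windows"},
    {"host": "ws-017", "vendor": "Adobe", "product": "Acrobat and Reader"},
    {"host": "db02", "vendor": "PostgreSQL", "product": "PostgreSQL"},  # no KEV match
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    name: str
    due: date
    ransomware: bool
    cvss: Optional[float]


def load_kev(feed_json: str) -> list:
    """Parse the feed and return its vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(kev: list, inventory: list) -> list:
    """Return one Finding per (asset, KEV entry) pair with matching vendor and product."""
    findings = []
    for asset in inventory:
        for v in kev:
            if (v["vendorProject"], v["product"]) == (asset["vendor"], asset["product"]):
                findings.append(Finding(
                    host=asset["host"], cve=v["cveID"], name=v["vulnerabilityName"],
                    due=date.fromisoformat(v["dueDate"]),
                    ransomware=v.get("knownRansomwareCampaignUse") == "Known",
                    cvss=CVSS.get(v["cveID"])))
    return findings


def prioritize(findings: list) -> list:
    """Ransomware-linked first, then earliest due date, then highest CVSS (unknown last)."""
    return sorted(findings, key=lambda f: (not f.ransomware, f.due, -(f.cvss or 0.0)))


def days_remaining(f: Finding, today: date) -> int:
    """Days until the BOD 22-01 due date; negative means overdue."""
    return (f.due - today).days


def report(findings: list, today: date) -> list:
    """Human-readable lines in priority order."""
    lines = []
    for f in prioritize(findings):
        left = days_remaining(f, today)
        status = f"OVERDUE by {-left} d" if left < 0 else f"{left} d left"
        score = "n/a" if f.cvss is None else f"{f.cvss}"
        flag = " [ransomware]" if f.ransomware else ""
        lines.append(f"{f.host:8} {f.cve:15} due {f.due} ({status}) CVSS {score}{flag}")
    return lines


if __name__ == "__main__":
    # Assumed reporting date: the Monday three weeks before the article's deadline.
    for line in report(match_inventory(load_kev(KEV_FEED_JSON), INVENTORY), date(2026, 4, 6)):
        print(line)
```

Run against a real feed by replacing KEV_FEED_JSON with the downloaded catalog; the ordering puts the Exchange flaw first because the article ties it to Medusa ransomware, then the 9.1 FortiClient EMS bug, and leaves the unscored Acrobat Reader entry at the end.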
Source: https://thehackernews.com/2026/04/cisa-adds-6-known-exploited-flaws-in.html