CISA Adds Six Exploited Vulnerabilities to KEV Catalog

-


 

CISA Adds 6 Known Exploited Vulnerabilities to KEV Catalog

On April 14, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six security vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. These flaws impact Fortinet, Microsoft, and Adobe products commonly used across enterprise and government environments. 

Federal Civilian Executive Branch (FCEB) agencies are required to remediate all six flaws by April 27, 2026, under Binding Operational Directive (BOD) 22‑01. CISA strongly urges private‑sector organizations to do the same. 

Vulnerabilities Added (April 14, 2026)

  1. CVE‑2026‑21643 – Fortinet FortiClient EMS
    SQL Injection (CVSS 9.1)
    Allows unauthenticated remote code execution via crafted HTTP requests.
    ▶ Exploitation observed since March 24, 2026.

  2. CVE‑2020‑9715 – Adobe Acrobat Reader
    Use‑after‑free (CVSS 7.8)
    Enables remote code execution when malicious PDF files are opened.

  3. CVE‑2023‑36424 – Windows Common Log File System (CLFS)
    Out‑of‑bounds read (CVSS 7.8)
    Leads to local privilege escalation.

  4. CVE‑2023‑21529 – Microsoft Exchange Server
    Deserialization of untrusted data (CVSS 8.8)
    Enables authenticated remote code execution.
    ▶ Exploited by threat actor Storm‑1175 to deploy Medusa ransomware.

  5. CVE‑2025‑60710 – Host Process for Windows Tasks
    Improper link resolution (CVSS 7.8)
    Allows local privilege escalation.

  6. CVE‑2012‑1854 – Microsoft Visual Basic for Applications (VBA)
    Insecure library loading (CVSS 7.8)
    Can result in remote code execution; Microsoft previously acknowledged targeted attacks.

Why This Matters

  • KEV inclusion means real‑world exploitation, not theoretical risk.
  • Several flaws enable ransomware deployment or full system compromise.
  • The mix of new and legacy vulnerabilities highlights ongoing patch‑management gaps across environments.
  • Exchange and Fortinet flaws are especially concerning due to their enterprise and internet‑facing use cases.

CISA reiterates that KEV vulnerabilities represent the highest‑priority patching items for defenders. [cisa.gov]

Recommended Actions

  • Immediately patch all affected systems (do not wait until April 27).
  • Prioritize:
    • Internet‑facing Fortinet FortiClient EMS servers
    • Microsoft Exchange servers
    • Endpoints running Adobe Acrobat Reader
  • Hunt for indicators of compromise (IOCs) tied to Medusa ransomware and Fortinet exploitation campaigns.
  • Ensure older vulnerabilities (like CVE‑2012‑1854) are not overlooked in legacy systems.

Popular posts from this blog

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more