CISA on Monday added six security flaws to its Known Exploited Vulnerabilities catalog after finding evidence of active exploitation, including issues in Fortinet, Adobe and Microsoft products. The list covers bugs with CVSS scores ranging from 7.8 to 9.1. Federal civilian agencies must apply fixes for five of them by April 27, 2026; the FortiClient EMS patch is due earlier, by April 16, 2026.
KEY FACTS
- Catalog update: CISA added six flaws to the Known Exploited Vulnerabilities catalog because of active exploitation.
- Top severity: CVE-2026-21643 in Fortinet FortiClient EMS carries a CVSS score of 9.1.
- Targets: The list also includes Adobe Acrobat Reader, Microsoft Windows, Exchange Server and VBA.
- Deadline: Federal civilian agencies have until April 27, 2026 to remediate most of the flaws.
The CISA alert says CVE-2026-21643 can let an unauthenticated attacker execute unauthorized code or commands through crafted HTTP requests. The same update lists CVE-2020-9715, a use-after-free bug in Adobe Acrobat Reader that could lead to remote code execution.
Other entries include CVE-2023-36424 in the Windows Common Log File System Driver, which could enable privilege escalation, and CVE-2023-21529 in Exchange Server, which could allow remote code execution for an authenticated attacker. The catalog also includes CVE-2025-60710, a local privilege escalation issue in Host Process for Windows Tasks, and CVE-2012-1854 in Microsoft Visual Basic for Applications, which could result in remote code execution.
Defused Cyber said it detected exploitation attempts against the FortiClient EMS flaw starting March 24, 2026. Microsoft said last week that a threat actor it tracks as Storm-1175 has been using CVE-2023-21529 to deliver Medusa ransomware, and Microsoft's 2012 advisory for CVE-2012-1854 said the company was aware of limited, targeted attacks against that flaw at the time.
No public reports were cited for exploitation of the other three flaws. The update expands the list of bugs that U.S. agencies are expected to patch quickly when active attacks are identified.
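Acting on a KEV update means checking the catalog against the products an organisation actually runs and ordering the work by due date, with ransomware-linked entries first. The script below is an added example, not code from CISA or from the article: it parses a constructed sample shaped like CISA's KEV JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, whose field names it follows), validates the shape, matches entries against a constructed inventory, and computes days to deadline. The CVE IDs, products and due dates in the sample come from the article; the vulnerability names, descriptions and the knownRansomwareCampaignUse values are assumed for illustration, and the inventory is hypothetical.

```python
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# published feed; CVE IDs, products and due dates are from the article, while the
# names, descriptions and ransomware flags are assumed for illustration.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.04.06",
    "dateReleased": "2026-04-06T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "vulnerabilityName": "Fortinet FortiClient EMS unauthenticated code execution (assumed name)",
         "dateAdded": "2026-04-06", "shortDescription": "Crafted HTTP requests lead to code execution.",
         "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2026-04-16",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "Microsoft Exchange Server remote code execution (assumed name)",
         "dateAdded": "2026-04-06", "shortDescription": "Authenticated remote code execution.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat and Reader",
         "vulnerabilityName": "Adobe Acrobat Reader use-after-free (assumed name)",
         "dateAdded": "2026-04-06", "shortDescription": "Use-after-free leading to code execution.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows CLFS driver privilege escalation (assumed name)",
         "dateAdded": "2026-04-06", "shortDescription": "Local privilege escalation.",
         "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})


@dataclass
class Finding:
    cve_id: str
    product: str
    due: date
    days_left: int      # negative once the due date has passed
    ransomware: bool    # True when knownRansomwareCampaignUse == "Known"

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def load_kev(feed_text: str) -> list:
    """Parse the feed and reject anything that does not look like the KEV schema."""
    feed = json.loads(feed_text)
    entries = feed.get("vulnerabilities")
    if not isinstance(entries, list):
        raise ValueError("feed has no 'vulnerabilities' array")
    if feed.get("count") != len(entries):
        raise ValueError("feed 'count' does not match number of entries (truncated download?)")
    for e in entries:
        for key in ("cveID", "vendorProject", "product", "dueDate"):
            if key not in e:
                raise ValueError(f"entry missing {key}: {e}")
    return entries


def in_inventory(entry: dict, inventory: set) -> bool:
    """Exact match on the normalised 'vendor product' pair, so 'Windows' never
    silently matches an unrelated product that merely contains the word."""
    return f"{entry['vendorProject']} {entry['product']}".lower() in inventory


def triage(feed_text: str, inventory: set, today_iso: str) -> list:
    """Return KEV entries for deployed products, earliest deadline first,
    ransomware-linked entries ahead of others on the same date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for e in load_kev(feed_text):
        if not in_inventory(e, inventory):
            continue
        due = date.fromisoformat(e["dueDate"])
        findings.append(Finding(
            cve_id=e["cveID"],
            product=f"{e['vendorProject']} {e['product']}",
            due=due,
            days_left=(due - today).days,
            ransomware=e.get("knownRansomwareCampaignUse") == "Known",
        ))
    findings.sort(key=lambda f: (f.due, not f.ransomware, f.cve_id))
    return findings


if __name__ == "__main__":
    # Hypothetical inventory: the products this organisation actually runs.
    deployed = {"fortinet forticlient ems", "microsoft exchange server", "microsoft windows"}
    for f in triage(SAMPLE_FEED, deployed, "2026-04-10"):
        status = "OVERDUE" if f.overdue else f"{f.days_left}d left"
        tag = " [ransomware]" if f.ransomware else ""
        print(f"{f.cve_id:15} {f.product:28} due {f.due} {status}{tag}")
```

In practice the feed text would be fetched from the URL above and the inventory fed from a CMDB export; the `count` check catches a truncated download before it silently shortens the patch list, and the exact vendor-plus-product match is deliberate, since loose substring matching on "Windows" is a common source of both noise and missed entries.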
WHY IT MATTERS
Placement in the KEV catalog triggers binding remediation deadlines for federal civilian agencies under CISA's Binding Operational Directive 22-01, and because CISA only adds entries backed by evidence of active exploitation, inclusion means the vulnerabilities are already being used in the wild, not merely that they are at risk of being. The update also shows that old flaws, one of them dating to 2012, can remain relevant long after disclosure if they continue to be targeted.

