CISA expands KEV list

The U.S. Cybersecurity and Infrastructure Security Agency added seven flaws to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate them on tight deadlines. The April 13 additions covered Adobe, Fortinet, Microsoft Windows and Exchange Server, with the Fortinet fix due in three days and several others due by April 27. Check Point Research separately warned of active exploitation against Ivanti Endpoint Manager Mobile (CVE‑2026‑1340), calling it capable of unauthenticated remote code execution. (securityaffairs.com) (research.checkpoint.com)

The United States Cybersecurity and Infrastructure Security Agency added seven actively exploited software flaws to its Known Exploited Vulnerabilities catalog on April 13 and gave federal agencies as little as three days to fix some of them. (cisa.gov) The new entries cover Adobe Acrobat, Adobe Acrobat and Reader, Fortinet FortiClient Enterprise Management Server, Microsoft Exchange Server, Microsoft Visual Basic for Applications, and Microsoft Windows. The listed flaws are CVE-2026-34621, CVE-2026-21643, CVE-2023-21529, CVE-2023-36424, CVE-2025-60710, CVE-2020-9715, and CVE-2012-1854. (cisa.gov)

CISA’s catalog is the federal government’s running list of bugs that attackers are already using in real networks, not just weaknesses that might be abused someday. Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate each cataloged flaw by the deadline CISA assigns. (cisa.gov 1) (cisa.gov 2)

The deadlines in this batch are short. CISA’s catalog shows the Fortinet FortiClient Enterprise Management Server flaw CVE-2026-21643 is due April 16, three days after it was listed, while Adobe CVE-2026-34621 and CVE-2020-9715 are due April 27, two weeks after listing. (cisa.gov) The catalog entry for CVE-2026-34621 says Adobe Acrobat and Reader contain a prototype pollution flaw that allows arbitrary code execution. The Fortinet entry for CVE-2026-21643 says a SQL injection bug in FortiClient Enterprise Management Server may let an unauthenticated attacker run unauthorized code or commands through crafted HTTP requests. (cisa.gov)

CISA says it adds vulnerabilities only when three conditions are met: a Common Vulnerabilities and Exposures identifier exists, there is reliable evidence of active exploitation, and a clear remediation action is available. The agency says organizations outside the federal government should also use the catalog to set patching priorities. (cisa.gov)

Check Point Research reported a separate actively exploited Ivanti flaw on April 13. Its threat bulletin said CVE-2026-1340 in Ivanti Endpoint Manager Mobile allows unauthenticated remote code execution and “full compromise” of affected servers, carries a 9.8 CVSS severity score, and affects multiple releases from 12.5 through 12.7. (research.checkpoint.com) That Ivanti issue was not part of CISA’s April 13 seven-flaw announcement, but it points to the same pressure on defenders: internet-facing management tools are still landing on urgent patch lists. CISA says the Known Exploited Vulnerabilities catalog is meant to help defenders focus on the smaller set of bugs causing immediate harm. (cisa.gov 1) (cisa.gov 2)
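Added here as an editor's example (not code from CISA, Check Point, or the article): a short script that reads a snapshot of CISA's KEV JSON feed, matches entries against a local product inventory, and ranks the hits by days remaining to the BOD 22-01 due date, which is how a non-federal team would turn the catalog into a patch queue. The feed URL and field names are those of the real catalog; the three entries, the inventory hosts, and the report date are constructed from the article's details so it runs offline, and the product attribution for CVE-2020-9715 and the `requiredAction` wording are assumptions.

```python
"""Rank KEV entries that touch your inventory by days to CISA's due date.

Added example, not from the article or from CISA. The live feed is
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and its entries carry the field names used below; the snapshot here is
constructed from the article's details so the script runs offline.
"""
import json
from datetime import date

# Constructed three-entry snapshot in the KEV schema. Dates, vendors and
# descriptions follow the article; the requiredAction text and the product
# attribution for CVE-2020-9715 are assumptions for illustration.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.04.13-example",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
         "product": "FortiClient Enterprise Management Server",
         "vulnerabilityName": "Fortinet FortiClient EMS SQL Injection Vulnerability",
         "dateAdded": "2026-04-13",
         "shortDescription": "SQL injection; unauthenticated code/command execution via crafted HTTP requests.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2026-04-16", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2026-34621", "vendorProject": "Adobe",
         "product": "Acrobat and Reader",
         "vulnerabilityName": "Adobe Acrobat and Reader Prototype Pollution Vulnerability",
         "dateAdded": "2026-04-13",
         "shortDescription": "Prototype pollution allowing arbitrary code execution.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2020-9715", "vendorProject": "Adobe",
         "product": "Acrobat and Reader",  # product attribution assumed
         "vulnerabilityName": "Adobe Acrobat and Reader vulnerability (details assumed)",
         "dateAdded": "2026-04-13",
         "shortDescription": "Not described in the article.",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed asset inventory; product strings deliberately differ from CISA's
# wording (version suffixes) to show why exact-match lookups miss.
INVENTORY = [
    {"host": "ems01", "vendor": "Fortinet", "product": "FortiClient Enterprise Management Server 7.4"},
    {"host": "ws-17", "vendor": "Adobe", "product": "Acrobat and Reader DC"},
    {"host": "mail01", "vendor": "Microsoft", "product": "Exchange Server 2019"},
]


def load_kev(feed_text):
    """Parse a KEV JSON document (the live feed or a saved copy) into its entries."""
    return json.loads(feed_text)["vulnerabilities"]


def product_matches(entry, asset):
    """Case-insensitive vendor equality plus product substring match in either
    direction, since inventory names rarely equal CISA's wording verbatim."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    kev_product = entry["product"].lower()
    asset_product = asset["product"].lower()
    return kev_product in asset_product or asset_product in kev_product


def triage(feed_text, inventory, today):
    """Return one row per (host, CVE) hit, soonest BOD 22-01 deadline first.
    `today` is an ISO date string so the result is reproducible."""
    now = date.fromisoformat(today)
    rows = []
    for entry in load_kev(feed_text):
        days_left = (date.fromisoformat(entry["dueDate"]) - now).days
        for asset in inventory:
            if product_matches(entry, asset):
                rows.append({
                    "host": asset["host"],
                    "cve": entry["cveID"],
                    "due": entry["dueDate"],
                    "days_left": days_left,
                    "status": "OVERDUE" if days_left < 0 else "open",
                    "ransomware": entry["knownRansomwareCampaignUse"],
                })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


def unmatched_hosts(inventory, rows):
    """Hosts with no KEV hit; list them so a silent name mismatch gets noticed."""
    hit = {r["host"] for r in rows}
    return [a["host"] for a in inventory if a["host"] not in hit]


if __name__ == "__main__":
    report = triage(KEV_SNAPSHOT, INVENTORY, "2026-04-14")  # constructed report date
    for r in report:
        print(f'{r["status"]:8} {r["days_left"]:>3}d  {r["due"]}  {r["cve"]:16} {r["host"]}')
    print("no KEV hit:", unmatched_hosts(INVENTORY, report))
```

Run against the live feed by replacing `KEV_SNAPSHOT` with the downloaded JSON text; the `knownRansomwareCampaignUse` field is carried through because CISA flags it and it is a reasonable second sort key when many items share a due date. The Exchange host lands in the unmatched list here only because the snapshot omits the Exchange CVE's details, which the article does not give; in practice an unmatched internet-facing host is a prompt to check the inventory's vendor and product strings, not a sign that it is clean.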

Shared from Scout - Be the smartest in the room.