CISA adds seven KEV entries

CISA added seven newly exploited vulnerabilities, affecting Fortinet, Microsoft and Adobe products, to its Known Exploited Vulnerabilities catalog. The update reflects ongoing rapid exploitation activity that organisations should track for patch prioritisation and mitigation planning. (x.com) (x.com)

The Known Exploited Vulnerabilities list is the federal government’s shortlist of software flaws already being used in real attacks. On April 13, the Cybersecurity and Infrastructure Security Agency added seven more entries, spanning Microsoft, Adobe and Fortinet products. (cisa.gov) A vulnerability is a bug that can let an attacker run code, steal data or gain deeper access. The catalog only includes Common Vulnerabilities and Exposures, or CVEs, after the agency has evidence they are being exploited in the wild. (cisa.gov)

The April 13 additions were CVE-2012-1854 in Microsoft Visual Basic for Applications, CVE-2023-21529 in Microsoft Exchange Server, CVE-2023-36424 and CVE-2025-60710 in Microsoft Windows, CVE-2026-21643 in Fortinet FortiClient Enterprise Management Server, and CVE-2020-9715 and CVE-2026-34621 in Adobe Acrobat products. CISA said each had evidence of active exploitation. (cisa.gov)

Several of the newly listed flaws can hand an attacker more control after an initial foothold. CISA’s catalog describes CVE-2023-36424 as an out-of-bounds read in the Windows Common Log File System Driver that could allow privilege escalation, and CVE-2025-60710 as a Windows link-following flaw that could also elevate privileges locally. (cisa.gov) (cve.org)

Fortinet’s entry, CVE-2026-21643, is a SQL (Structured Query Language) injection flaw in FortiClient Enterprise Management Server. CISA’s catalog says a crafted HTTP request could let an unauthenticated attacker execute unauthorized code or commands, and Fortinet says version 7.4.4 should be upgraded to 7.4.5 or later. (cisa.gov) (fortiguard.fortinet.com)

Adobe’s newest entry, CVE-2026-34621, affects Acrobat and Reader on Windows and macOS. Adobe published APSB26-43 on April 11 and said it was aware of exploitation in the wild; the company listed updated versions 26.001.21411 for the continuous track and 24.001.30362 on Windows or 24.001.30360 on macOS for Acrobat 2024 Classic. (helpx.adobe.com) The older Adobe flaw on the list, CVE-2020-9715, shows how long some attack paths can stay useful: Adobe disclosed that use-after-free bug in August 2020, and CISA added it to the exploitation catalog on April 13, 2026. (helpx.adobe.com) (cisa.gov)

For federal civilian executive branch agencies, the catalog is not advisory. Binding Operational Directive 22-01 requires those agencies to fix listed flaws by CISA’s deadline, and the April 13 entries carry due dates of April 16 for the Fortinet flaw and April 27 for the Adobe and Microsoft entries shown in the catalog. (cisa.gov 1) (cisa.gov 2) CISA says private companies and state and local governments should use the same list to rank patching work, even though the directive does not bind them. The practical signal in each new entry is simple: these are not theoretical bugs, and defenders now have a narrower list to check first. (cisa.gov)
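As an added example, not CISA's code and not from any of the sources cited above: a short Python script that reads a feed in the layout of the KEV catalog's public JSON export (CISA publishes the catalog as JSON and CSV; the excerpt here is constructed from the seven April 13 entries and the two due dates reported above, not downloaded) and joins it against a hypothetical asset inventory so that the hosts facing the nearest BOD 22-01 deadline come out first. The hostnames, the inventory, the "Acrobat and Reader" product string and the as-of dates are assumptions made for the example.

```python
"""Rank CISA KEV entries against a local asset inventory by BOD 22-01 due date.

Added example; not CISA's code. It uses the field names of the public
KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate) but
parses a constructed excerpt built from the April 13 entries described
in the article rather than downloading the live feed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed. Product strings and
# the two due dates follow the article; other feed fields are omitted.
KEV_FEED_JSON = json.dumps({
    "count": 7,
    "vulnerabilities": [
        {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft",
         "product": "Visual Basic for Applications",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft",
         "product": "Windows",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft",
         "product": "Windows",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
         "product": "FortiClient Enterprise Management Server",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-16"},
        {"cveID": "CVE-2020-9715", "vendorProject": "Adobe",
         "product": "Acrobat and Reader",   # assumed product string
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2026-34621", "vendorProject": "Adobe",
         "product": "Acrobat and Reader",   # assumed product string
         "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    ],
})

# Constructed inventory with hypothetical hostnames. Vendor/product strings
# are written to match the feed's naming; a real inventory needs a mapping
# step (CPE or similar) before this exact-match join is reliable.
INVENTORY = [
    {"host": "ems-01", "vendor": "Fortinet",
     "product": "FortiClient Enterprise Management Server"},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "wks-07", "vendor": "Microsoft", "product": "Windows"},
    {"host": "build-03", "vendor": "Canonical", "product": "Ubuntu"},
]


def _key(vendor: str, product: str) -> tuple[str, str]:
    """Normalise vendor/product for matching: case and surrounding space."""
    return vendor.strip().lower(), product.strip().lower()


def load_kev(feed_json: str) -> list[dict]:
    """Parse the feed text and return its vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]


def prioritize(feed_json: str, inventory: list[dict], as_of: str) -> list[dict]:
    """Join the inventory against KEV entries; soonest due date first.

    `as_of` is an ISO date. Each row names the host, the CVE, the catalog
    due date, the days left (negative once the deadline has passed) and
    an `overdue` flag.
    """
    as_of_date = date.fromisoformat(as_of)
    by_key: dict[tuple[str, str], list[dict]] = {}
    for entry in load_kev(feed_json):
        key = _key(entry["vendorProject"], entry["product"])
        by_key.setdefault(key, []).append(entry)

    queue = []
    for asset in inventory:
        for entry in by_key.get(_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            queue.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "daysLeft": (due - as_of_date).days,
                "overdue": due < as_of_date,
            })
    # Earliest deadline first; CVE id and host only break ties deterministically.
    queue.sort(key=lambda row: (row["dueDate"], row["cveID"], row["host"]))
    return queue


def due_within(queue: list[dict], days: int) -> list[dict]:
    """Rows due within `days` of the as-of date, overdue rows included."""
    return [row for row in queue if row["daysLeft"] <= days]


if __name__ == "__main__":
    today = "2026-04-14"  # constructed as-of date, the day after the additions
    for row in prioritize(KEV_FEED_JSON, INVENTORY, today):
        flag = "OVERDUE" if row["overdue"] else f"{row['daysLeft']:>3}d"
        print(f"{row['host']:<9}{row['cveID']:<16}{row['dueDate']}  {flag}")
```

Run against the constructed data on April 14, the FortiClient EMS host surfaces first with two days left, the Exchange and Windows hosts follow with thirteen, and the Ubuntu build box, which matches nothing in the excerpt, is absent. Exact vendor/product matching is deliberate here so the join is easy to read; the real work in production is the normalisation layer that turns inventory strings into the catalog's names.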

Shared from Scout - Be the smartest in the room.