CISA adds six KEV flaws

The U.S. Cybersecurity and Infrastructure Security Agency added six actively exploited vulnerabilities, including issues in Fortinet, Microsoft Exchange Server and Windows CLFS, to its Known Exploited Vulnerabilities catalog and set a federal patch deadline of April 27, 2026. The bulletin specifically warned of an actively exploited Fortinet SQL injection flaw and of issues in other widely used products that require rapid remediation and evidence of fixes. (thehackernews.com)

A software flaw is a bug attackers can turn into a break-in, and the Cybersecurity and Infrastructure Security Agency just flagged seven more that are already being used in real attacks. One of them, a Fortinet FortiClient Enterprise Management Server bug, carries a patch deadline of April 16 for federal agencies. (cisa.gov) The April 13 update added seven entries to the Known Exploited Vulnerabilities catalog: two Adobe Acrobat bugs, three Microsoft bugs, one Fortinet bug and one older Microsoft Visual Basic for Applications bug. The list includes Microsoft Exchange Server remote code execution, a Windows Common Log File System driver flaw and a Windows task host privilege-escalation bug. (cisa.gov)

The Fortinet issue is CVE-2026-21643, a structured query language injection bug in FortiClient Enterprise Management Server. Fortinet said an unauthenticated attacker can use crafted Hypertext Transfer Protocol requests to execute unauthorized code or commands, and said the flaw has been exploited in the wild. (fortiguard.fortinet.com) Structured query language injection is a way of slipping malicious database commands into a web request, like handing a clerk a fake form that changes the filing cabinet instead of just reading it. In this case, CISA set a faster April 16 due date for federal civilian agencies, while the other six April 13 additions carry an April 27 deadline. (cisa.gov)

The Known Exploited Vulnerabilities catalog is CISA's running list of bugs with evidence of real-world exploitation, not just lab proof or theoretical risk. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must fix listed flaws by CISA's due date or stop using the affected product if no mitigation exists. (cisa.gov)

That matters for Exchange Server because it remains widely deployed for on-premises email, and CISA's new entry says CVE-2023-21529 lets an authenticated attacker achieve remote code execution through unsafe data deserialization. The National Vulnerability Database describes it as a Microsoft Exchange Server remote code execution vulnerability. (cisa.gov) (nvd.nist.gov)

It also matters for Windows because two of the new entries are privilege-escalation bugs, which attackers often use after an initial foothold to take fuller control of a machine. The National Vulnerability Database says CVE-2025-60710 affects Host Process for Windows Tasks through improper link resolution before file access, and CISA's catalog says CVE-2023-36424 is a Windows Common Log File System driver flaw. (nvd.nist.gov) (cisa.gov) The Windows Common Log File System is a built-in logging component that helps programs record events, like a system notebook the operating system trusts. Microsoft said a different actively exploited Common Log File System zero-day, CVE-2025-29824, was used by a ransomware actor to elevate privileges after compromise, showing why these bugs keep getting urgent attention. (microsoft.com)

CISA says the directive applies only to federal civilian agencies, but it "strongly urges all organizations" to prioritize fixes for Known Exploited Vulnerabilities as part of routine patching. For network defenders, the practical change is simple: these seven bugs moved from "should patch" to "patch on deadline." (cisa.gov)
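As an added example (not code from CISA, Fortinet, Microsoft or the Scout briefing), the following Python script shows the kind of check a defender runs when new entries land: it reads a feed excerpt laid out like CISA's public KEV JSON (the field names `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` are assumed from that feed), matches it against a constructed product inventory, and reports the days remaining until each Binding Operational Directive 22-01 due date, flagging anything already overdue. The entries are constructed from the CVEs and dates cited above; the inventory and the "today" date are placeholders.

```python
"""Triage a CISA KEV feed excerpt against a local asset inventory.

Added example, not code from CISA or the Scout briefing. The JSON layout
follows the field names of CISA's public known_exploited_vulnerabilities.json
feed (assumed); the entries are constructed from the April 13, 2026 additions
described in the briefing, and the inventory is a constructed placeholder.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed (only page-cited fields filled in).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
     "product": "FortiClient Enterprise Management Server",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-16"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft",
     "product": "Exchange Server", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft",
     "product": "Windows", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft",
     "product": "Windows", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
]})

# Constructed inventory: the vendor/product pairs this organisation actually runs.
INVENTORY = {("Microsoft", "Exchange Server"), ("Microsoft", "Windows")}


def kev_triage(feed_json, inventory, today_iso):
    """Return KEV entries that match the inventory, most urgent first.

    Each result carries the CVE, the due date and days_left, which goes
    negative once the BOD 22-01 due date has passed (the fix is overdue).
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for e in json.loads(feed_json)["vulnerabilities"]:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue  # not deployed here; nothing to patch
        due = date.fromisoformat(e["dueDate"])
        hits.append({"cve": e["cveID"], "product": e["product"],
                     "due": e["dueDate"], "days_left": (due - today).days})
    return sorted(hits, key=lambda h: (h["days_left"], h["cve"]))


if __name__ == "__main__":
    for h in kev_triage(KEV_FEED, INVENTORY, "2026-04-20"):
        status = "OVERDUE" if h["days_left"] < 0 else f"{h['days_left']} days left"
        print(f"{h['cve']:16} {h['product']:16} due {h['due']}  {status}")
```

Swapping the constructed feed for the real catalog download and the placeholder inventory for a CMDB export turns this into a daily due-date report.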

Shared from Scout - Be the smartest in the room.