CISA adds KEV entries
CISA added six known exploited vulnerabilities affecting Fortinet, Microsoft and Adobe to its Known Exploited Vulnerabilities catalogue, with federal agencies required to remediate by April 27. The additions are a small set of high-priority flaws that asset owners need to identify, test and schedule for remediation together. (thehackernews.com)
The Cybersecurity and Infrastructure Security Agency added nine more actively exploited software flaws to its Known Exploited Vulnerabilities list on April 13 and April 14, setting patch deadlines as soon as April 16. (cisa.gov) The April 13 batch covered seven bugs: Adobe Acrobat flaws tracked as CVE-2020-9715 and CVE-2026-34621, a Fortinet FortiClient Enterprise Management Server flaw tracked as CVE-2026-21643, and four Microsoft flaws in Visual Basic for Applications, Exchange Server, Windows, and Windows link handling. (cisa.gov) On April 14, the agency added two more Microsoft flaws: CVE-2009-0238 in Microsoft Office and CVE-2026-32201 in Microsoft SharePoint Server. Federal Civilian Executive Branch agencies must fix both by April 28. (cisa.gov)

The Known Exploited Vulnerabilities catalog is the federal government's running list of bugs that attackers are already using in real intrusions, not a general list of every severe software defect. CISA says it adds an entry only when it has reliable evidence that a threat actor is actively exploiting the flaw. (cisa.gov) The list carries deadlines because of Binding Operational Directive 22-01, a November 3, 2021 order that requires federal civilian agencies to remediate listed flaws on a set timetable. The directive applies to agency systems whether they are run on premises or by third parties on an agency's behalf. (cisa.gov)

The shortest deadline in this round is for Fortinet's CVE-2026-21643. CISA's catalog gives agencies until April 16, and Fortinet said the FortiClient Enterprise Management Server SQL injection bug can let an unauthenticated attacker execute unauthorized code or commands through crafted HTTP requests. (cisa.gov) (fortiguard.fortinet.com)

Adobe's newer flaw, CVE-2026-34621, was disclosed in bulletin APSB26-43 on April 11. Adobe said successful exploitation in Acrobat and Reader on Windows and macOS could lead to arbitrary code execution and that it was aware of exploitation in the wild. (helpx.adobe.com) Adobe's older flaw, CVE-2020-9715, dates to an August 11, 2020 bulletin for Acrobat and Reader. Adobe said that bug could also lead to arbitrary code execution in the context of the current user. A six-year-old defect appearing on an urgent remediation list is a reminder that attackers keep using old bugs for as long as unpatched installations remain in use. (helpx.adobe.com)

CISA's catalog now lists 1,566 vulnerabilities, and each entry tells agencies whether to apply vendor mitigations, follow cloud guidance, or discontinue use of the product if no fix is available. The agency also says organizations outside the federal directive should still use the catalog to prioritize patching. (cisa.gov)

For security teams, the immediate task is narrower than a full patch cycle: find the named products, confirm exposure, test the vendor fixes, and meet the federal due dates. For everyone else, the catalog remains a short list of flaws that have already moved from theory to real attacks. (cisa.gov)
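One practical way to run that triage against the machine-readable catalog, as an added example that is not CISA's code or anything from the cited reports: the script below parses a feed in the KEV JSON schema, keeps the entries added in a date window, matches them against a local vendor/product inventory and computes the days remaining to each BOD 22-01 due date. CISA publishes the catalog as JSON at the URL named in the block; the feed embedded here is a constructed sample whose CVE IDs, vendors, products and the April 16 / April 28 due dates follow the article, while the Adobe due dates, the description text and the inventory list are placeholders, and the older Log4j entry is included only as an out-of-window control.

```python
import json
from datetime import date

# Real location of the catalog; not fetched here, the block runs on the embedded sample.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's schema. CVE IDs, vendors, products and the
# 2026-04-16 / 2026-04-28 due dates follow the article; the Adobe due dates and
# the shortDescription strings are placeholders, and the 2021 Log4j entry is a
# real older catalog entry used only to show that out-of-window rows are dropped.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "shortDescription": "SQL injection reachable by unauthenticated HTTP requests (placeholder text)",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-16", "requiredAction": "Apply vendor fix"},
        {"cveID": "CVE-2026-34621", "vendorProject": "Adobe", "product": "Acrobat and Reader",
         "shortDescription": "Arbitrary code execution (placeholder text)",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-20", "requiredAction": "Apply vendor fix"},
        {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat and Reader",
         "shortDescription": "Arbitrary code execution (placeholder text)",
         "dateAdded": "2026-04-13", "dueDate": "2026-04-20", "requiredAction": "Apply vendor fix"},
        {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint Server",
         "shortDescription": "Placeholder text",
         "dateAdded": "2026-04-14", "dueDate": "2026-04-28", "requiredAction": "Apply vendor fix"},
        {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft", "product": "Office",
         "shortDescription": "Placeholder text",
         "dateAdded": "2026-04-14", "dueDate": "2026-04-28", "requiredAction": "Apply vendor fix"},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "shortDescription": "Out-of-window control entry",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "requiredAction": "Apply vendor fix"},
    ],
})

# Placeholder inventory: (vendor, product) pairs as a team might export them from a CMDB.
INVENTORY = [("Fortinet", "FortiClient EMS"), ("Microsoft", "SharePoint Server"), ("Adobe", "Acrobat")]


def load_entries(feed_text):
    """Parse a KEV-schema feed and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def added_between(entries, start, end):
    """Keep entries whose dateAdded falls within [start, end] (ISO date strings)."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return [e for e in entries if lo <= date.fromisoformat(e["dateAdded"]) <= hi]


def affects_inventory(entry, inventory):
    """Match on exact vendor and a case-insensitive substring of the product name in either direction."""
    vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
    for inv_vendor, inv_product in inventory:
        if vendor == inv_vendor.lower():
            p = inv_product.lower()
            if p in product or product in p:
                return True
    return False


def triage(feed_text, inventory, today, start, end):
    """Rows for in-window entries that touch the inventory, ordered by due date then CVE ID."""
    today_d = date.fromisoformat(today)
    rows = []
    for e in added_between(load_entries(feed_text), start, end):
        if not affects_inventory(e, inventory):
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cve": e["cveID"], "vendor": e["vendorProject"], "product": e["product"],
            "due": e["dueDate"], "days_left": (due - today_d).days, "overdue": due < today_d,
            "action": e["requiredAction"],
        })
    rows.sort(key=lambda r: (r["due"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_FEED, INVENTORY, "2026-04-15", "2026-04-13", "2026-04-14"):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['cve']:16} {r['vendor']:10} {r['product']:20} due {r['due']} ({flag})")
```

Against a live download of the feed the same `triage` call works unchanged; the two things a team usually has to tune are the inventory matcher, since CISA's product strings do not always line up with CMDB names, and the date window, which for routine use is simply the last catalog pull date to today.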