CISA adds KEV items; Microsoft’s big Patch Tuesday

CISA added six actively exploited vulnerabilities — including a Fortinet SQL‑injection — to its Known Exploited Vulnerabilities list with a federal remediation deadline, while Microsoft’s April bulletin fixed 167 flaws including two zero‑days and an actively exploited SharePoint issue. Reports highlight active exploitation of Exchange and Windows CLFS alongside the Fortinet bug and urge prioritisation of auth‑adjacent infrastructure (thehackernews.com) (cybersecuritynews.com) (bleepingcomputer.com).

The U.S. cyber agency and Microsoft both moved on April 14: the Cybersecurity and Infrastructure Security Agency added newly exploited bugs to its must-fix list, and Microsoft shipped one of its biggest monthly security updates on record. (cisa.gov) (krebsonsecurity.com)

CISA said federal civilian agencies must remediate Known Exploited Vulnerabilities catalog entries by their deadlines under Binding Operational Directive 22-01, and it urges private organizations to use the catalog to prioritize patching because the listed flaws have been exploited in the wild. (cisa.gov 1) (cisa.gov 2) CISA's public advisory feed shows a burst of catalog additions this week, including alerts for seven vulnerabilities on April 13 and two more on April 14, after separate one-item additions on April 6 and April 8. (cisa.gov)

A software vulnerability is a coding mistake that can let outsiders break in, raise privileges, or run commands, and the Known Exploited Vulnerabilities list is CISA's shorter queue of bugs with evidence of real-world attacks. (cisa.gov) That matters because defenders are not choosing from every disclosed bug; they are choosing from the subset attackers are already using. CISA says the catalog is meant to tell agencies and companies which flaws are causing "immediate harm" based on adversary activity. (cisa.gov)

Fortinet's own advisories show why configuration details matter. One April focus area was a FortiOS authentication bypass tied to TACACS+ setups that use ASCII authentication, while Fortinet said PAP, MSCHAP, CHAP, and the default auto setting were not affected. (fortiguard.com) Fortinet also published fixes for a separate certificate-validation flaw in FortiOS and FortiSASE, with patched versions including FortiOS 7.6.2 and 7.4.8. (fortiguard.com)

Microsoft's April 14 Patch Tuesday was unusually large. KrebsOnSecurity reported 167 fixed vulnerabilities, while Tenable counted 163 Microsoft CVEs and said its total excludes two non-Microsoft entries that appeared in Microsoft's release. (krebsonsecurity.com) (tenable.com) Tenable said the April release included two zero-days, with one exploited in the wild, and identified the exploited issue as CVE-2026-32201. Krebs reported the same release included a SharePoint Server zero-day and a publicly disclosed Microsoft Defender weakness known as BlueHammer. (tenable.com) (krebsonsecurity.com) Cisco Talos counted 165 vulnerabilities in the same Microsoft release and highlighted a critical Windows Internet Key Exchange bug, CVE-2026-33824, that could allow remote code execution if Internet Key Exchange version 2 is exposed on UDP ports 500 or 4500. (blog.talosintelligence.com)

The count differences do not change the immediate workload for defenders. CISA's catalog says which bugs are already being used, and Microsoft's April release gives administrators a large batch of fixes to test and deploy across Windows, SharePoint, Office, and security tools. (cisa.gov) (krebsonsecurity.com)
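The prioritization the catalog is meant to drive, turned into a small triage script: it reads a KEV-shaped JSON document, joins entries to a local asset inventory by vendor and product, and ranks what is due first under the BOD 22-01 deadlines. This is an added example, not CISA's or any vendor's tooling. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed, but every record below is a constructed sample with placeholder CVE numbers, not real catalog data, and the inventory and `triage_sample` helper are assumptions for illustration.

```python
"""Rank CISA KEV entries against a local asset inventory by remediation due date.

Added example, not from the briefing or from CISA. Field names follow the
public KEV JSON feed; the records and inventory below are CONSTRUCTED.
"""
import json
from datetime import date

# Constructed sample in the KEV feed's shape. CVE numbers are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "Placeholder authentication bypass", "dateAdded": "2026-04-13",
         "shortDescription": "Constructed sample.", "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-00002", "vendorProject": "Microsoft", "product": "SharePoint Server",
         "vulnerabilityName": "Placeholder remote code execution", "dateAdded": "2026-04-14",
         "shortDescription": "Constructed sample.", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-04-20", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-00003", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Placeholder privilege escalation", "dateAdded": "2026-03-20",
         "shortDescription": "Constructed sample.", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-00004", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Placeholder, not in inventory", "dateAdded": "2026-04-14",
         "shortDescription": "Constructed sample.", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-04-28", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory: what this estate actually runs.
INVENTORY = [
    {"host": "fw-edge-01", "vendorProject": "Fortinet", "product": "FortiOS"},
    {"host": "sp-app-01", "vendorProject": "Microsoft", "product": "SharePoint Server"},
    {"host": "ws-fin-07", "vendorProject": "Microsoft", "product": "Windows"},
    {"host": "ws-fin-08", "vendorProject": "Microsoft", "product": "Windows"},
]


def parse_kev(raw_json):
    """Return the list of catalog entries from a KEV-shaped JSON document."""
    return json.loads(raw_json)["vulnerabilities"]


def _key(vendor, product):
    # Case-insensitive join key; real feeds need a product-name mapping on top of this.
    return (vendor.strip().lower(), product.strip().lower())


def triage(entries, inventory, today):
    """Join KEV entries to inventory hosts and sort by urgency.

    Overdue items (negative days left) sort first, then the nearest due date;
    on the same day, entries with known ransomware use come ahead of others.
    """
    hosts_by_product = {}
    for asset in inventory:
        hosts_by_product.setdefault(_key(asset["vendorProject"], asset["product"]), []).append(asset["host"])
    work = []
    for entry in entries:
        hosts = hosts_by_product.get(_key(entry["vendorProject"], entry["product"]))
        if not hosts:
            continue  # exploited in the wild, but nothing here runs it
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        work.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "hosts": sorted(hosts),
            "dueDate": entry["dueDate"],
            "daysLeft": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    work.sort(key=lambda w: (w["daysLeft"], not w["ransomware"]))
    return work


def triage_sample(today_iso="2026-04-15"):
    """Run the triage over the constructed sample as of a fixed date."""
    return triage(parse_kev(SAMPLE_KEV_JSON), INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for item in triage_sample():
        flag = "OVERDUE" if item["overdue"] else f"{item['daysLeft']}d left"
        print(f"{item['cveID']:<14} {item['product']:<18} due {item['dueDate']} ({flag}) hosts={','.join(item['hosts'])}")
```

Pointed at the live feed and a real CMDB export, the same join is the first cut of a patch queue: entries with no matching asset drop out, and the remaining list is ordered by the deadline the directive imposes rather than by CVSS.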
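Because the Fortinet advisory turns on one setting, a configuration audit is the practical check: walk a FortiOS config backup and report which TACACS+ server entries use ASCII authentication, treating an entry with no explicit mode as the default auto, which Fortinet lists as unaffected. This is an added example, not Fortinet's tooling. It assumes the FortiOS CLI layout `config user tacacs+` / `edit "<name>"` / `set authen-type <mode>` / `next` / `end`, with modes auto, ascii, pap, chap and mschap; confirm the keyword against the CLI reference for your firmware. The configuration text is constructed.

```python
"""Find TACACS+ entries in a FortiOS config dump that use ASCII authentication.

Added example, not Fortinet's code. ASSUMES the CLI keyword `set authen-type`
under `config user tacacs+`; the config below is CONSTRUCTED.
"""
import re

SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config user tacacs+
    edit "tac-legacy"
        set server "10.0.0.5"
        set key ENC placeholder
        set authen-type ascii
    next
    edit "tac-main"
        set server "10.0.0.6"
        set key ENC placeholder
        set authen-type mschap
    next
    edit "tac-default"
        set server "10.0.0.7"
        set key ENC placeholder
    next
end
"""

# Per the advisory as summarised above: only ASCII is affected; auto is the default.
AFFECTED_MODES = {"ascii"}
DEFAULT_MODE = "auto"

_EDIT_RE = re.compile(r'^edit "(.+)"$')
_AUTHEN_RE = re.compile(r"^set authen-type (\S+)$")


def parse_tacacs_servers(config_text):
    """Return {entry_name: authen_type} for every entry under `config user tacacs+`.

    Uses a depth counter so nested `config ... end` blocks inside an entry do
    not end the TACACS+ section early.
    """
    servers = {}
    depth = 0          # nesting depth inside the tacacs+ block; 0 means outside it
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config user tacacs+":
                depth = 1
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            continue
        if depth != 1:
            continue   # inside a nested sub-block of an entry; not our keyword
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            servers[current] = DEFAULT_MODE   # applies until an explicit authen-type is seen
            continue
        m = _AUTHEN_RE.match(line)
        if m and current is not None:
            servers[current] = m.group(1).lower()
            continue
        if line == "next":
            current = None
    return servers


def find_affected(config_text):
    """Names of TACACS+ entries whose authentication mode is in AFFECTED_MODES."""
    return sorted(name for name, mode in parse_tacacs_servers(config_text).items()
                  if mode in AFFECTED_MODES)


if __name__ == "__main__":
    for name, mode in parse_tacacs_servers(SAMPLE_CONFIG).items():
        print(f"{name:<14} authen-type={mode}")
    print("affected entries:", find_affected(SAMPLE_CONFIG))
```

Run across a fleet's config backups, the output is the list of devices that need the FortiOS update or a mode change first; entries reported as auto, pap, chap or mschap fall outside the advisory's affected configuration as the briefing describes it.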

Shared from Scout - Be the smartest in the room.