CISA adds six exploited flaws

CISA added six actively exploited vulnerabilities affecting Fortinet, Microsoft and Adobe to its Known Exploited Vulnerabilities catalogue and ordered federal agencies to patch by April 27. The update bundles cross‑vendor high‑risk items that accelerate patching timelines for many organisations. (thehackernews.com)

The Cybersecurity and Infrastructure Security Agency on April 13 added seven actively exploited software flaws to its Known Exploited Vulnerabilities list and told federal agencies to patch on deadlines that run as early as April 16. (cisa.gov) The new entries span Microsoft Windows, Microsoft Exchange Server, Adobe Acrobat, Adobe Acrobat and Reader, and Fortinet FortiClient Enterprise Management Server. CISA listed CVE-2012-1854, CVE-2020-9715, CVE-2023-21529, CVE-2023-36424, CVE-2025-60710, CVE-2026-21643, and CVE-2026-34621 on April 13. (cisa.gov) Most of the new entries carry an April 27 remediation deadline for Federal Civilian Executive Branch agencies, but the Fortinet flaw, CVE-2026-21643, has an earlier April 16 due date in CISA’s catalog. CISA’s catalog entry describes that Fortinet bug as a SQL injection issue in FortiClient Enterprise Management Server that can let an unauthenticated attacker run unauthorized code or commands through crafted Hypertext Transfer Protocol requests. (cisa.gov)

A vulnerability is a software bug; a “known exploited” vulnerability is one attackers are already using in real intrusions. CISA says it adds flaws to the catalog only when a bug has a Common Vulnerabilities and Exposures identifier, reliable evidence of exploitation in the wild, and a clear vendor fix or mitigation. (cisa.gov) That catalog drives federal patching because Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to fix listed flaws by CISA’s due date. CISA says private companies, state and local governments, tribal governments, and territorial governments should also use the list to prioritize patching, even though the directive does not legally bind them. (cisa.gov; cisa.gov)

The Adobe entries cover two different code-execution paths: CVE-2020-9715 in Acrobat and CVE-2026-34621 in Acrobat and Reader. The Microsoft entries include one flaw in Exchange Server, two in Windows, and one in Visual Basic for Applications, according to CISA’s April 13 alert. (cisa.gov; cisa.gov) CISA describes CVE-2023-36424 as an out-of-bounds read in the Windows Common Log File System driver that could let an attacker gain higher privileges. The catalog describes CVE-2025-60710 as a Windows link-following bug, a class of flaw that can let a program be tricked into touching the wrong file or path. (cisa.gov)

Fortinet has separately warned that attackers were exploiting other Fortinet products earlier this year, including CVE-2026-24858, an authentication-bypass flaw that led the company to disable FortiCloud single sign-on on January 26 before restoring service on January 27 with protections for patched devices. That January case is separate from the FortiClient Enterprise Management Server flaw CISA added on April 13, but it shows how quickly internet-facing management tools can become targets. (cisa.gov)

CISA’s catalog now contains more than 1,500 entries, and the agency calls it the authoritative federal list of vulnerabilities being exploited in the wild. For security teams, the April 13 update turns seven old and new bugs into immediate patching work with fixed federal deadlines. (cisa.gov; cisa.gov)
