The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority update to its Known Exploited Vulnerabilities (KEV) Catalog, adding six vulnerabilities affecting widely used enterprise technologies.
This inclusion confirms active exploitation in real-world environments, with threat actors targeting endpoint management systems, email infrastructure, Windows components, and document processing software to achieve remote code execution (RCE), privilege escalation, and initial access for ransomware deployment.
Organizations leveraging these technologies should treat this as an immediate remediation priority.
Affected Technologies & Vulnerability Breakdown
Fortinet FortiClient EMS
- CVE: CVE-2026-21643
- Vulnerability Type: SQL Injection
A critical SQL injection flaw in FortiClient Endpoint Management Server (EMS) allows attackers to send specially crafted HTTP requests to execute arbitrary database queries.
Active exploitation has been observed since March 2026, indicating that attackers are actively scanning and weaponizing this vulnerability in the wild.
Adobe Acrobat Reader
- CVE: CVE-2020-9715
- Vulnerability Type: Use-After-Free
Description
A memory corruption flaw triggered when processing specially crafted PDF files.
Microsoft Windows Common Log File System (CLFS) Driver
- CVE: CVE-2023-36424
- Vulnerability Type: Out-of-Bounds Read
Description
Improper memory handling within the CLFS driver allows attackers to manipulate memory structures.
Microsoft Exchange Server
- CVE: CVE-2023-21529
- Vulnerability Type: Insecure Deserialization
Description
Improper handling of untrusted serialized data allows attackers to execute arbitrary code. This vulnerability is being actively weaponized by a threat actor tracked as Storm-1175, linked to ransomware deployment campaigns, including Medusa ransomware operations.
Windows Host Process for Tasks
- CVE: CVE-2025-60710
- Vulnerability Type: Improper Link Resolution
Description
Improper validation of file paths allows attackers to manipulate file access operations.
Microsoft Visual Basic for Applications (VBA)
- CVE: CVE-2012-1854
- Vulnerability Type: Insecure Library Loading
Description
A legacy vulnerability that allows malicious DLLs to be loaded by trusted applications.
Although originally disclosed in 2012, this vulnerability continues to be leveraged in targeted and modern attack chains, highlighting risks from unpatched legacy components.
Remediation Timeline
CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by: April 27, 2026
Organizations outside this scope are strongly advised to follow the same timeline due to confirmed exploitation activity.
Mitigations
Monitor for:
- Suspicious HTTP requests targeting Fortinet EMS
- Unusual processes on Exchange servers
- Abnormal privilege escalation activity on endpoints
Enable logging for:
- Authentication attempts
- Process creation events
- Network anomalies
Apply vendor security patches and updates across all affected systems.
Prioritize internet-facing and critical infrastructure assets.
Conduct enterprise-wide vulnerability scans.
.png)
.png)