CISA Flags 6 Actively Exploited Vulnerabilities Across Fortinet, Microsoft, and Adobe
New KEV additions highlight real-world attacks targeting enterprise software and critical systems
The Cybersecurity and Infrastructure Security Agency (CISA) has added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This move confirms that attackers are actively exploiting these flaws in real-world environments.
The vulnerabilities impact widely used technologies from Fortinet, Microsoft, and Adobe. As a result, organizations must treat this update as a high-priority security alert.
Key Vulnerabilities Identified
CISA highlighted the following critical vulnerabilities:
- CVE-2026-21643 (CVSS 9.1)
An SQL injection flaw in FortiClient EMS. Attackers can execute unauthorized commands using crafted HTTP requests. - CVE-2020-9715 (CVSS 7.8)
A use-after-free issue that allows remote code execution through malicious files. - CVE-2023-36424 (CVSS 7.8)
An out-of-bounds read flaw in Windows that enables privilege escalation. - CVE-2023-21529 (CVSS 8.8)
A deserialization flaw that allows authenticated attackers to execute code remotely. - CVE-2025-60710 (CVSS 7.8)
A link resolution issue that allows local privilege escalation. - CVE-2012-1854 (CVSS 7.8)
An older vulnerability still used in targeted attacks for remote code execution.
Active Exploitation Insights
The inclusion of CVE-2026-21643 follows reports from Defused Cyber, which detected exploitation attempts starting March 2026. This suggests rapid weaponization after disclosure.
Meanwhile, Microsoft confirmed that the threat group Storm-1175 has been exploiting CVE-2023-21529. The attackers use it to deploy Medusa ransomware in targeted campaigns.
Interestingly, even older vulnerabilities like CVE-2012-1854 remain relevant. Attackers continue to use legacy flaws where patching is incomplete.
Why This Matters
The KEV catalog is not just a list. It reflects vulnerabilities that attackers actively exploit today.
Therefore, inclusion in KEV signals immediate risk. Organizations that delay patching increase their exposure significantly.
Additionally, the mix of new and old vulnerabilities highlights a key issue. Many organizations still struggle with patch management and asset visibility.
What Organizations Should Do
- Prioritize patching for all KEV-listed vulnerabilities
- Identify exposed systems, especially internet-facing assets
- Monitor for unusual activity linked to these CVEs
- Strengthen vulnerability management programs
For government agencies, CISA has set a deadline of April 27, 2026, to apply fixes. However, private organizations should act even faster.
Regional Perspective (UAE & GCC)
Organizations in the UAE and GCC should take this update seriously. Many enterprises in the region rely on Microsoft, Fortinet, and Adobe products.
Therefore, these vulnerabilities present a direct risk to business operations. Attackers often reuse global exploits in regional campaigns.
A proactive patching strategy can significantly reduce exposure.