
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Here is the list of vulnerabilities:
CVE-2026-21643 (CVSS score: 9.1) – A SQL injection vulnerability in Fortinet FortiClient EMS could allow an unauthenticated attacker to execute malicious code or commands via a specially crafted HTTP request.
CVE-2020-9715 (CVSS score: 7.8) – A use-after-free vulnerability in Adobe Acrobat Reader could lead to remote code execution.
CVE-2023-36424 (CVSS score: 7.8) – An out-of-bounds read vulnerability in the Microsoft Windows Common Log File System driver could lead to privilege escalation.
CVE-2023-21529 (CVSS score: 8.8) – Untrusted data deserialization in Microsoft Exchange Server could allow an authenticated attacker to execute remote code.
CVE-2025-60710 (CVSS score: 7.8) – Improper link resolution before file access in the Windows task host process could allow an authorized attacker to locally escalate privileges.
CVE-2012-1854 (CVSS score: 7.8) – Insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) could allow remote code execution.
CVE-2026-21643 was added to the KEV catalog after Defused Cyber reported observing exploitation attempts against this flaw beginning on March 24, 2026. Last week, Microsoft revealed that a threat actor it tracks as Storm-1175 was weaponizing CVE-2023-21529 in attacks delivering Medusa ransomware.
Regarding CVE-2012-1854, the Windows maker acknowledged in an advisory released in July 2012 that it was aware of “limited targeted attacks” attempting to exploit this vulnerability. The exact nature of the attack is unknown at this time.
There are currently no public reports describing exploitation of the remaining three vulnerabilities. Because the catalog is the basis for remediation obligations under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies have until April 27, 2026 to apply the vendor fixes in light of the active attacks.
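The practical question behind a KEV addition is which of your own assets it touches and how many days remain before the due date. The following triage script is an added example written for this article, not tooling from CISA or from any vendor named above. It parses a constructed sample in the shape of CISA's KEV JSON feed (only the `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields, which the real feed carries alongside others) and matches it against a constructed asset inventory. The CVE identifiers, products and the April 27, 2026 due date are taken from the article; every host name, the ransomware flag values and the "already remediated" records are placeholders invented for the example.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs, products and due date come from the article; the ransomware flags and
# the omitted fields are placeholders, not values copied from the live catalog.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft",
         "product": "Visual Basic for Applications",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed inventory: hypothetical hosts and the vendor/product they run.
INVENTORY = [
    {"host": "mail01.corp.example", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "ems01.corp.example", "vendor": "Fortinet", "product": "FortiClient EMS"},
    {"host": "ws-042.corp.example", "vendor": "Microsoft", "product": "Windows"},
]

# Constructed remediation records: host -> CVEs already patched there.
REMEDIATED = {"ws-042.corp.example": {"CVE-2023-36424"}}


def triage_kev(kev_json, inventory, remediated, today_iso):
    """Return open KEV findings for the inventory, most urgent first.

    Matching is deliberately naive (case-insensitive equality on vendor and
    product); real KEV product names vary ("Windows", "Windows Server",
    "Multiple Products"), so production use needs a mapping table.
    """
    catalog = json.loads(kev_json)["vulnerabilities"]
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in catalog:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if asset["product"].lower() != entry["product"].lower():
                continue
            if entry["cveID"] in remediated.get(asset["host"], set()):
                continue  # already fixed on this host
            days_left = (due - today).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Overdue items first, then ransomware-linked ones, then soonest due date.
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["days_left"]))
    return findings


if __name__ == "__main__":
    for f in triage_kev(SAMPLE_KEV_JSON, INVENTORY, REMEDIATED, date.today().isoformat()):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']:>3}d left"
        rw = " ransomware" if f["ransomware"] else ""
        print(f"{f['host']:<22} {f['cve']:<16} due {f['due']} {flag}{rw}")
```

Run against the live feed by replacing `SAMPLE_KEV_JSON` with the downloaded file; the sort order is the point: an overdue item outranks a ransomware-linked one, which outranks everything else, so the top of the list is what the on-call engineer should look at first.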
