Recent Cybersecurity Threats: CISA Adds Known Exploited Vulnerabilities to Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities have been actively exploited.
List of Vulnerabilities:
- CVE-2026-21643 (CVSS score: 9.1) – A serious SQL injection vulnerability in Fortinet FortiClient EMS that enables unauthorized code execution through specially crafted HTTP requests.
- CVE-2020-9715 (CVSS score: 7.8) – A use-after-free vulnerability in Adobe Acrobat Reader that could lead to remote code execution.
- CVE-2023-36424 (CVSS score: 7.8) – An out-of-bounds read vulnerability in Microsoft Windows Common Log File System Driver that could result in privilege escalation.
- CVE-2023-21529 (CVSS score: 8.8) – A vulnerability in Microsoft Exchange Server allowing remote code execution by deserializing untrusted data.
- CVE-2025-60710 (CVSS score: 7.8) – An improper link resolution vulnerability in Host Process for Windows Tasks that permits local privilege escalation.
- CVE-2012-1854 (CVSS score: 7.8) – An insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) facilitating remote code execution.
The inclusion of CVE-2026-21643 in the KEV catalog was prompted by Defused Cyber’s detection of exploitation attempts starting from March 24, 2026. Additionally, Microsoft has reported that threat actor Storm-1175 is exploiting CVE-2023-21529 to distribute Medusa ransomware.
Regarding CVE-2012-1854, Microsoft acknowledged targeted attacks exploiting this vulnerability back in July 2012. However, the specifics of these attacks remain undisclosed.
There are no public reports of exploitation for the other three vulnerabilities (CVE-2020-9715, CVE-2023-36424, and CVE-2025-60710). Federal Civilian Executive Branch (FCEB) agencies are nonetheless mandated to apply the necessary fixes by April 27, 2026, except for the FortiClient EMS vulnerability, which must be patched by April 16, 2026.

