The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The list of vulnerabilities is as follows –
- CVE-2026-21643 (CVSS score: 9.1) – An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
- CVE-2020-9715 (CVSS score: 7.8) – A use-after-free vulnerability in Adobe Acrobat Reader that could result in remote code execution.
- CVE-2023-36424 (CVSS score: 7.8) – An out-of-bounds read vulnerability in Microsoft Windows Common Log File System Driver that could result in privilege escalation.
- CVE-2023-21529 (CVSS score: 8.8) – A deserialization of untrusted data vulnerability in Microsoft Exchange Server that could allow an authenticated attacker to achieve remote code execution.
- CVE-2025-60710 (CVSS score: 7.8) – An improper link resolution before file access vulnerability in Host Process for Windows Tasks that could allow an authorized attacker to elevate privileges locally.
- CVE-2012-1854 (CVSS score: 7.8) – An insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) that could result in remote code execution.
The addition of CVE-2026-21643 to the KEV catalog comes after Defused Cyber said it detected exploitation attempts targeting the flaw since March 24, 2026. Last week, Microsoft revealed that a threat actor it tracks as Storm-1175 has been weaponizing CVE-2023-21529 in attacks to deliver Medusa ransomware.
As for CVE-2012-1854, the Windows maker acknowledged in an advisory released in July 2012 that it was aware of “limited, targeted attacks” attempting to abuse the vulnerability. The exact nature of the attacks is presently unknown.
There are currently no public reports referencing the exploitation of the remaining three vulnerabilities. In light of active attacks, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by April 27, 2026.