Another week, another reminder that unpatched software is still one of the easiest ways into your systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming that these flaws are already being used in real-world cyberattacks. The affected software spans major enterprise tools, including Microsoft Windows, Fortinet FortiClient, Adobe Acrobat Reader, and Microsoft Exchange Server.
For organizations and IT teams, this isn’t just routine patching advice — it’s a signal that attackers are actively targeting widely used systems right now.
Six vulnerabilities now under active exploitation
The newly added flaws range from high to critical severity and impact both legacy and modern systems. Here’s what’s on CISA’s radar:
- CVE-2026-21643 (CVSS 9.1) – A critical SQL injection flaw in Fortinet FortiClient EMS that allows unauthenticated attackers to execute commands remotely.
- CVE-2020-9715 (CVSS 7.8) – A use-after-free vulnerability in Adobe Acrobat Reader that could lead to remote code execution.
- CVE-2023-36424 (CVSS 7.8) – An out-of-bounds read flaw in the Windows Common Log File System driver, enabling privilege escalation.
- CVE-2023-21529 (CVSS 8.8) – A Microsoft Exchange Server vulnerability that allows authenticated attackers to execute code remotely.
- CVE-2025-60710 (CVSS 7.8) – A Windows task process flaw that can be exploited for local privilege escalation.
- CVE-2012-1854 (CVSS 7.8) – A long-standing vulnerability in Microsoft VBA that can still enable remote code execution.
What stands out here isn’t just the severity — it’s the diversity. These vulnerabilities span everything from enterprise email systems to everyday document readers, increasing the potential attack surface significantly.
Some of these flaws are already being weaponized
Not all vulnerabilities are equal, and a few in this batch are already seeing active exploitation.
The Fortinet flaw (CVE-2026-21643) has reportedly been targeted since late March 2026, according to cybersecurity researchers. Meanwhile, Microsoft has confirmed that a threat group known as Storm-1175 is actively exploiting the Exchange Server vulnerability (CVE-2023-21529) to deploy Medusa ransomware.
This is a crucial detail: once ransomware operators adopt a vulnerability, attacks tend to scale quickly — especially in enterprise environments.
Even older vulnerabilities are still in play
One surprising addition is CVE-2012-1854, a vulnerability first disclosed over a decade ago. While it may seem outdated, its inclusion in the KEV catalog shows that attackers continue to exploit systems that haven’t been properly patched.
It’s a pattern we’ve seen repeatedly: legacy vulnerabilities don’t disappear — they linger in unmaintained systems, becoming low-hanging fruit for attackers.
Why CISA’s KEV catalog matters more than ever
The KEV catalog isn’t just another vulnerability database — it’s a prioritized list of flaws that are actively being exploited in the wild. For security teams, it acts as a real-time threat intelligence feed.
In fact, U.S. Federal Civilian Executive Branch (FCEB) agencies are now required to patch these vulnerabilities by April 27, 2026, highlighting the urgency of the situation.
For private organizations, the takeaway is simple: if a vulnerability makes it onto the KEV list, it should jump to the top of your patching queue.
The bigger trend: attackers are moving faster than patch cycles
This update reflects a broader shift in cybersecurity — attackers are increasingly exploiting vulnerabilities within days or weeks of discovery, often before organizations can respond.
At the same time, ransomware groups and threat actors are becoming more strategic, focusing on widely used enterprise tools like Microsoft Exchange and Fortinet products to maximize impact.
This creates a growing gap between vulnerability disclosure and patch deployment — and that gap is exactly where most attacks happen.
What organizations should do now
If you’re managing IT systems or infrastructure, now is the time to act:
- Prioritize patching all vulnerabilities listed in the KEV catalog
- Audit systems for outdated or legacy software still in use
- Monitor network activity for unusual behavior or unauthorized access
- Implement layered security controls beyond just patching
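One way to operationalise the first two items above is to cross-reference the KEV feed against your own software inventory and sort the hits by remediation deadline. The script below is an added example, not code from the article or from CISA; it follows the field layout of the public KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), but the catalog excerpt, the inventory hosts and the dates in it are constructed for illustration, with only the Exchange entry flagged for ransomware use because that is the one the article ties to a named campaign.

```python
"""Match the CISA KEV catalog against a software inventory and rank the hits.

Added example, not the article's or CISA's own code. The JSON shape mirrors the
public feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
but KEV_SAMPLE and INVENTORY below are constructed sample data.
"""
import json
from datetime import date

# Constructed KEV excerpt: CVE IDs from the article, other fields illustrative.
KEV_SAMPLE = json.dumps({
    "title": "KEV catalog (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat Reader",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "VBA",
         "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: what a CMDB or agent export might look like.
INVENTORY = [
    {"host": "mail01", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "ems01", "vendor": "Fortinet", "product": "FortiClient EMS"},
    {"host": "ws-042", "vendor": "Adobe", "product": "Acrobat Reader DC"},
    {"host": "fs01", "vendor": "Microsoft", "product": "Windows Server 2022"},
    {"host": "web01", "vendor": "F5", "product": "NGINX"},  # not in the catalog
]


def load_kev(raw_json):
    """Parse the feed text (live download or cached file) into its entry list."""
    return json.loads(raw_json)["vulnerabilities"]


def _product_matches(feed_product, inventory_product):
    """Loose, case-insensitive containment so 'Windows' hits 'Windows Server 2022'."""
    a, b = feed_product.lower(), inventory_product.lower()
    return a in b or b in a


def match_inventory(entries, inventory):
    """Return one record per (host, CVE) pair where vendor and product line up."""
    hits = []
    for item in inventory:
        for e in entries:
            if item["vendor"].lower() != e["vendorProject"].lower():
                continue
            if not _product_matches(e["product"], item["product"]):
                continue
            hits.append({
                "host": item["host"],
                "cveID": e["cveID"],
                "product": e["product"],
                "dueDate": e["dueDate"],
                "ransomware": e["knownRansomwareCampaignUse"],
            })
    return hits


def prioritize(hits, today):
    """Annotate each hit with days to deadline and sort: ransomware-linked first,
    then earliest due date, then CVE ID for a stable order."""
    for h in hits:
        h["days_left"] = (date.fromisoformat(h["dueDate"]) - today).days
        h["overdue"] = h["days_left"] < 0
    return sorted(hits, key=lambda h: (0 if h["ransomware"] == "Known" else 1,
                                       h["dueDate"], h["cveID"]))


def report(raw_json=KEV_SAMPLE, inventory=INVENTORY, today="2026-04-20"):
    """Convenience wrapper; `today` is an ISO date string so callers need no imports."""
    return prioritize(match_inventory(load_kev(raw_json), inventory),
                      date.fromisoformat(today))


if __name__ == "__main__":
    # To use the live feed instead of KEV_SAMPLE, fetch the URL in the docstring
    # with urllib.request.urlopen and pass its text as raw_json.
    for h in report():
        flag = "OVERDUE" if h["overdue"] else f"{h['days_left']}d left"
        print(f"{h['host']:8} {h['cveID']:15} ransomware={h['ransomware']:8} {flag}")
```

Running it as-is prints the five matches with the Exchange host first; swap KEV_SAMPLE for the downloaded feed and INVENTORY for your own export to get a real queue. The containment match is deliberately loose (a "Windows" catalog entry hits every Windows host), which errs toward over-reporting; tighten it with version data once your inventory carries it.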
Security today isn’t just about reacting — it’s about staying ahead of what attackers are already doing.
So, how prepared is your system?
With attackers actively exploiting both new and decade-old vulnerabilities, the real question isn’t whether threats exist — it’s whether your systems are ready for them.
Are your critical systems patched, monitored, and resilient enough to withstand the next wave of attacks?