CISA adds six actively exploited vulnerabilities affecting Fortinet, Microsoft, and Adobe systems.
The Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming that they are actively being used in real-world attacks.
The affected technologies include widely deployed enterprise systems from Fortinet, Microsoft, and Adobe.
What Happened
The KEV catalog is not a theoretical list.
It reflects vulnerabilities that are already being exploited.
The newly added vulnerabilities include:
- Fortinet FortiClient EMS (SQL injection, unauthenticated access)
- Adobe Acrobat Reader (remote code execution)
- Microsoft Windows (privilege escalation, memory vulnerabilities)
- Microsoft Exchange Server (remote code execution)
- Windows Host Process (privilege escalation)
- Microsoft VBA (remote code execution)
Some of these vulnerabilities date back years but remain operational risks.
Why These Vulnerabilities Matter
The key point is not the number of vulnerabilities.
It is their status.
They are:
- known
- documented
- already exploited
This changes their priority.
For example:
- CVE-2026-21643 (Fortinet) has seen active exploitation attempts since March 2026
- CVE-2023-21529 (Exchange) has been used in ransomware campaigns linked to Storm-1175
What This Means for Organizations
KEV inclusion is a signal.
Not informational.
Operational.
It indicates that:
- attackers are already using these paths
- exposed systems are likely being scanned and targeted
- delay in patching directly increases risk
The window between disclosure and exploitation is no longer theoretical.
It is active.
DIAMATIX Perspective
This pattern is consistent.
The vulnerability itself is rarely the problem.
The problem is timing.
By the time a vulnerability enters KEV:
- attackers have operationalized it
- tooling is already available
- scanning activity is ongoing
From an operational standpoint:
- KEV-listed vulnerabilities should be treated as immediate priorities
- asset visibility must align with vulnerability tracking
- patching workflows must be accelerated
- exposed systems must be monitored for early signs of exploitation
The gap is not between vulnerability and patch.
It is between exposure and response.
Timeline and Response
CISA has issued a remediation deadline for U.S. federal agencies:
April 27, 2026
This reflects the urgency of these vulnerabilities.
Organizations outside government environments should apply similar urgency.
Conclusion
KEV entries mark a transition point.
From risk to active threat.
Organizations that treat them as routine updates risk falling behind attacker timelines.
Sources
Cybersecurity and Infrastructure Security Agency. Known Exploited Vulnerabilities Catalog
This article is based on publicly available threat intelligence as of April 2026.
