
CISA KEV Adds 7 Fortinet, Microsoft, and Adobe Vulnerabilities (April 13)

Ikesan

On April 13, 2026, CISA added 7 vulnerabilities to the KEV (Known Exploited Vulnerabilities) catalog.
The entries cover a Fortinet FortiClient EMS SQL injection, a Microsoft Exchange Server RCE, two Windows privilege escalation flaws, two Adobe Acrobat vulnerabilities, and a Microsoft VBA DLL hijacking issue. All have been confirmed as exploited in the wild.

The KEV catalog is CISA’s official list of vulnerabilities confirmed to have been used in real-world attacks.
Federal agencies are required to patch within specified deadlines under Binding Operational Directive 22-01, and the catalog is widely used by private organizations as a prioritization reference.

The 7 entries have two separate deadlines.
The FortiClient EMS vulnerability (CVE-2026-21643) is due April 16, while the remaining six are due April 27.
FortiClient EMS also had a separate vulnerability, CVE-2026-35616 (CVSS 9.8, improper access control), added to KEV on April 6, highlighting the concentrated attacker interest in this product.

Overview of the 7 CVEs

| CVE | Vendor | Product | CVSS | Vulnerability Type | Patch Deadline |
|---|---|---|---|---|---|
| CVE-2026-21643 | Fortinet | FortiClient EMS | 9.1 | SQL Injection → Unauthenticated RCE | April 16 |
| CVE-2023-21529 | Microsoft | Exchange Server | 8.8 | Deserialization → RCE (authenticated) | April 27 |
| CVE-2023-36424 | Microsoft | Windows (CLFS) | 7.8 | Out-of-bounds Read → Privilege Escalation | April 27 |
| CVE-2025-60710 | Microsoft | Windows | 7.8 | Symlink Following → Privilege Escalation | April 27 |
| CVE-2020-9715 | Adobe | Acrobat/Reader | 7.8 | Use-After-Free → Arbitrary Code Execution | April 27 |
| CVE-2026-34621 | Adobe | Acrobat/Reader | 8.6 | Prototype Pollution → Arbitrary Code Execution | April 27 |
| CVE-2012-1854 | Microsoft | VBA (Office) | 7.8 | DLL Hijacking → Privilege Escalation | April 27 |

CVE-2026-21643: FortiClient EMS SQL Injection (CVSS 9.1)

The highest-priority vulnerability in this batch.
A SQL injection flaw (CWE-89) in Fortinet FortiClient EMS 7.4.4 allows unauthenticated remote command execution.

The root cause is a multi-tenancy refactoring that passed HTTP header values directly into database queries without parameterization or validation.
An attacker can trigger the SQL injection before authentication by sending specific headers to the publicly accessible /api/v1/init_consts endpoint. There is no lockout mechanism, and raw database error messages are returned to the client, so error-based extraction is straightforward and fast to iterate.

In environments where the backend PostgreSQL runs with superuser privileges (COPY ... TO/FROM PROGRAM is restricted to superusers and members of pg_execute_server_program), OS command execution via that syntax has been demonstrated.
Extractable data includes admin credentials, endpoint inventory, security policies, and managed endpoint certificates.
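The bug class described above, as an added example that is not Fortinet's code or an exploit for this CVE: a request handler that interpolates a header value into a query, beside the parameterized form. The `X-Site` header name, the `sites` table and the payloads are constructed for illustration, and an in-memory SQLite database stands in for PostgreSQL so the block runs offline.

```python
"""Added example (not FortiClient EMS code): the header-into-SQL pattern
behind CVE-2026-21643 and the parameterized fix. SQLite is used so the
demo runs offline; the table, header name and payloads are constructed."""
import sqlite3

# Constructed sample data: one row per tenant ("site") in a multi-tenant install.
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE sites (id INTEGER PRIMARY KEY, name TEXT, admin_hash TEXT);
INSERT INTO sites VALUES (1, 'default', 'hash-of-default-admin');
INSERT INTO sites VALUES (2, 'acme',    'hash-of-acme-admin');
""")


def init_consts_vulnerable(headers: dict) -> dict:
    """Vulnerable pattern: the tenant header is pasted into the SQL text and
    the database engine's own error message is echoed back to the caller."""
    site = headers.get("X-Site", "default")  # hypothetical tenant header
    sql = f"SELECT id, name, admin_hash FROM sites WHERE name = '{site}'"
    try:
        return {"rows": DB.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": str(exc)}  # leaks the engine error to the client


def init_consts_fixed(headers: dict) -> dict:
    """Hardened pattern: the value is bound as a parameter, never as SQL
    text, and only a generic error reaches the client."""
    site = headers.get("X-Site", "default")
    try:
        rows = DB.execute(
            "SELECT id, name, admin_hash FROM sites WHERE name = ?", (site,)
        ).fetchall()
        return {"rows": rows}
    except sqlite3.Error:
        return {"error": "internal error"}  # log the detail server-side


if __name__ == "__main__":
    tautology = {"X-Site": "x' OR '1'='1"}  # dumps every tenant's admin hash
    probe = {"X-Site": "x'"}               # unbalanced quote: error leaks
    print(init_consts_vulnerable(tautology))
    print(init_consts_vulnerable(probe))
    print(init_consts_fixed(tautology))     # {'rows': []}: no such tenant
```

The fixed handler still accepts the payload as a tenant name; it simply cannot change the query's structure. Length and character-set checks on the header are worth adding as defence in depth, but binding is what removes the injection.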

According to Bishop Fox’s analysis, only environments with multi-tenant mode (SITES_ENABLED=True) enabled are affected.
Shodan shows approximately 1,000 publicly exposed FortiClient EMS instances, and active exploitation has been observed for at least 4 days.

Patched in version 7.4.5 and later. However, 7.4.5 is itself affected by CVE-2026-35616, so the 7.4.6 hotfix for that vulnerability is required as well.

```mermaid
flowchart TD
    A[Attacker] -->|Unauthenticated HTTP request| B["/api/v1/init_consts"]
    B -->|Tenant header embedded<br/>directly into SQL| C[PostgreSQL]
    C -->|Error messages returned| A
    C -->|With superuser privileges<br/>COPY TO/FROM PROGRAM| D[OS Command Execution]
    D --> E[Admin credential theft]
    D --> F[Arbitrary file creation]
    D --> G[Lateral movement]
```

CVE-2023-21529: Microsoft Exchange Server RCE (CVSS 8.8)

A deserialization of untrusted data vulnerability (CWE-502) affecting Exchange Server 2013/2016/2019.
An authenticated attacker can achieve RCE by sending a crafted request.

Affected versions include Exchange Server 2013 (CU23 and earlier), 2016 (CU23 and earlier), and 2019 (CU11/12 and earlier).
Microsoft has already released patches, and migrating to the latest cumulative update is the recommended fix.
Although authentication is required, credentials are routinely available after an initial compromise, so the flaw remains a practical pivot in post-compromise lateral movement scenarios.

CVE-2023-36424: Windows CLFS Out-of-Bounds Read (CVSS 7.8)

A privilege escalation via out-of-bounds read (CWE-125) in the Windows Common Log File System (CLFS) driver.
A local attacker with low privileges can escalate to administrator.

CLFS is a kernel-mode driver (clfs.sys) that provides Windows' general-purpose logging subsystem, and multiple privilege escalation CVEs have been discovered in it over the past several years.
The impact spans Windows 10/11 and Windows Server 2008 through 2022. Ransomware groups frequently use CLFS vulnerabilities for post-initial-access privilege escalation.

CVE-2025-60710: Windows Task Host Process Privilege Escalation (CVSS 7.8)

An improper link following vulnerability (CWE-59) in the Host Process for Windows Tasks (taskhost.exe, taskhostw.exe on current builds).
The flaw abuses NTFS symbolic links and reparse points to redirect a privileged file operation to a path of the attacker's choosing, escalating local privileges.

Patched in the November 2025 Patch Tuesday.
Affected systems include Windows 11 24H2/25H2 and Server 2025. While local authenticated access is required, this is a typical escalation technique used by ransomware and infostealers after gaining an initial foothold.
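The CWE-59 pattern behind this flaw, as an added example that is not Microsoft's code and not the CVE-2025-60710 exploit: a privileged component writes a file into a directory a lower-privileged user controls, the user plants a link there first, and the write lands on a protected file instead. The demo uses a POSIX symlink in a temporary directory (the Windows variant uses NTFS symlinks and reparse points); the file names and contents are constructed.

```python
"""Added example (not Microsoft code): link following (CWE-59) and its fix.
A 'privileged' writer drops a file in a user-writable directory; the user
has pre-planted a symlink there. POSIX is assumed for O_NOFOLLOW."""
import os
import tempfile


def privileged_write_vulnerable(path: str, data: bytes) -> None:
    """Follows whatever 'path' resolves to, including a planted symlink."""
    with open(path, "wb") as fh:
        fh.write(data)


def privileged_write_fixed(path: str, data: bytes) -> None:
    """Creates the file only if nothing exists at 'path' (O_EXCL) and refuses
    to follow a symlink in the final component (O_NOFOLLOW), so a planted
    link is never written through. Raises OSError instead."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def demo(writer) -> bytes:
    """Plays out the race in a scratch directory and returns what the
    protected file contains after the privileged write."""
    with tempfile.TemporaryDirectory() as work:
        victim = os.path.join(work, "protected.cfg")       # privileged-only file
        with open(victim, "wb") as fh:
            fh.write(b"original")
        spool = os.path.join(work, "spool")                # user-writable drop dir
        os.mkdir(spool)
        planted = os.path.join(spool, "task.log")
        os.symlink(victim, planted)                        # attacker's move
        try:
            writer(planted, b"attacker-controlled")        # privileged move
        except OSError:
            pass                                           # hardened writer refuses
        with open(victim, "rb") as fh:
            return fh.read()


if __name__ == "__main__":
    print(demo(privileged_write_vulnerable))  # b'attacker-controlled'
    print(demo(privileged_write_fixed))       # b'original'
```

Opening with O_NOFOLLOW only protects the last path component; directories higher up can still be swapped for links, so privileged services should also avoid writing under user-controlled trees at all.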

CVE-2020-9715: Adobe Acrobat Use-After-Free (CVSS 7.8)

A Use-After-Free vulnerability (CWE-416) affecting Adobe Acrobat/Reader releases in the 2015 through 2020 tracks.
A Use-After-Free is a memory-safety bug in which a program keeps using memory after it has been freed; an attacker who reallocates that memory with controlled data can hijack control flow and execute arbitrary code.

Originally discovered in 2020, this CVE was added to KEV after continued exploitation in environments not running the latest Adobe Reader was confirmed.

CVE-2026-34621: Adobe Acrobat Prototype Pollution (CVSS 8.6)

A prototype pollution flaw leading to RCE; it was exploited as a zero-day, with activity observed since December 2025.
Adobe released a patch (APSB26-43) on April 11, rating it CVSS 8.6 / Priority 1 with a recommendation to apply within 72 hours.

See the previous article for details: Adobe Acrobat Reader Patches Actively Exploited Zero-Day (CVE-2026-34621 / APSB26-43).
This KEV addition comes 3 days after patch release, effectively enforcing compliance for federal agencies.

CVE-2012-1854: Microsoft VBA DLL Hijacking (CVSS 7.8)

A Microsoft Visual Basic for Applications (VBA) vulnerability disclosed in 2012.
DLL hijacking via an untrusted search path (CWE-426) allows privilege escalation when a user opens a VBA-enabled Office file from a directory that also contains a malicious DLL: Office loads the attacker's DLL, and the code runs with that user's rights.

The reason a 14-year-old CVE was added to KEV is that active exploitation was confirmed against systems still running unpatched legacy Office (2003/2007/2010).
Microsoft has already released a patch, but for products past EOL (End of Life), isolation or decommissioning is the realistic remediation.

Prioritization

CVE-2026-21643 stands out as the most critical of the seven: unauthenticated RCE, numerous exposed instances, and an April 16 deadline.
Organizations running FortiClient EMS 7.4.4 need to verify today.

The relationship with CVE-2026-35616 (CVSS 9.8, added to KEV on April 6) is also important.
Updating to 7.4.5 alone may not be sufficient. Check Fortinet advisory FG-IR-26-099 for the required hotfix.

Exchange Server (CVE-2023-21529) requires authentication but is being used as a pivot point after internal compromise; organizations that haven’t applied the latest CU should not wait for the deadline.
The two Adobe vulnerabilities both lead to arbitrary code execution via PDF. Organizations using Adobe Reader/Acrobat should verify they’re on the latest version (26.x for the Continuous Track).
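The KEV deadlines described at the top of this article and the prioritization above come down to one routine: match the catalog against what you actually run and sort by due date. The following is an added example, not CISA tooling. Record fields follow the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the feed excerpt and the inventory are constructed from this article's table, so product strings may not match the live catalog's exact wording.

```python
"""Added example (not CISA tooling): triage a KEV feed against a local asset
inventory and order the work by BOD 22-01 due date. The excerpt and the
inventory are constructed from the article's table."""
from datetime import date
import json
import urllib.request

KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")


def fetch_kev(url: str = KEV_URL) -> dict:
    """Download the live catalog (needs network; the demo below is offline)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed excerpt in the shape of known_exploited_vulnerabilities.json.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-16"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2026-34621", "vendorProject": "Adobe", "product": "Acrobat and Reader",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
]}

# Constructed inventory. vendor/product deliberately use the catalog's own
# naming; maintaining that mapping is the part that needs human upkeep.
INVENTORY = [
    {"host": "ems01",  "vendor": "Fortinet",  "product": "FortiClient EMS",    "version": "7.4.4"},
    {"host": "exch01", "vendor": "Microsoft", "product": "Exchange Server",    "version": "2019 CU12"},
    {"host": "ws-042", "vendor": "Microsoft", "product": "Windows",            "version": "11 24H2"},
    {"host": "ws-042", "vendor": "Adobe",     "product": "Acrobat and Reader", "version": "25.001"},
]


def triage(feed: dict, inventory: list, today: date) -> list:
    """KEV entries that hit an inventory item, ordered by due date. Each hit
    lists the affected hosts and days_left (negative means already overdue)."""
    hits = []
    for entry in feed["vulnerabilities"]:
        hosts = sorted({a["host"] for a in inventory
                        if a["vendor"].lower() == entry["vendorProject"].lower()
                        and a["product"].lower() == entry["product"].lower()})
        if not hosts:
            continue  # e.g. the VBA entry: nothing in inventory runs it
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cve": entry["cveID"], "product": entry["product"],
                     "due": entry["dueDate"], "days_left": (due - today).days,
                     "hosts": hosts})
    return sorted(hits, key=lambda h: (h["days_left"], h["cve"]))


if __name__ == "__main__":
    for hit in triage(KEV_FEED, INVENTORY, date(2026, 4, 14)):
        flag = "OVERDUE" if hit["days_left"] < 0 else f"{hit['days_left']}d"
        print(f"{hit['cve']:16} due {hit['due']} ({flag:8}) {', '.join(hit['hosts'])}")
```

Run against the live feed, `triage(fetch_kev(), INVENTORY, date.today())` gives the same ordered list; the matching is deliberately exact on vendor and product so that a looser match never silently hides an entry.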

Attacks on Fortinet Products Are Intensifying

FortiClient EMS has appeared in the KEV catalog twice in one week (CVE-2026-35616 on April 6, CVE-2026-21643 this time).
The broader picture for Fortinet products is even more concerning: in March, the AI orchestration tool “CyberStrikeAI” was reported to have automatically compromised approximately 600 FortiGate devices.
Across FortiGate, FortiOS and FortiClient EMS, the recurring pattern is management interfaces exposed to the internet being targeted again and again.
The ~1,000 publicly exposed instances in this case follow the same pattern as the 600-unit FortiGate compromise. Removing that management interface exposure is itself the top priority.

Another Adobe PDF Zero-Day Running in Parallel

The patch for CVE-2026-34621 (APSB26-43) was released on April 11, but Adobe Reader/Acrobat has another separate zero-day.
The sandbox bypass plus RCE chain disclosed on April 10 has reportedly been exploited since November 2025, roughly four months, and is an attack chain independent of CVE-2026-34621.
All versions including the latest are affected, and no patch was available at the time of writing.
With PDF-based threats running on multiple zero-days simultaneously, “just applying APSB26-43” is not enough.

KEV Additions in 2026

Looking at just the KEV-related entries covered on this blog, multiple additions have continued every month in 2026.

Within this batch, CVE-2012-1854 (a 14-year-old VBA vulnerability) and CVE-2020-9715 (a 6-year-old Adobe UAF) show a growing trend of older CVEs being newly confirmed as exploited and added to KEV.
In February, a 17-year-old Microsoft vulnerability was also added to KEV.
Even when patches exist, unpatched environments only become easier targets for attackers over time.

Attack Patterns from Past Coverage

The 7 vulnerabilities added to KEV this time are individual flaws, but they overlap significantly with attack patterns tracked on this blog.

Chained Attacks on Microsoft Products

Exchange Server RCE (CVE-2023-21529) and VBA DLL hijacking (CVE-2012-1854) are components that state-sponsored groups favor combining.
APT28 launched an LNK file attack using MSHTML zero-day CVE-2026-21513 in January, and Office OLE bypass CVE-2026-21509 was also added to KEV in February.
Initial access via MSHTML or Exchange, privilege escalation via CLFS or symlinks, persistence via DLL hijacking — the components of a Windows attack chain have lined up together in the KEV catalog.

Prototype Pollution

Adobe Acrobat’s CVE-2026-34621 chains JavaScript prototype pollution into RCE.
In the same vulnerability class, axios CVE-2026-40175 used prototype pollution as a gadget to chain from HTTP header injection (CRLF) to SSRF.
The same vulnerability pattern serves as an entry point for RCE and SSRF in completely different software — a PDF reader and an HTTP client.

Use-After-Free

The 6-year-old Adobe Acrobat vulnerability CVE-2020-9715 is a UAF (Use-After-Free).
Just two weeks ago, Chrome Dawn UAF (CVE-2026-5281) was exploited as the 4th Chrome zero-day of 2026.
Both browsers and PDF readers are prone to UAF vulnerabilities because their rendering engines are large C/C++ codebases with complex object lifetimes. As long as older versions remain in use, they remain targets. The fact that CVE-2020-9715 was added to KEV 6 years after disclosure confirms this.