CISA Orders Federal Agencies to Patch 6 Actively Exploited Flaws in Fortinet, Microsoft, and Adobe

Introduction

CISA added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on Monday, citing evidence of active exploitation across Fortinet FortiClient EMS, Microsoft Windows and Exchange Server, and Adobe Acrobat Reader. Federal agencies have until April 27 to apply patches. The most severe flaw, a CVSS 9.1 SQL injection in FortiClient EMS, is already being used to deploy ransomware.

What Happened

The six CVEs now on the KEV list span a wide range of products and severity levels:

  • CVE-2026-21643 (CVSS 9.1) — SQL injection in Fortinet FortiClient EMS. Allows unauthenticated attackers to execute code remotely via crafted HTTP requests. Exploitation attempts have been observed since at least March 24, 2026, and the threat actor Storm-1175 has been chaining it with other flaws to deploy Medusa ransomware.
  • CVE-2023-21529 (CVSS 8.8) — Deserialization of untrusted data in Microsoft Exchange Server. Also linked to Storm-1175 and Medusa ransomware deployment.
  • CVE-2025-60710 (CVSS 7.8) — Improper link resolution in the Host Process for Windows Tasks, allowing local privilege escalation.
  • CVE-2023-36424 (CVSS 7.8) — Out-of-bounds read in the Windows Common Log File System (CLFS) driver, enabling privilege escalation.
  • CVE-2020-9715 (CVSS 7.8) — Use-after-free in Adobe Acrobat Reader, exploitable for code execution when a victim opens a crafted PDF.
  • CVE-2012-1854 (CVSS 7.8) — Insecure library loading in Visual Basic for Applications (VBA), a legacy flaw being used in limited targeted attacks.

CISA's mandate requires all Federal Civilian Executive Branch (FCEB) agencies to remediate by April 27, 2026, but every organization should treat KEV additions as a patch-now signal.

Why It Matters

When CISA adds a vulnerability to the KEV, it means there is confirmed evidence of exploitation in the wild — not theoretical risk. The FortiClient EMS flaw is especially dangerous because FortiClient EMS is used to manage endpoint security agents across enterprise networks; compromising it gives attackers a central point of control over every managed endpoint. The linkage to Medusa ransomware raises the stakes further: this is not only espionage but financially motivated attacks with destructive outcomes. The inclusion of a 14-year-old VBA flaw (CVE-2012-1854) is a reminder that attackers will reach deep into the back catalog if a vulnerability remains unpatched and exploitable.

Who Is Affected

  • Organizations running Fortinet FortiClient EMS version 7.4.4 or earlier
  • Microsoft Exchange Server environments (on-premises)
  • Windows systems with unpatched CLFS or task host process components
  • Any system running Adobe Acrobat Reader without the latest security updates
  • Legacy environments still using older VBA-dependent applications
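The triage the KEV mandate implies (rank the six entries by ransomware linkage and due date, then check them against what you actually run, including the "7.4.4 or earlier" rule above) as an added Python example. This is not code from the article or from CISA. It keeps the field names of CISA's public KEV JSON feed as I know them (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), which is an assumption; the CVE ids, products, CVSS scores, due date and the FortiClient EMS version rule come from the article, and the inventory rows are constructed.

```python
"""Rank CISA KEV entries and match them against a software inventory."""
from __future__ import annotations

import re
from datetime import date

# KEV-style records for the article's six CVEs, in the feed's field layout (assumed).
KEV_SAMPLE = [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat Reader",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
     "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
]

# CVSS base scores are not part of the KEV feed; these are the article's figures.
CVSS = {"CVE-2026-21643": 9.1, "CVE-2023-21529": 8.8, "CVE-2025-60710": 7.8,
        "CVE-2023-36424": 7.8, "CVE-2020-9715": 7.8, "CVE-2012-1854": 7.8}

# Highest affected version per product, inclusive. Only the FortiClient EMS rule
# is stated by the article; products without a rule get "review", not a guess.
AFFECTED_MAX = {"FortiClient EMS": "7.4.4"}

# Constructed inventory rows: host, product name as the asset system reports it, version.
INVENTORY = [
    {"host": "ems01", "product": "Fortinet FortiClient EMS", "version": "7.4.4 build 1234"},
    {"host": "ems02", "product": "Fortinet FortiClient EMS", "version": "7.4.5"},
    {"host": "mail01", "product": "Microsoft Exchange Server 2019", "version": "15.2.1544.4"},
]


def parse_version(text: str) -> tuple[int, ...]:
    """Read the leading dotted number from a version string ('7.4.4 build 1234' -> (7, 4, 4))."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_le(a: str, b: str) -> bool:
    """True when version a <= version b; shorter tuples are zero-padded so 7.4 == 7.4.0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) <= vb + (0,) * (width - len(vb))


def as_date(value: date | str) -> date:
    """Accept either a date or an ISO string for the 'today' argument."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def days_until_due(entry: dict, today: date | str) -> int:
    """Days left before the KEV due date (negative once it has passed)."""
    return (date.fromisoformat(entry["dueDate"]) - as_date(today)).days


def prioritize(kev: list[dict], today: date | str) -> list[dict]:
    """Order entries: ransomware-linked first, then soonest due, then highest CVSS."""
    return sorted(kev, key=lambda e: (e.get("knownRansomwareCampaignUse") != "Known",
                                      days_until_due(e, today),
                                      -CVSS.get(e["cveID"], 0.0)))


def triage(inventory: list[dict], kev: list[dict], today: date | str) -> list[dict]:
    """One finding per inventory row and matching KEV entry.

    status is 'affected' when a version rule proves it, 'patched' when the rule
    clears it, and 'review' when no version rule is known for the product.
    """
    findings = []
    for item in inventory:
        for entry in prioritize(kev, today):
            if entry["product"].lower() not in item["product"].lower():
                continue
            rule = AFFECTED_MAX.get(entry["product"])
            if rule is None:
                status = "review"
            elif version_le(item["version"], rule):
                status = "affected"
            else:
                status = "patched"
            findings.append({"host": item["host"], "product": item["product"],
                             "version": item["version"], "cveID": entry["cveID"],
                             "status": status, "days_left": days_until_due(entry, today),
                             "ransomware": entry.get("knownRansomwareCampaignUse") == "Known"})
    return findings


if __name__ == "__main__":
    run_date = "2026-04-14"  # assumed run date, two weeks before the deadline
    for f in triage(INVENTORY, KEV_SAMPLE, run_date):
        flag = " [ransomware]" if f["ransomware"] else ""
        print(f"{f['status']:8} {f['host']:7} {f['cveID']} due in {f['days_left']:>3}d{flag}"
              f"  {f['product']} {f['version']}")
```

Products the article gives no version range for come back as "review" rather than being silently marked clean; in practice you would fill AFFECTED_MAX from the vendor advisories once you have read them.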

How to Protect Yourself

1. Patch FortiClient EMS to version 7.4.5 or later

This is the highest-priority item. Check your version:

# On the FortiClient EMS server
FortiClientEMS.exe --version

Download the update from Fortinet's support portal immediately.

2. Apply Microsoft Exchange cumulative updates

Ensure your Exchange Server is running the latest cumulative update with all security patches:

# Check Exchange version
Get-ExchangeServer | Format-List Name, AdminDisplayVersion

Follow Microsoft's Exchange Server update guidance and restart services after patching.

3. Update Windows systems via Windows Update

# Force check for updates
usoclient StartScan
usoclient StartInstall

Target CVE-2025-60710, CVE-2023-36424, and CVE-2012-1854 in your patch management priority list.

4. Update Adobe Acrobat Reader

Help → Check for Updates

Or push updates through your enterprise software distribution tool.

5. Hunt for Medusa ransomware indicators

Given the Storm-1175 connection, search for known Medusa IoCs in your environment:

# Look for copies of msimg32.dll outside the Windows system directories (that DLL name is the one used in Medusa attacks)
Get-ChildItem -Path C:\ -Filter "msimg32.dll" -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.DirectoryName -notlike "*System32*" -and $_.DirectoryName -notlike "*SysWOW64*" }

6. Audit FortiClient EMS access logs

Check for suspicious HTTP requests targeting the EMS API, particularly SQL injection patterns:

grep -iE "(UNION|SELECT|INSERT|DROP|--)" /var/log/FortiClientEMS/access.log
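A bare case-insensitive grep for SELECT also hits legitimate paths such as /endpoints?selected=1 and misses URL-encoded payloads. The following added Python example, which is not code from the article, Fortinet or any EMS component, applies the same idea with URL decoding (including double-encoded input) and word-boundary anchoring. It assumes an Apache-style access log line rather than the real FortiClient EMS log format; the sample lines and the rule names are constructed.

```python
"""Flag SQL-injection-shaped requests in a web access log (detection only)."""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed sample lines: two benign requests that a naive grep would flag,
# two single-encoded injection attempts, and one double-encoded attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2026:09:14:02 +0000] "GET /api/v1/endpoints?selected=1&page=2 HTTP/1.1" 200 512
10.0.0.9 - - [26/Mar/2026:09:14:07 +0000] "GET /api/v1/endpoints?id=1%27%20UNION%20SELECT%20null%2Cnull-- HTTP/1.1" 500 0
10.0.0.9 - - [26/Mar/2026:09:14:09 +0000] "POST /api/v1/login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 401 0
10.0.0.7 - - [26/Mar/2026:09:15:00 +0000] "GET /static/js/union-select-widget.js HTTP/1.1" 200 9000
10.0.0.12 - - [26/Mar/2026:09:16:30 +0000] "GET /api/v1/endpoints?id=1%2527%2520UNION%2520SELECT%25201 HTTP/1.1" 500 0
"""

# Apache-style line: client, identd, user, [time], "METHOD target HTTP/x", status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Detection rules (name, pattern) matched against the decoded request target.
# Word boundaries keep 'selected' and 'union-select-widget' from matching.
RULES = [
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"['\"]\s*(?:or|and)\b\s*['\"]?\w+['\"]?\s*=", re.I)),
    ("quote-then-comment", re.compile(r"'[^']*?(?:--|/\*)", re.I)),
    ("dml-ddl", re.compile(r"\b(?:drop|alter)\s+table\b|\binsert\s+into\b|\bdelete\s+from\b", re.I)),
    ("time-based", re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b|\bbenchmark\s*\(", re.I)),
]


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so %2527 -> %27 -> ' is caught."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_line(line: str) -> dict | None:
    """Return a finding for one log line, or None when no rule matches.

    A line that does not parse raises ValueError so that a log format change
    is noticed instead of silently blinding the detector.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line[:60]!r}")
    decoded = decode_target(m.group("target"))
    hits = [name for name, pattern in RULES if pattern.search(decoded)]
    if not hits:
        return None
    return {"client": m.group("client"), "time": m.group("time"), "method": m.group("method"),
            "status": int(m.group("status")), "decoded": decoded, "rules": hits}


def scan_log(text: str) -> list[dict]:
    """Scan every non-empty line and collect findings in log order."""
    return [f for f in (scan_line(l) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']:10} {f['status']} {','.join(f['rules']):30} {f['decoded']}")
```

Run it over the real file with scan_log(open(path).read()) after adjusting LINE_RE to the format your EMS deployment actually writes; the 500 responses paired with a hit are the lines to look at first, since they suggest the injected input reached the query layer.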

Source

CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software — The Hacker News