The Cybersecurity and Infrastructure Security Agency (CISA) has just added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. That designation is critical: these CVEs are confirmed to be exploited in the wild, not theoretical risks.

For defenders, this shifts the conversation from risk management to incident prevention under active threat conditions.

Threat Context

The KEV catalog is not just another vulnerability list — it's a prioritized threat intelligence feed. Inclusion implies:

  • Verified exploitation activity
  • Operational use by threat actors
  • Elevated risk to enterprise environments

In this case, the affected ecosystem spans:

  • Network security clients (Fortinet)
  • Enterprise email infrastructure (Microsoft Exchange)
  • Endpoint productivity tools (Adobe Acrobat)
  • Core Windows components

This is a broad attack surface with high enterprise penetration.

Technical Breakdown of the CVEs

CVE-2026–21643 — Fortinet FortiClient EMS (SQL Injection)

  • CVSS: 9.1
  • Vector: Unauthenticated remote attacker via crafted HTTP requests
  • Impact: Arbitrary command execution

This is the most critical issue in the set. A pre-auth SQL injection in a centralized endpoint management system effectively enables:

  • Database manipulation
  • Command execution at the application layer
  • Potential lateral movement depending on deployment architecture

Observed exploitation attempts date back to March 2026, indicating rapid weaponization.

CVE-2020–9715 — Adobe Acrobat Reader (Use-After-Free)

  • CVSS: 7.8
  • Class: Memory corruption
  • Impact: Remote code execution via malicious PDF

Classic client-side exploitation vector. The vulnerability allows attackers to:

  • Trigger heap corruption
  • Execute arbitrary payloads when a user opens a crafted file

Despite its age, continued exploitation highlights the long tail of unpatched endpoints.

CVE-2023–36424 — Windows CLFS Driver (Out-of-Bounds Read)

  • CVSS: 7.8
  • Impact: Privilege escalation

Targets the Windows Common Log File System (CLFS). Exploitation enables:

  • Kernel-level data access
  • Elevation from low-privileged user to SYSTEM

Typical use case: post-compromise privilege escalation.

CVE-2023–21529 — Microsoft Exchange (Deserialization RCE)

  • CVSS: 8.8
  • Prerequisite: Authenticated access
  • Impact: Remote code execution

This vulnerability is particularly dangerous in enterprise environments due to Exchange's role as a high-value asset.

Notably, threat actors tracked as Storm-1175 have leveraged this flaw to deploy Medusa ransomware, indicating:

  • Integration into real attack chains
  • Use in targeted campaigns rather than opportunistic scans

CVE-2025–60710 — Windows Host Process (Link Resolution Flaw)

  • CVSS: 7.8
  • Impact: Local privilege escalation

Improper link resolution before file access allows attackers to:

  • Abuse symbolic links
  • Escalate privileges within the host

This fits into a common exploitation chain: Initial access → privilege escalation → persistence

CVE-2012–1854 — Microsoft VBA (Insecure Library Loading)

  • CVSS: 7.8
  • Impact: Remote code execution

A legacy vulnerability still being exploited — which says more about patch hygiene than attacker sophistication.

Attackers can:

  • Hijack library loading paths
  • Execute malicious code via crafted Office documents

Active Exploitation Signals

Two data points stand out:

  • Security researchers observed exploitation attempts targeting the Fortinet flaw in late March 2026
  • Microsoft reported that Storm-1175 is actively weaponizing the Exchange vulnerability for ransomware delivery

This confirms that these CVEs are:

  • Not isolated
  • Not theoretical
  • Already embedded in attack workflows

Defensive Priorities

If you're operating in an enterprise or production environment, the response should be immediate and structured:

1. Patch with Priority

  • Apply vendor patches for all affected systems
  • Treat Fortinet EMS and Exchange as critical assets

2. Assume Compromise

  • Review logs for:
  • Suspicious HTTP requests (Fortinet EMS)
  • Abnormal Exchange activity
  • Privilege escalation indicators

3. Reduce Attack Surface

  • Restrict external exposure of management interfaces
  • Enforce least privilege across endpoints

4. Detection Engineering

  • Deploy rules for:
  • SQL injection patterns
  • Deserialization anomalies
  • CLFS abuse indicators

The most important takeaway isn't just the vulnerabilities themselves — it's the pattern:

Old bugs, new exploits, immediate weaponization.

Attackers are no longer waiting for defenders to catch up. They're exploiting:

  • Legacy systems
  • Slow patch cycles
  • Misconfigured infrastructure

If your patching cycle still operates on a "monthly update" mindset, you're already behind.