CISA Adds Seven Vulnerabilities to KEV Catalog — April 13, 2026

CISA has expanded the Known Exploited Vulnerabilities catalog with seven new entries on April 13, 2026, based on evidence of active exploitation. The batch spans three vendors — Microsoft, Adobe, and Fortinet — and notably includes four older CVEs (2012 through 2023) being formally catalogued for the first time, underscoring that legacy vulnerabilities continue to serve as viable attack vectors in active campaigns.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate under BOD 22-01, with the due date set for April 27, 2026.

CVE-2026-34621 — Adobe Acrobat and Reader | Prototype Pollution | CVSS 9.6

A critical prototype pollution vulnerability in Adobe Acrobat Reader that allows attackers to add or modify JavaScript objects and properties, leading to arbitrary code execution in the context of the current user. Exploitation requires the victim to open a malicious file.

The vulnerability was actively exploited in the wild for at least four months before a patch arrived — the earliest known malicious sample was uploaded to VirusTotal on November 28, 2025. The attack unfolds in two stages, making it harder to detect and more effective against high-value targets.

Affected versions include Acrobat Reader 24.001.30356, 26.001.21367, and all earlier releases on both Windows and macOS. Adobe released an emergency patch under security bulletin APSB26-43 on April 11, 2026, carrying a Priority 1 rating — the highest urgency level.

Remediation: Apply APSB26-43 immediately. Treat any system processing externally sourced PDFs (invoices, contracts, applications) as potentially compromised until patched.

CVE-2020-9715 — Adobe Acrobat | Use-After-Free | Code Execution

Adobe Acrobat contains a use-after-free vulnerability that allows for code execution. A 2020-vintage flaw now formally confirmed in active exploitation. Organizations running unpatched legacy Acrobat deployments should treat this as a priority remediation item.

Remediation: Apply mitigations per Adobe vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2026-21643 — Fortinet FortiClient EMS | SQL Injection | CVSS 9.8

Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Active exploitation of CVE-2026-21643 was acknowledged in Fortinet’s security advisory (FG-IR-26-099) on April 4th. Defused Cyber is credited with detection of zero-day active attacks and responsible disclosure to the vendor. Watchtowr Labs also reported detecting attacks since March 31, 2026. The Shadowserver dashboard indicates approximately 2,000 exposed FortiClient EMS instances remain reachable on the internet.

Affected version: FortiClient EMS 7.4.4.

Remediation: Apply Fortinet’s patch per FG-IR-25-1142. Identify and isolate internet-exposed EMS instances immediately. Check for signs of compromise on all internet-accessible FortiClient deployments.

CVE-2025-60710 — Microsoft Windows | Link Following Vulnerability

CVE-2025-60710 is a Microsoft Windows link following vulnerability with active exploitation now confirmed. Link-following flaws are commonly chained with privilege escalation or lateral movement techniques in post-exploitation phases.

Remediation: Apply Microsoft Security Response Center (MSRC) patch per the update guide.

CVE-2023-21529 — Microsoft Exchange Server | Deserialization of Untrusted Data | RCE

A deserialization flaw in Microsoft Exchange Server with active exploitation now confirmed by CISA. Exchange Server vulnerabilities remain a persistent high-value target for threat actors given the privileged access the platform holds over enterprise email and identity flows. This is the third Exchange deserialization-class vulnerability to have appeared in the KEV catalog in recent cycles.

Remediation: Apply the relevant Microsoft Exchange cumulative update per vendor guidance.

CVE-2023-36424 — Microsoft Windows | Out-of-Bounds Read Vulnerability

An out-of-bounds read in Microsoft Windows, now confirmed under active exploitation. While often considered a lesser-severity class, OOB read vulnerabilities in the Windows kernel or privileged components can enable information disclosure that seeds more critical attack chains.

Remediation: Apply all pending Windows security updates via Microsoft Update.

CVE-2012-1854 — Microsoft Visual Basic for Applications (VBA) | Insecure Library Loading | RCE

Microsoft Visual Basic for Applications contains an insecure library loading vulnerability that could allow for remote code execution. A 14-year-old vulnerability formally entering KEV for the first time signals that threat actors are actively deploying exploits against organizations running unpatched Office environments — a common scenario in enterprises with long software lifecycle policies.

Remediation: Apply mitigations per vendor instructions per MS12-046. Organizations on legacy Office stacks should treat this as a high-priority patch.

Analyst Notes

The April 13 batch reflects two distinct exploitation patterns worth tracking. The first is the zero-day-to-KEV pipeline — CVE-2026-34621 (Adobe) and CVE-2026-21643 (Fortinet) both saw in-the-wild exploitation well before formal disclosure, confirming that threat actors are operating ahead of the patch cycle. The second is the legacy resurrection pattern — CVE-2012-1854, CVE-2020-9715, CVE-2023-21529, and CVE-2023-36424 confirm that attackers are not abandoning aged exploit tooling. For organizations with sprawling asset estates and inconsistent patch cadence, these older entries may represent the actual frontline risk.
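To turn both patterns into a concrete patch queue, here is an added example (not code from the original post or from CISA) that maps a KEV feed excerpt onto an asset inventory and ranks hits by BOD 22-01 due date, with legacy CVEs ahead of same-day ties. Field names follow CISA's public known_exploited_vulnerabilities.json; the feed entries, hostnames and inventory are constructed samples built from the CVE IDs in this post.

```python
"""KEV feed triage: map catalog entries to inventory, rank by BOD 22-01 due date.

Added example, not from the original post or from CISA. Field names
(cveID, vendorProject, product, dateAdded, dueDate) follow CISA's public
known_exploited_vulnerabilities.json; entries and inventory are CONSTRUCTED.
"""
import json
from datetime import date

KEV_EXCERPT = json.dumps({"vulnerabilities": [  # constructed sample feed
    {"cveID": "CVE-2026-34621", "vendorProject": "Adobe", "product": "Acrobat and Reader",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
]})

INVENTORY = [  # constructed: hypothetical hostnames and what each runs
    {"host": "fin-ws-01", "vendor": "Adobe", "product": "Acrobat"},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "ems-01", "vendor": "Fortinet", "product": "FortiClient EMS"},
]


def cve_age_years(entry):
    """Years between the CVE's assigned year and the year CISA catalogued it."""
    return date.fromisoformat(entry["dateAdded"]).year - int(entry["cveID"].split("-")[1])


def product_matches(kev_product, inv_product):
    """Loose match: KEV product strings are not normalised to inventory names."""
    a, b = kev_product.lower(), inv_product.lower()
    return a in b or b in a


def triage(feed_json, inventory, today_iso):
    """Affected KEV entries with exposed hosts, most urgent first.

    Order: fewest days to the BOD 22-01 due date, then legacy CVEs (more than
    two years old when catalogued) before new ones, since they flag unpatched estates.
    """
    today, rows = date.fromisoformat(today_iso), []
    for e in json.loads(feed_json)["vulnerabilities"]:
        hosts = [i["host"] for i in inventory
                 if i["vendor"] == e["vendorProject"] and product_matches(e["product"], i["product"])]
        if hosts:  # entries with no matching asset are dropped from the queue
            rows.append({"cve": e["cveID"], "hosts": hosts, "legacy": cve_age_years(e) > 2,
                         "days_left": (date.fromisoformat(e["dueDate"]) - today).days})
    rows.sort(key=lambda r: (r["days_left"], not r["legacy"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in triage(KEV_EXCERPT, INVENTORY, "2026-04-14"):
        print(f"{r['cve']:<15} due in {r['days_left']:>2}d legacy={r['legacy']} hosts={r['hosts']}")
```

CVE-2012-1854 is in the feed but has no matching asset, so it is dropped; against a real feed, swap KEV_EXCERPT for the downloaded catalog and INVENTORY for your CMDB export.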

Source: CISA KEV Catalog | TheCyberThrone
