CISA Highlights Active Exploitation of Vulnerabilities in Fortinet, Microsoft, and Adobe Products
Executive Summary
On April 13, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. These vulnerabilities affect Fortinet FortiClient EMS, Adobe Acrobat Reader, Microsoft Windows Common Log File System Driver, Microsoft Exchange Server, Host Process for Windows Tasks, and Microsoft Visual Basic for Applications. Notably, CVE-2026-21643, an SQL injection vulnerability in Fortinet FortiClient EMS, has been actively exploited since March 24, 2026. Additionally, Microsoft reports that threat actor Storm-1175 has been leveraging CVE-2023-21529 in Exchange Server to deliver Medusa ransomware. (thehackernews.com)
The inclusion of these vulnerabilities underscores the persistent threat posed by both newly discovered and older security flaws. Organizations are urged to prioritize patching these vulnerabilities to mitigate potential risks, as unpatched systems remain prime targets for cyber adversaries. (bytevanguard.com)
Why This Matters Now
The active exploitation of these vulnerabilities highlights the urgency for organizations to apply patches promptly. Delayed remediation increases the risk of cyberattacks, data breaches, and operational disruptions, emphasizing the need for proactive vulnerability management.
Attack Path Analysis
An unauthenticated attacker exploited an SQL injection vulnerability in Fortinet FortiClient EMS, gaining initial access. They escalated privileges to execute arbitrary code, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and caused significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploited an SQL injection vulnerability in Fortinet FortiClient EMS (CVE-2026-21643) to gain unauthorized access.
Related CVEs
CVE-2026-21643
CVSS 9.8An SQL injection vulnerability in Fortinet FortiClientEMS 7.4.4 allows unauthenticated attackers to execute unauthorized code or commands via specifically crafted HTTP requests.
Affected Products:
Fortinet FortiClientEMS – 7.4.4
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Server Software Component: SQL Stored Procedures
Valid Accounts
Command and Scripting Interpreter: Windows Command Shell
OS Credential Dumping
Network Service Scanning
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Software Development
Control ID: 6.5.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
SQL injection vulnerability in Fortinet FortiClient EMS threatens financial institutions' endpoint management, risking data exfiltration and compliance violations across HIPAA and PCI standards.
Health Care / Life Sciences
Healthcare organizations using Fortinet EMS face critical vulnerability exploitation risks, potentially exposing patient data through compromised endpoint management systems and violating HIPAA requirements.
Government Administration
Government agencies relying on Fortinet endpoint security solutions face heightened cyber threat exposure from known exploited vulnerabilities, requiring immediate patching and enhanced monitoring capabilities.
Information Technology/IT
IT service providers managing client endpoints through Fortinet EMS face cascading security risks from SQL injection attacks, threatening multi-tenant environments and zero-trust implementations.
Sources
- CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Softwarehttps://thehackernews.com/2026/04/cisa-adds-6-known-exploited-flaws-in.htmlVerified
- Fortinet Security Advisory FG-IR-25-1142https://fortiguard.fortinet.com/psirt/FG-IR-25-1142Verified
- CISA Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21643Verified
- NVD - CVE-2026-21643https://nvd.nist.gov/vuln/detail/CVE-2026-21643Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial exploitation, it could limit the attacker's ability to escalate privileges or move laterally within the network.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict access controls and minimizing trust relationships.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely constrain the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized command and control communications across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling and monitoring outbound traffic.
While Aviatrix CNSF may not prevent all forms of operational disruption, its controls could likely limit the scope and impact of such attacks by containing the attacker's activities.
Impact at a Glance
Affected Business Functions
- Endpoint Security Management
- Network Security Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive configuration data and administrative credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Implement inline Intrusion Prevention Systems (IPS) to detect and block SQL injection attempts.
- • Enforce Zero Trust Segmentation to limit lateral movement within the network.
- • Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to mitigate known vulnerabilities like CVE-2026-21643.
