Executive Summary
On April 13, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding seven new vulnerabilities, including issues in Microsoft Visual Basic for Applications, Adobe Acrobat, Microsoft Exchange Server, and Fortinet products. These vulnerabilities have been actively exploited by malicious actors, posing significant risks to federal enterprises. CISA's Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these vulnerabilities by specified deadlines to protect against active threats. Although BOD 22-01 applies specifically to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practices. This proactive approach is essential to reduce exposure to cyberattacks and safeguard organizational networks against known exploited vulnerabilities.
Why This Matters Now
The addition of these seven vulnerabilities to CISA's KEV Catalog underscores the ongoing threat posed by actively exploited vulnerabilities. Organizations must prioritize remediation efforts to mitigate potential cyberattacks and protect sensitive data.
Attack Path Analysis
An attacker exploited a deserialization vulnerability in Microsoft Exchange Server to gain initial access, escalated privileges by exploiting a Windows out-of-bounds read vulnerability, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and ultimately deployed ransomware to disrupt operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the deserialization of untrusted data vulnerability (CVE-2023-21529) in Microsoft Exchange Server to execute arbitrary code remotely.
Related CVEs
CVE-2012-1854
CVSS 7.8An insecure library loading vulnerability in Microsoft Visual Basic for Applications allows remote attackers to execute arbitrary code via a crafted application.
Affected Products:
Microsoft Visual Basic for Applications – All versions prior to the patch
Exploit Status:
exploited in the wildCVE-2020-9715
CVSS 7.8A use-after-free vulnerability in Adobe Acrobat Reader allows remote attackers to execute arbitrary code via crafted PDF documents.
Affected Products:
Adobe Acrobat Reader – All versions prior to 2020.012.20041
Exploit Status:
exploited in the wildCVE-2023-21529
CVSS 8.8A deserialization of untrusted data vulnerability in Microsoft Exchange Server allows remote attackers to execute arbitrary code.
Affected Products:
Microsoft Exchange Server – All versions prior to the patch
Exploit Status:
exploited in the wildCVE-2023-36424
CVSS 7.8An out-of-bounds read vulnerability in Microsoft Windows Common Log File System Driver allows local attackers to escalate privileges.
Affected Products:
Microsoft Windows – All versions prior to the patch
Exploit Status:
exploited in the wildCVE-2025-60710
CVSS 7.8A link following vulnerability in Microsoft Windows allows local attackers to escalate privileges.
Affected Products:
Microsoft Windows – All versions prior to the patch
Exploit Status:
exploited in the wildCVE-2026-21643
CVSS 9.8An SQL injection vulnerability in Fortinet FortiClient EMS allows unauthenticated attackers to execute unauthorized code or commands via crafted HTTP requests.
Affected Products:
Fortinet FortiClient EMS – 7.4.4
Exploit Status:
exploited in the wildCVE-2026-34621
CVSS 8.6A prototype pollution vulnerability in Adobe Acrobat and Reader allows attackers to execute arbitrary code via crafted JavaScript objects.
Affected Products:
Adobe Acrobat Reader – 24.001.30356, 26.001.21367, and earlier
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Client Execution
Command and Scripting Interpreter
Valid Accounts
Account Discovery
OS Credential Dumping
Network Service Scanning
Data Destruction
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – System and Application Security
Control ID: 6.2
NYDFS 23 NYCRR 500 – Vulnerability Management
Control ID: 500.5
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Devices
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation under BOD 22-01 for seven KEV vulnerabilities affecting Microsoft, Adobe, and Fortinet systems with strict compliance deadlines.
Financial Services
Critical exposure through Microsoft Exchange deserialization and SQL injection vulnerabilities requiring immediate patching to prevent data exfiltration and maintain PCI compliance.
Health Care / Life Sciences
Microsoft Windows and Adobe vulnerabilities threaten patient data security, requiring urgent remediation to maintain HIPAA compliance and prevent healthcare system compromises.
Information Technology/IT
IT infrastructure providers managing Microsoft Exchange, Windows systems, and Adobe products face elevated risk from actively exploited vulnerabilities across client environments.
Sources
- CISA Adds Seven Known Exploited Vulnerabilities to Cataloghttps://www.cisa.gov/news-events/alerts/2026/04/13/cisa-adds-seven-known-exploited-vulnerabilities-catalogVerified
- CISA Adds Seven Vulnerabilities to KEV Catalog — April 13, 2026https://thecyberthrone.in/2026/04/14/cisa-adds-seven-vulnerabilities-to-kev-catalog-april-13-2026/Verified
- CISA KEV Update: From a 2012 Bug to 2026 Flawshttps://bytevanguard.com/2026/04/14/cisa-kev-update-from-a-2012-bug-to-2026-flaws/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent the initial exploitation of vulnerabilities, it could limit the attacker's ability to leverage compromised systems for further malicious activities.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely constrain the attacker's ability to escalate privileges by enforcing strict access controls and limiting interactions between workloads.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely limit the attacker's lateral movement by enforcing strict segmentation and monitoring internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and constrain unauthorized command and control communications by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by enforcing strict outbound traffic policies and monitoring egress points.
While Aviatrix Zero Trust CNSF may not prevent the deployment of ransomware, it could likely limit the blast radius by enforcing strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- n/a
Estimated downtime: N/A
Estimated loss: N/A
n/a
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement within the network.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- • Ensure timely patching of known vulnerabilities to reduce the attack surface.
