Multiple Microsoft, FortiClientEMS, Adobe bugs exploited in the wild

 


The US Cybersecurity and Infrastructure Security Agency (CISA) has added seven security flaws to its Known Exploited Vulnerabilities (KEV) catalog, flagging them as actively targeted by threat actors.

The list includes CVE-2026-21643, an SQL injection flaw in Fortinet FortiClient EMS that allows unauthenticated attackers to execute unauthorized code or commands through specially crafted HTTP requests. Reports say that exploitation attempts targeting the flaw have been observed since March 24, 2026.

Another exploited vulnerability, CVE-2020-9715, is a use-after-free issue in Adobe Acrobat Reader that could enable remote code execution. Also on the list is CVE-2026-34621, an Adobe Acrobat and Reader prototype pollution flaw that allows a remote attacker to execute arbitrary JavaScript code. 

The next vulnerability, CVE-2023-36424, impacts the Microsoft Windows Common Log File System Driver and allows attackers to perform out-of-bounds reads, potentially leading to privilege escalation.

The fourth exploited flaw, CVE-2023-21529, affects Microsoft Exchange Server and stems from improper deserialization of untrusted data. It enables authenticated attackers to achieve remote code execution. Microsoft recently disclosed that a threat actor known as Storm-1175 has been actively exploiting the vulnerability to deploy Medusa ransomware in targeted attacks.

CVE-2025-60710 is an improper link resolution vulnerability in the Host Process for Windows Tasks. It allows authorized attackers to elevate privileges locally, increasing the risk of deeper system compromise once initial access is obtained.

Last but not least, CVE-2012-1854 is an older issue involving insecure library loading in Microsoft Visual Basic for Applications (VBA). The flaw can lead to remote code execution. Microsoft confirmed in July 2012 that limited, targeted attacks had attempted to exploit this vulnerability, though details about those incidents remain unclear.

It’s worth noting that, besides CISA’s KEV listing, there are no other public reports so far confirming active exploitation of CVE-2020-9715, CVE-2023-36424, or CVE-2025-60710.
