CISA flags 7 exploited Adobe, Fortinet, and Microsoft flaws

Original: Known Exploited Vulnerabilities Catalog

Apr 14, 2026 By Insights AI

The Known Exploited Vulnerabilities catalog matters because it is CISA's running list of bugs that attackers are already using in the wild, not a speculative watchlist. That is why the April 13 update deserves immediate attention: CISA added seven entries spanning Adobe Acrobat and Reader, Fortinet FortiClient EMS, Microsoft Exchange Server, Microsoft Windows, and Microsoft VBA, with one federal remediation deadline arriving on April 16.

The shortest clock belongs to CVE-2026-21643, a SQL injection flaw in FortiClient EMS. CISA says the bug may allow an unauthenticated attacker to execute unauthorized code or commands through crafted HTTP requests, and federal civilian agencies must act by April 16. The other six additions carry an April 27 deadline, but that should not be read as low urgency. They include two Adobe entries and four Microsoft entries that cover remote code execution and privilege-escalation paths in widely deployed software.

  • Adobe: CVE-2020-9715 and CVE-2026-34621
  • Fortinet: CVE-2026-21643
  • Microsoft: CVE-2012-1854, CVE-2025-60710, CVE-2023-21529, and CVE-2023-36424

The mix is what makes the update noteworthy. One batch touches document readers, an endpoint management server, Windows internals, Exchange Server, and VBA, while spanning insecure library loading, out-of-bounds reads, prototype pollution, SQL injection, and deserialization issues. That breadth is a reminder that active exploitation is not clustering around one narrow stack. Security teams still have to watch desktop software, messaging infrastructure, and management tooling at the same time.

CISA says organizations should use the KEV catalog as an input to vulnerability prioritization, and its JSON feed shows the exact entries and due dates added on April 13. The practical takeaway is straightforward: if Fortinet, Adobe, or Microsoft assets sit in your fleet, this is a patch queue reshuffle, not a note for the next maintenance window.
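One way to turn the feed into a patch queue, shown as an added example (not code from the article or from CISA): filter the entries by the date they were added, keep the vendors present in your fleet, and sort by due date. The field names `cveID`, `vendorProject`, `dateAdded` and `dueDate` follow the KEV JSON schema; the `triage` function, the fleet list and the embedded sample are assumptions made for illustration.

```python
import json
from datetime import date

# Constructed sample in the KEV JSON feed's shape, trimmed to four fields.
# CVE IDs, vendors and dates for the first seven entries are the ones the
# article gives; the last two are made-up placeholders (an older entry and
# a malformed one) to exercise the filter and the error handling.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2026-34621", "vendorProject": "Adobe", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "dateAdded": "2026-04-13", "dueDate": "2026-04-16"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2025-60710", "vendorProject": "Microsoft", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-0000-00000", "vendorProject": "Microsoft", "dateAdded": "2026-03-01", "dueDate": "2026-03-22"},
    {"cveID": "CVE-0000-00001", "vendorProject": "Microsoft", "dateAdded": "2026-04-13"},
]})


def triage(feed_text, added_on, fleet_vendors, today):
    """Return entries added on `added_on` for vendors in the fleet, soonest
    deadline first, each with days remaining (negative means overdue)."""
    wanted = {v.casefold() for v in fleet_vendors}
    queue = []
    for entry in json.loads(feed_text).get("vulnerabilities", []):
        try:
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            vendor, cve = entry["vendorProject"], entry["cveID"]
        except (KeyError, ValueError):
            continue  # skip malformed records rather than abort the whole run
        if added == added_on and vendor.casefold() in wanted:
            queue.append({"cve": cve, "vendor": vendor, "due": due,
                          "days_left": (due - today).days})
    return sorted(queue, key=lambda e: (e["due"], e["cve"]))


if __name__ == "__main__":
    # Hypothetical fleet: Fortinet and Microsoft assets, no Adobe.
    for item in triage(SAMPLE_FEED, date(2026, 4, 13),
                       ["fortinet", "Microsoft"], date(2026, 4, 14)):
        print(f'{item["due"]}  {item["days_left"]:>3}d  {item["vendor"]:<10} {item["cve"]}')
```

Against the live feed, pass the downloaded JSON text as `feed_text` and replace the fleet list with the vendors from your asset inventory.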
