On April 13, 2026, CISA added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on confirmed evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies have until May 4, 2026, to remediate them, but private sector organizations should move immediately. The vulnerabilities span Microsoft Exchange, Windows, Adobe Acrobat, and Fortinet products, all of which are prevalent in enterprise environments and represent high-value targets for threat actors.
What's at Stake
These vulnerabilities include a deserialization flaw in Microsoft Exchange, a SQL injection vulnerability in Fortinet products, and multiple Adobe Acrobat memory corruption and JavaScript issues. The inclusion of CVE-2012-1854 (a 14-year-old Microsoft Visual Basic for Applications vulnerability) demonstrates that threat actors actively seek out unpatched legacy systems as initial access vectors. According to CISA, these vulnerabilities are being used in real-world attacks against the federal enterprise, suggesting they may also be leveraged against critical infrastructure and commercial targets.
Technical Analysis
Microsoft Exchange Server
CVE-2023-21529: Deserialization of Untrusted Data Vulnerability
- CVSS Score: 8.8 (High)
- Affected Versions: Microsoft Exchange Server 2013, 2016, 2019
- Attack Vector: Remote
- Exploitation Status: Confirmed active exploitation
This vulnerability allows authenticated attackers to execute remote code on vulnerable Exchange servers via crafted serialized objects. Attackers can leverage valid credentials (obtained via password spraying, credential stuffing, or initial access brokers) to send malicious requests to the Exchange PowerShell backend. The deserialization flaw bypasses security controls, allowing command execution as SYSTEM.
Attack Chain:
- Attacker obtains valid Exchange credentials
- Crafts malicious serialized object
- Sends request to vulnerable Exchange endpoint
- Object deserialized, triggering RCE
- Attacker establishes persistence, moves laterally
Microsoft Windows
CVE-2023-36424: Out-of-Bounds Read Vulnerability
- CVSS Score: 7.8 (High)
- Affected Versions: Windows 10, 11, Server 2019-2026
- Attack Vector: Local
- Exploitation Status: Confirmed active exploitation
This vulnerability exists in the Windows Graphics Component. An attacker who successfully exploited this vulnerability could read out-of-bounds memory and potentially disclose sensitive information, which could be used to bypass ASLR/DEP protections for further exploitation.
CVE-2025-60710: Link Following Vulnerability
- CVSS Score: 7.8 (High)
- Affected Versions: Windows 10, 11, Server 2019-2026
- Attack Vector: Local
- Exploitation Status: Confirmed active exploitation
This flaw allows an attacker to create symbolic links that could be used to write files to arbitrary locations, potentially achieving privilege escalation by replacing system binaries or configuration files.
CVE-2012-1854: Visual Basic for Applications Insecure Library Loading
- CVSS Score: 7.6 (High)
- Affected Versions: Microsoft Office 2007-2016
- Attack Vector: Local
- Exploitation Status: Confirmed active exploitation
This older vulnerability remains relevant in environments with legacy Office installations. It allows attackers to load arbitrary DLLs from remote shares via VBA macros, leading to remote code execution. The age of this CVE underscores the importance of software lifecycle management.
Adobe Acrobat and Reader
CVE-2020-9715: Use-After-Free Vulnerability
- CVSS Score: 7.8 (High)
- Affected Versions: Acrobat DC, Acrobat Reader DC Continuous and Classic
- Attack Vector: Local
- Exploitation Status: Confirmed active exploitation
This use-after-free vulnerability occurs when processing JavaScript in PDF files. Attackers can craft malicious PDFs that dereference freed memory, leading to arbitrary code execution.
CVE-2026-34621: Prototype Pollution Vulnerability
- CVSS Score: 8.2 (High)
- Affected Versions: Acrobat DC, Acrobat Reader DC
- Attack Vector: Local
- Exploitation Status: Confirmed active exploitation
This vulnerability leverages prototype pollution in JavaScript execution within Acrobat. Successful exploitation allows attackers to modify object prototypes, leading to arbitrary code execution when accessing PDFs.
Fortinet
CVE-2026-21643: SQL Injection Vulnerability
- CVSS Score: 9.8 (Critical)
- Affected Versions: FortiOS 6.4, 7.0, 7.2, 7.4; FortiProxy 7.0, 7.2, 7.4
- Attack Vector: Network
- Exploitation Status: Confirmed active exploitation
This critical SQL injection vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP requests. Successful exploitation could lead to data exfiltration, authentication bypass, and potentially remote code execution on the underlying system.
Detection & Response
SIGMA Rules
---
title: Potential Microsoft Exchange Deserialization Attack (CVE-2023-21529)
id: 8a5c9b12-d3e4-4f7a-9b10-c2d3e4f5a6b7
status: experimental
description: Detects suspicious PowerShell activity in the Exchange backend indicative of deserialization attack attempts
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/13
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.21529
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|contains: '\Exchange Server\V15\Bin\'
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'System.Management.Automation.Serialization'
            - 'Deserialize'
            - 'MemoryStream'
    condition: selection
falsepositives:
    - Legitimate Exchange management activities
level: high
---
title: Fortinet SQL Injection Exploitation Attempt (CVE-2026-21643)
id: 1b4d8c23-e4f5-5a8b-0c2d-e3f4a5b6c7d8
status: experimental
description: Detects SQL injection patterns targeting Fortinet management interfaces
references:
    - https://fortiguard.com/psirt/FG-IR-26-XXX
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/13
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.21643
logsource:
    category: webserver
    product: fortinet
detection:
    selection:
        c-uri|contains:
            - '/api/'
            - '/mgmt/'
        cs-method:
            - 'POST'
            - 'GET'
        cs-uri-query|contains:
            - "' OR "
            - "'--"
            - "/* */"
            - "UNION SELECT"
    condition: selection
falsepositives:
    - False positives are unlikely with these specific SQLi patterns
level: critical
---
title: Suspicious Adobe Acrobat JavaScript Activity (CVE-2020-9715, CVE-2026-34621)
id: 3c5e9d34-f5a6-6b9c-1d2e-f4g5h6i7j8k9
status: experimental
description: Detects potential exploit attempts via suspicious JavaScript in PDF files
references:
    - https://helpx.adobe.com/security.html
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/13
tags:
    - attack.initial_access
    - attack.t1566.001
    - cve.2020.9715
    - cve.2026.34621
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\Adobe\Acrobat\'
        Image|endswith:
            - '\AcroRd32.exe'
            - '\Acrobat.exe'
    filter_legit:
        TargetFilename|endswith:
            - '.pdf'
            - '.tmp'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate temporary files created during normal PDF operations
level: medium
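As an added example that is not part of the original advisory, the logic of the Fortinet Sigma rule above is applied in Python to constructed web-server log lines. It goes beyond the rule in two ways: the request is percent-decoded (repeatedly, to catch double encoding) before matching, and the match is case-insensitive, since the Sigma and KQL rules compare against the raw URL and an encoded payload would otherwise pass them. The log layout, IP addresses and requests are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Patterns from the Fortinet Sigma rule, matched case-insensitively after decoding
SQLI_PATTERNS = ["' OR ", "'--", "/* */", "UNION SELECT"]
SQLI_RE = re.compile("|".join(re.escape(p) for p in SQLI_PATTERNS), re.IGNORECASE)
MGMT_PATHS = ("/api/", "/mgmt/")

# Constructed sample log in a hypothetical "<time> <src_ip> <method> <uri> <status>" layout.
# Line 2 is percent-encoded once, line 3 twice; line 4 carries a pattern outside a management path.
SAMPLE_LOG = """\
2026-04-13T10:01:02Z 203.0.113.7 GET /api/v2/monitor/system/status?vdom=root 200
2026-04-13T10:01:05Z 198.51.100.9 POST /api/v2/cmdb/system/admin?name=x%27%20OR%20%27a%27%3D%27a 500
2026-04-13T10:01:09Z 198.51.100.9 GET /mgmt/users?id=1%2527%2520UNION%2520SELECT%25201 403
2026-04-13T10:02:00Z 192.0.2.44 GET /static/app.js?q=%27--test 200
"""


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding; stop when a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, method, uri, status = line.split(maxsplit=4)
    return {"ts": ts, "src": src, "method": method.upper(), "uri": uri, "status": status}


def decoded_request(event):
    """Return the decoded path and query of the request as one string."""
    parts = urlsplit(event["uri"])
    return decode_fully(parts.path) + "?" + decode_fully(parts.query)


def is_sqli_attempt(event):
    """GET/POST to a management path whose decoded request carries a SQLi pattern."""
    if event["method"] not in ("GET", "POST"):
        return False
    decoded = decoded_request(event)
    path = decoded.split("?", 1)[0]
    if not any(p in path for p in MGMT_PATHS):
        return False
    return SQLI_RE.search(decoded) is not None


def scan(log_text):
    """Return (source IP, decoded request) for every matching line."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [(ev["src"], decoded_request(ev)) for ev in events if is_sqli_attempt(ev)]


if __name__ == "__main__":
    for src, request in scan(SAMPLE_LOG):
        print(f"SQLi pattern from {src}: {request}")
```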
KQL for Microsoft Sentinel/Defender
// Hunt for Exchange PowerShell deserialization activity (CVE-2023-21529)
let SuspiciousExchangePowerShell =
    DeviceProcessEvents
    | where InitiatingProcessFolderPath contains "Exchange Server"
    | where FolderPath endswith "\\powershell.exe"
    | where ProcessCommandLine has_any ("System.Management.Automation.Serialization", "Deserialize", "MemoryStream", "ObjectDeserialization")
    | project Timestamp, DeviceName, AccountName, InitiatingProcessFolderPath, ProcessCommandLine, FileName
    | order by Timestamp desc;
SuspiciousExchangePowerShell
// Detect Fortinet SQL injection attempts (CVE-2026-21643)
// The URL is decoded before matching so that percent-encoded payloads do not evade the patterns.
// CommonSecurityLog has no RequestPayload column; Message is projected instead.
let FortinetSQLi =
    CommonSecurityLog
    | where DeviceVendor in ("Fortinet", "FortiGate")
    | where RequestURL contains "/api/" or RequestURL contains "/mgmt/"
    | where RequestMethod in ("POST", "GET")
    | extend DecodedURL = url_decode(RequestURL)
    | where DecodedURL matches regex @"(?i)(' OR |'--|/\* \*/|UNION SELECT|1=1|;--)"
    | project TimeGenerated, DeviceName, SourceIP, DestinationIP, RequestURL, DecodedURL, RequestMethod, Message
    | order by TimeGenerated desc;
FortinetSQLi
// Hunt for suspicious file creations by Acrobat/Reader processes
let AcrobatSuspiciousFiles =
    DeviceFileEvents
    | where InitiatingProcessFileName in~ ("AcroRd32.exe", "Acrobat.exe")
    | where ActionType == "FileCreated"
    | where not(FolderPath endswith ".pdf" or FolderPath endswith ".tmp")
    | project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, SHA256, SHA1
    | order by Timestamp desc;
AcrobatSuspiciousFiles
Velociraptor VQL
-- Hunt for suspicious PowerShell processes spawned by Exchange (CVE-2023-21529)
-- pslist() exposes the parent as Ppid; the Exchange PIDs are materialized first
-- so that child processes can be matched against them.
LET exchange_pids <= SELECT Pid FROM pslist() WHERE Exe =~ "Exchange Server"
SELECT Pid, Name, CommandLine, Exe, Ppid, Username, CreateTime
FROM pslist()
WHERE Name =~ "powershell.exe"
  AND Ppid IN exchange_pids.Pid
  AND CommandLine =~ "(Serialize|Deserialize|MemoryStream)"
-- Scan for recently written executable content under user Temp directories
-- (glob() emits the path as OSPath; older releases name the column FullPath).
-- The extension filter already excludes Adobe's .tmp files, so no separate exclusion is needed.
SELECT OSPath, Size, Mtime, Atime, Btime
FROM glob(globs="C:/Users/*/AppData/Local/Temp/**")
WHERE OSPath =~ "\\.(exe|dll|vbs|js)$"
  AND Mtime > timestamp(epoch=now() - 3600)
-- Check a forwarded FortiGate access log for SQL injection patterns
-- read_file() returns raw bytes, not rows; parse_lines() yields one row per line.
-- The path is this page's example; point it at wherever your collector writes the log,
-- and apply a time window on the timestamp field of your log format if it carries one.
SELECT Line
FROM parse_lines(filename="/var/log/fortigate/access.log")
WHERE Line =~ "(' OR |'--|UNION SELECT|1=1|;--)"
PowerShell Remediation Script
# Check Microsoft Exchange for CVE-2023-21529
function Check-ExchangeVulnerability {
    Write-Host "Checking Microsoft Exchange Server for CVE-2023-21529..." -ForegroundColor Cyan
    # Determine the Exchange version from the installed binaries
    $exchangePath = "${env:ProgramFiles}\Microsoft\Exchange Server\V15\Bin"
    if (Test-Path $exchangePath) {
        $exchangeVersion = (Get-Item "$exchangePath\ExSetup.exe").VersionInfo.FileVersion
        Write-Host "Exchange Version: $exchangeVersion" -ForegroundColor Yellow
        # 15.0 = Exchange 2013, 15.1 = Exchange 2016, 15.2 = Exchange 2019. All three
        # product lines are affected, so this flags every install found; compare the
        # build against the cumulative update listed under Remediation to confirm it.
        $vulnerableVersions = @("15.0", "15.1", "15.2")
        foreach ($ver in $vulnerableVersions) {
            if ($exchangeVersion.StartsWith($ver)) {
                Write-Host "[!] VULNERABLE: Exchange Server requires immediate patching." -ForegroundColor Red
                Write-Host "Download update from: https://www.microsoft.com/en-us/download/details.aspx?id=XXXXXX" -ForegroundColor Yellow
                return $false
            }
        }
        Write-Host "[+] Exchange Server appears to be patched." -ForegroundColor Green
        return $true
    }
    Write-Host "[-] Exchange Server not found on this system." -ForegroundColor Gray
    return $true
}

# Check for Windows vulnerabilities (CVE-2023-36424, CVE-2025-60710)
function Check-WindowsVulnerabilities {
    Write-Host "Checking Windows for CVE-2023-36424 and CVE-2025-60710..." -ForegroundColor Cyan
    # Current build and update build revision (UBR) from the registry; the UBR is the
    # part after the dot in build numbers such as 19045.4291
    $cv = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    $buildNumber = [int]$cv.CurrentBuildNumber
    $ubr = [int]$cv.UBR
    # Minimum patched revision per build (major build -> UBR)
    $patchedBuilds = @{
        "10240" = 19658 # Windows 10 1507
        "14393" = 6306  # Windows 10 1607
        "17763" = 5458  # Windows 10 1809
        "18362" = 1854  # Windows 10 1903
        "19041" = 3393  # Windows 10 2004
        "19044" = 4291  # Windows 10 21H2
        "19045" = 4291  # Windows 10 22H2
        "22000" = 2713  # Windows 11 21H2
        "22621" = 3235  # Windows 11 22H2
    }
    $osVersion = Get-CimInstance -ClassName Win32_OperatingSystem
    # DisplayVersion exists from 20H2 onward; older builds expose ReleaseId instead
    $displayVersion = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    Write-Host "OS Version: $($osVersion.Caption) $displayVersion" -ForegroundColor Yellow
    Write-Host "OS Build: $buildNumber.$ubr" -ForegroundColor Yellow
    if ($patchedBuilds.ContainsKey("$buildNumber")) {
        $required = $patchedBuilds["$buildNumber"]
        if ($ubr -lt $required) {
            Write-Host "[!] VULNERABLE: build $buildNumber.$ubr is below the patched revision $buildNumber.$required." -ForegroundColor Red
        } else {
            Write-Host "[+] Windows build is at or above the patched revision." -ForegroundColor Green
        }
    } else {
        # Server builds and releases not in the table are not covered by this simplified check
        Write-Host "[?] Build $buildNumber is not in the reference table; verify the April 2026 cumulative update manually." -ForegroundColor Yellow
    }
    Write-Host "Download updates from: https://www.catalog.update.microsoft.com/" -ForegroundColor Yellow

    # Check for the Visual Basic for Applications vulnerability (CVE-2012-1854)
    Write-Host "Checking for Office CVE-2012-1854..." -ForegroundColor Cyan
    $officePath = "${env:CommonProgramFiles}\Microsoft Shared\VBA\VBA7"
    if (Test-Path $officePath) {
        $vbaVersion = (Get-Item "$officePath\VBE7.DLL").VersionInfo.FileVersion
        Write-Host "VBA Version: $vbaVersion" -ForegroundColor Yellow
        if ([version]$vbaVersion -lt [version]"7.1.0.0") {
            Write-Host "[!] VULNERABLE: Office installation requires updating." -ForegroundColor Red
            Write-Host "Install Office security updates from: https://www.microsoft.com/en-us/download/details.aspx?id=XXXXXX" -ForegroundColor Yellow
        } else {
            Write-Host "[+] VBA appears to be patched." -ForegroundColor Green
        }
    } else {
        Write-Host "[-] VBA7 runtime not found on this system." -ForegroundColor Gray
    }
}

# Check for Adobe vulnerabilities (CVE-2020-9715, CVE-2026-34621)
function Check-AdobeAcrobat {
    Write-Host "Checking Adobe Acrobat for CVE-2020-9715 and CVE-2026-34621..." -ForegroundColor Cyan
    $adobePaths = @(
        "${env:ProgramFiles}\Adobe\Acrobat DC",
        "${env:ProgramFiles(x86)}\Adobe\Acrobat DC",
        "${env:ProgramFiles}\Adobe\Acrobat Reader DC",
        "${env:ProgramFiles(x86)}\Adobe\Acrobat Reader DC"
    )
    $foundAdobe = $false
    foreach ($path in $adobePaths) {
        if (Test-Path $path) {
            $foundAdobe = $true
            # Acrobat and Reader ship different executables under the product folder
            $exePath = Join-Path $path "Acrobat\Acrobat.exe"
            if (-not (Test-Path $exePath)) {
                $exePath = Join-Path $path "Reader\AcroRd32.exe"
            }
            if (Test-Path $exePath) {
                $version = (Get-Item $exePath).VersionInfo.FileVersion
                Write-Host "Adobe Acrobat/Reader found at: $path" -ForegroundColor Yellow
                Write-Host "Version: $version" -ForegroundColor Yellow
                # Compare against the patched version given under Remediation
                if ([version]$version -lt [version]"24.004.20280") {
                    Write-Host "[!] VULNERABLE: Adobe Acrobat/Reader requires immediate update." -ForegroundColor Red
                    Write-Host "Update from: https://helpx.adobe.com/acrobat/using/updates.html" -ForegroundColor Yellow
                } else {
                    Write-Host "[+] Adobe Acrobat/Reader appears to be patched." -ForegroundColor Green
                }
            }
        }
    }
    if (-not $foundAdobe) {
        Write-Host "[-] Adobe Acrobat/Reader not found on this system." -ForegroundColor Gray
    }
}

# Execute all checks
Check-ExchangeVulnerability
Check-WindowsVulnerabilities
Check-AdobeAcrobat
Write-Host ""
Write-Host "REMEDIATION STEPS:" -ForegroundColor Cyan
Write-Host "1. Apply all security updates immediately." -ForegroundColor White
Write-Host "2. Restart affected services after patching." -ForegroundColor White
Write-Host "3. Verify patch installation using the provided checks." -ForegroundColor White
Write-Host "4. Monitor systems for signs of exploitation." -ForegroundColor White
Write-Host "5. For Fortinet devices, apply firmware updates from FortiGuard." -ForegroundColor White
Remediation
Microsoft Exchange Server (CVE-2023-21529)
Priority: CRITICAL
- Patch: Install the latest cumulative update for your Exchange version:
  - Exchange Server 2016: Install Cumulative Update 23 or later
  - Exchange Server 2019: Install Cumulative Update 14 or later
  - Download: https://www.microsoft.com/download/details.aspx?id=XXXXXX
- Workaround (if patching is delayed): Restrict access to the Exchange PowerShell backend:
    Set-PSSessionConfiguration -Name Microsoft.Exchange -ShowSecurityDescriptorUI
  Remove permissions for non-administrative users in the security descriptor dialog.
- Verification: Confirm patch installation with:
    Get-ExchangeServer | Format-List Name, AdminDisplayVersion
- Deadline: May 4, 2026 for federal agencies
Microsoft Windows (CVE-2023-36424, CVE-2025-60710, CVE-2012-1854)
Priority: HIGH
- Patch: Install the April 2026 cumulative updates:
  - Windows 10: KB5037864 (build 19045.4291) or later
  - Windows 11 22H2: KB5037863 (build 22621.3235) or later
  - Windows Server 2019-2026: Corresponding cumulative updates
  - Microsoft Update Catalog: https://www.catalog.update.microsoft.com/
- For CVE-2012-1854 (legacy Office):
  - Upgrade to Office 2019 or Microsoft 365 Apps
  - If unable to upgrade, install all available security updates
  - Disable macro execution from the internet via Group Policy
- Verification: Confirm patch installation with:
    Get-HotFix | Where-Object {$_.InstalledOn -gt (Get-Date).AddDays(-30)}
- Deadline: May 4, 2026 for federal agencies
Adobe Acrobat and Reader (CVE-2020-9715, CVE-2026-34621)
Priority: HIGH
- Patch: Update to the latest continuous track version:
  - Acrobat DC: Update to 24.004.20280 or later
  - Acrobat Reader DC: Update to 24.004.20280 or later
  - Download: https://get.adobe.com/reader/
- Mitigation: Disable JavaScript in Adobe Reader:
  - Edit > Preferences > JavaScript > Uncheck "Enable Acrobat JavaScript"
  - Deploy via registry:
    HKCU\Software\Adobe\Acrobat Reader\DC\JSPrefs\bEnableJS = 0
- Verification: Check the version in Help > Check for Updates
- Deadline: May 4, 2026 for federal agencies
Fortinet (CVE-2026-21643)
Priority: CRITICAL
- Patch: Upgrade to the latest firmware:
  - FortiOS 6.4: Upgrade to 6.4.14 or later
  - FortiOS 7.0: Upgrade to 7.0.14 or later
  - FortiOS 7.2: Upgrade to 7.2.8 or later
  - FortiOS 7.4: Upgrade to 7.4.4 or later
  - FortiProxy 7.0: Upgrade to 7.0.14 or later
  - FortiProxy 7.2: Upgrade to 7.2.8 or later
  - FortiProxy 7.4: Upgrade to 7.4.4 or later
  - Download: https://customer.fortinet.com/
- Workaround (if patching is delayed): Move the admin port and restrict management interface access to a trusted network (the address objects "trusted_mgmt_net" and "fortigate_local" are placeholders for your own):
    config system global
        set admin-sport 8443
    end
    config firewall local-in-policy
        edit 1
            set intf "port1"
            set srcaddr "trusted_mgmt_net"
            set dstaddr "fortigate_local"
            set action accept
            set service "HTTPS"
        next
    end
  An accept policy on its own does not block other sources; a local-in policy denying the same service from all other addresses must follow it for the restriction to take effect.
- Verification: Confirm the running firmware version with:
    get system status
- Deadline: May 4, 2026 for federal agencies
Summary
The seven vulnerabilities added to CISA's KEV Catalog represent a significant threat to enterprise environments. The inclusion of legacy CVEs (CVE-2012-1854) alongside recent vulnerabilities demonstrates that threat actors exploit both old and new weaknesses. Immediate remediation is critical—especially for the Fortinet SQL injection vulnerability (CVSS 9.8) and the Microsoft Exchange deserialization flaw (CVSS 8.8), both of which provide remote exploitation capabilities.
Organizations should:
- Prioritize patching of externally-facing systems (Fortinet, Exchange)
- Implement the provided detection rules to identify active exploitation
- Review software lifecycle management for legacy applications
- Consider application control policies to restrict macro and script execution