CISA KEV Update: Exchange Server, Adobe, MS Windows Exploits

CISA Adds Seven Known Exploited Vulnerabilities to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog by adding seven new vulnerabilities, confirming active exploitation of these flaws. This update underscores the persistent threat posed by previously identified security weaknesses that malicious actors continue to leverage. According to CISA, these types of vulnerabilities are frequent attack vectors and present significant risks across all sectors, not just federal entities.

The KEV Catalog serves as a critical resource, established under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. While BOD 22-01 mandates Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by specified due dates, CISA strongly advises all organizations to adopt similar rigorous patching strategies. The inclusion in this catalog signifies that a CVE is actively being exploited, making it an immediate threat that requires prioritised attention from security teams.

Analysis of Notable Vulnerabilities and Their Impact

The seven vulnerabilities added span a range of products and attack types. Among them, several warrant immediate attention due to their potential impact and the severity of the underlying flaw. Here are the vulnerabilities added, along with their reported descriptions:

• CVE-2012-1854: Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability. Despite its age, this flaw continues to be a viable attack vector, highlighting the longevity of certain exploitation techniques.
• CVE-2020-9715: Adobe Acrobat Use-After-Free Vulnerability. This type of flaw can lead to RCE and is a common target for document-based attacks, often delivered via Phishing campaigns.
• CVE-2023-21529: Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability. This vulnerability is particularly critical. Deserialization flaws in a widely deployed product like Microsoft Exchange Server can enable remote code execution, granting attackers significant control over compromised systems and access to sensitive communications. Organizations leveraging Microsoft Exchange Server versions vulnerable to this flaw must treat remediation as an absolute priority to prevent critical infrastructure compromise.
• CVE-2023-36424: Microsoft Windows Out-of-Bounds Read Vulnerability. Such vulnerabilities can lead to information disclosure or denial-of-service conditions, contributing to further exploitation chains.
• CVE-2025-60710: Microsoft Windows Link Following Vulnerability.
• CVE-2026-21643: Fortinet SQL Injection Vulnerability.
• CVE-2026-34621: Adobe Acrobat and Reader Prototype Pollution Vulnerability.

It is notable that some of these CVEs (CVE-2025-60710, CVE-2026-21643, CVE-2026-34621) carry future-dated identifiers, suggesting that they may be pre-disclosed vulnerabilities or represent a forward-looking assessment by CISA of impending threats. While NVD entries and public CVSS scores for these specific identifiers are not yet available, their inclusion in the KEV Catalog signifies CISA’s intelligence on their active exploitation and the urgent need for organisations to prepare for their eventual public disclosure and patching.

The Imperative for Timely Remediation

The inclusion of a vulnerability in CISA’s KEV Catalog serves as a definitive signal that an organization’s exposure to cyberattacks increases significantly if these flaws remain unaddressed. Active exploitation means attackers are already weaponizing these weaknesses, escalating the risk beyond theoretical concern to immediate operational threat. The older vulnerabilities on this list underscore that patch management is not a one-time task but an ongoing, iterative process requiring continuous vigilance.

Actionable Recommendations: How to detect known exploited vulnerabilities and mitigate risks

Defenders must prioritize these KEV Catalog additions within their vulnerability management programs. Here’s a breakdown of essential actions:

• Prioritize Patching: The most direct and effective mitigation for all listed vulnerabilities is to apply vendor-provided patches without delay. This is particularly crucial for systems affected by the Microsoft Exchange Server CVE-2023-21529 deserialization vulnerability mitigation, given its potential for severe impact.
• Automated Patch Management: Implement or enhance automated patching systems to ensure rapid deployment of security updates across the enterprise. Regularly audit these systems for effectiveness.
• Vulnerability Scanning and Assessment: Conduct regular, comprehensive vulnerability scans to identify instances of these and other known exploited flaws within your network. Tools providing asset inventory and vulnerability mapping are essential.
• Network Segmentation and Least Privilege: Adopt Zero Trust principles, segmenting networks to limit the blast radius of any successful exploitation. Enforce least privilege for users and services to restrict lateral movement and privilege escalation opportunities.
• Enhanced Monitoring: Implement robust monitoring capabilities. Use SIEM and EDR solutions to monitor for IoC associated with known exploitation attempts. Pay close attention to logs from affected systems, looking for unusual activity or unauthorized access attempts that could indicate a C2 channel being established.
• Incident Response Planning: Ensure your incident response plan is up-to-date and includes procedures for addressing actively exploited vulnerabilities. Conduct tabletop exercises to test response capabilities.
• Stay Informed: Regularly consult the CISA KEV Catalog for updates. Subscribing to CISA’s advisories ensures your organization remains informed of critical and actively exploited threats.