CISA KEV Update: Six Flaws Added, Including Critical Fortinet SQLi and Adobe RCE

CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog, Targeting Fortinet, Adobe, and Microsoft

Severity: HIGH
April 14, 2026
Categories: Vulnerability, Patch Management

Related Entities

Products & Tech: Fortinet FortiClient EMS, Adobe Acrobat Reader

CVE Identifiers

  • CVE-2026-21643: CRITICAL, CVSS 9.1
  • CVE-2020-9715: HIGH, CVSS 7.8

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding six security flaws that are being actively exploited by threat actors in the wild. This update serves as a critical warning to all organizations to prioritize patching these specific vulnerabilities. The additions include a critical SQL injection vulnerability in Fortinet FortiClient EMS (CVE-2026-21643) and a remote code execution flaw in Adobe Acrobat Reader (CVE-2020-9715). The inclusion in the KEV catalog mandates that Federal Civilian Executive Branch (FCEB) agencies apply patches by April 27, 2026. Private sector organizations are strongly advised to follow suit to protect their networks from known, active threats.

Vulnerability Details

This KEV update highlights a mix of modern and legacy vulnerabilities across different vendors, demonstrating that attackers will exploit any available weakness.

Fortinet FortiClient EMS SQL Injection

  • CVE ID: CVE-2026-21643
  • CVSS Score: 9.1 (Critical)
  • Vulnerability Type: SQL Injection
  • Affected Product: Fortinet FortiClient Enterprise Management Server (EMS)
  • Impact: An unauthenticated attacker can send a specially crafted HTTP request to a vulnerable server to execute unauthorized code or commands, potentially leading to a full system compromise.

Adobe Acrobat Reader Use-After-Free

  • CVE ID: CVE-2020-9715
  • CVSS Score: 7.8 (High)
  • Vulnerability Type: Use-After-Free
  • Affected Product: Adobe Acrobat Reader
  • Impact: A successful exploit could allow an attacker to execute arbitrary code on a victim's machine by tricking them into opening a malicious PDF file.

The other four vulnerabilities added were not detailed in the source articles but also target widely used software from vendors including Microsoft.

Exploitation Status

By definition, every vulnerability in the KEV catalog has confirmed evidence of active exploitation. The inclusion of CVE-2020-9715, a flaw from 2020, is a stark reminder that attackers have a long memory. They continue to scan for and exploit older, unpatched vulnerabilities, preying on organizations with poor patch management hygiene. The Fortinet flaw, being more recent and critical, is likely being exploited by a wide range of actors, from sophisticated APTs to ransomware groups, to gain initial access to corporate networks.

Impact Assessment

  • Fortinet (CVE-2026-21643): Compromise of a FortiClient EMS server provides a powerful pivot point into a network. An attacker could manage and control endpoints, disable security features, and deploy further malware, including ransomware.
  • Adobe (CVE-2020-9715): Exploitation provides an attacker with a foothold on an end-user workstation. From there, they can engage in lateral movement, credential theft, and data exfiltration.
  • Systemic Risk: The targeting of security and management products (Fortinet EMS) and ubiquitous software (Adobe Reader) indicates that attackers are focusing on high-impact vulnerabilities that provide broad access.

Cyber Observables for Detection

Hunting for exploitation of these vulnerabilities requires log analysis and endpoint monitoring.

For CVE-2026-21643 (Fortinet):

Type | Value | Description
url_pattern | Requests with SQL syntax | Monitor FortiClient EMS web logs for HTTP requests containing SQL keywords like UNION, SELECT, char(), or ' in unusual places.
process_name | Fms.exe | Monitor the main FortiClient EMS process for anomalous behavior, such as spawning shell processes (cmd.exe, powershell.exe).

For CVE-2020-9715 (Adobe):

Type | Value | Description
process_name | AcroRd32.exe | Monitor the Adobe Reader process for suspicious child processes, network connections to unknown domains, or attempts to write files to disk.
file_name | *.pdf | Suspicious PDF files received via email should be opened in a sandboxed environment for analysis.
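
A hunting sketch for the two observable tables above, added here as an example and not taken from the article or from either vendor. It assumes a common access-log layout for the EMS web log and simple dictionaries for process-creation events; the log lines, hosts and URL path are constructed.

```python
import re
from urllib.parse import unquote_plus

# SQL syntax named in the Fortinet table: UNION, SELECT, char(), a stray single quote.
SQL_TOKENS = re.compile(r"\bunion\b|\bselect\b|\bchar\s*\(|'", re.IGNORECASE)
# Assumed log layout (common access-log format); adjust to the real EMS web log.
REQUEST = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')
WATCHED_PARENTS = {"fms.exe", "acrord32.exe"}   # process names from both tables
SHELLS = {"cmd.exe", "powershell.exe"}          # children they should never start

def suspicious_requests(lines):
    """Return (client, decoded_target) for requests whose URL carries SQL syntax."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not in the assumed format
        client, target = m.groups()
        decoded = unquote_plus(unquote_plus(target))  # undo single and double URL-encoding
        if SQL_TOKENS.search(decoded):
            hits.append((client, decoded))
    return hits

def suspicious_spawns(events):
    """Return process-creation events where a watched parent started a shell."""
    return [e for e in events
            if e["parent"].lower() in WATCHED_PARENTS and e["image"].lower() in SHELLS]

# Constructed sample data (documentation IP ranges, hypothetical path and hosts).
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [14/Apr/2026:09:12:01 +0000] "GET /example/status?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Apr/2026:09:12:05 +0000] "GET /example/status?id=1%27+UNION+SELECT+1 HTTP/1.1" 500 0',
    '203.0.113.9 - - [14/Apr/2026:09:12:09 +0000] "GET /example/status?id=1%2527 HTTP/1.1" 500 0',
]
SAMPLE_PROCESS_EVENTS = [
    {"host": "ems01", "parent": "Fms.exe", "image": "cmd.exe"},
    {"host": "ws17", "parent": "AcroRd32.exe", "image": "RdrCEF.exe"},
    {"host": "ws22", "parent": "AcroRd32.exe", "image": "powershell.exe"},
    {"host": "ws22", "parent": "explorer.exe", "image": "cmd.exe"},
]

if __name__ == "__main__":
    for client, target in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("sql-syntax", client, target)
    for e in suspicious_spawns(SAMPLE_PROCESS_EVENTS):
        print("shell-spawn", e["host"], e["parent"], "->", e["image"])
```

Keyword matching of this kind produces false positives on legitimate parameters, so treat hits as leads to correlate with the process events rather than as confirmed exploitation.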

Detection & Response

  • Vulnerability Scanning: Regularly scan internal and external assets for the presence of these and other vulnerabilities. Use the CISA KEV catalog as a prioritized list for your scanning and remediation efforts.
  • D3FEND: Process Analysis: For the Adobe flaw, use an EDR to monitor the behavior of AcroRd32.exe. It should not be spawning command shells or making unexpected network connections. This is a direct application of D3-PA: Process Analysis.
  • Web Application Firewall (WAF): For the Fortinet flaw, a properly configured WAF could detect and block the malicious HTTP requests containing SQL injection payloads before they reach the server.

Remediation Steps

  1. Prioritize and Patch: Use the KEV catalog as a directive. All vulnerabilities on this list should be at the top of your patch management queue. Apply the updates provided by Fortinet, Adobe, and Microsoft immediately.
  2. Verify Patches: After deployment, run authenticated vulnerability scans to verify that the patches were successfully applied and the vulnerabilities are no longer present.
  3. Risk-Based Patching: Adopt a risk-based approach to vulnerability management. Prioritize patching for internet-facing systems, critical servers, and vulnerabilities known to be actively exploited (i.e., the KEV catalog).
  4. D3FEND: Software Update: The core remediation is to maintain a robust and timely software update process. This is the foundation of defending against vulnerability exploitation and is captured in D3-SU: Software Update.

Timeline of Events

  1. April 13, 2026: CISA adds six vulnerabilities to the KEV catalog.
  2. April 14, 2026: This article was published.
  3. April 27, 2026: Deadline for FCEB agencies to patch the newly added vulnerabilities.

MITRE ATT&CK Mitigations

The primary mitigation is to apply the security patches provided by the vendors for all listed CVEs.

Use a vulnerability scanner to identify all assets affected by these vulnerabilities and use the KEV catalog to prioritize remediation.

D3FEND Defensive Countermeasures

The CISA KEV catalog is a gift to defenders. It provides a clear, prioritized, and actionable list of vulnerabilities that require immediate attention. For CVE-2026-21643 and CVE-2020-9715, the primary and most effective countermeasure is a robust and rapid software update process. Organizations must have an asset inventory that can quickly identify all instances of Fortinet FortiClient EMS and Adobe Acrobat Reader. Upon CISA's announcement, the emergency patching process should be initiated. This involves deploying the vendor-supplied patches to all affected systems, starting with internet-facing servers (for the Fortinet flaw) and high-risk user groups. Patching vulnerabilities listed in the KEV catalog should be treated with the highest urgency, as it is a certainty that threat actors are actively scanning for and exploiting them.

To effectively act on CISA KEV alerts, organizations need a mature vulnerability scanning program. This isn't just about running a scan; it's about integrating the KEV feed into the program's logic. Your vulnerability management platform should be configured to automatically raise the priority of any finding that appears in the KEV catalog. Immediately following the addition of CVE-2026-21643 and CVE-2020-9715, an out-of-band, authenticated scan should be launched against the entire environment, specifically looking for these vulnerabilities. The results should be fed directly into a ticketing system for the teams responsible for patching, with a short, non-negotiable SLA for remediation. This ensures that CISA's intelligence is translated into concrete defensive action as quickly as possible.
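
One way to wire the KEV feed into finding priority, as described above (an added example, not the article's or CISA's code). The feed sample uses the KEV JSON field names with the CVE IDs and dates this article gives; the scanner findings, asset names, the P1/P2/P3 labels and the reuse of the FCEB due date as an internal SLA are assumptions.

```python
import json
from datetime import date

# Constructed sample in the KEV JSON feed's field layout; IDs and dates are from this article.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
   "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
  {"cveID": "CVE-2020-9715", "vendorProject": "Adobe", "product": "Acrobat Reader",
   "dateAdded": "2026-04-13", "dueDate": "2026-04-27"}
]}
""")

# Constructed scanner findings; CVE-0000-00000 is a placeholder for a non-KEV finding.
FINDINGS = [
    {"asset": "ws-0231", "cve": "CVE-2020-9715", "severity": "high", "internet_facing": False},
    {"asset": "ems-01", "cve": "CVE-2026-21643", "severity": "critical", "internet_facing": True},
    {"asset": "web-07", "cve": "CVE-0000-00000", "severity": "critical", "internet_facing": True},
    {"asset": "ems-02", "cve": "CVE-2026-21643", "severity": "critical", "internet_facing": False},
]

def prioritize(findings, kev_feed, today):
    """Raise every KEV-listed finding to P1 and order the patch queue."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    tickets = []
    for f in findings:
        entry = kev.get(f["cve"])
        t = dict(f, kev=entry is not None, due=None, days_left=None)
        if entry:
            # Assumption: the FCEB due date doubles as the internal remediation SLA.
            due = date.fromisoformat(entry["dueDate"])
            t.update(priority="P1", due=due.isoformat(), days_left=(due - today).days)
        else:
            t["priority"] = "P2" if f["severity"] == "critical" else "P3"
        tickets.append(t)
    # KEV-listed first, then internet-facing, then asset name for stable output.
    tickets.sort(key=lambda t: (not t["kev"], not t["internet_facing"], t["asset"]))
    return tickets

if __name__ == "__main__":
    for t in prioritize(FINDINGS, KEV_FEED, date(2026, 4, 14)):
        print(t["priority"], t["asset"], t["cve"], "due", t["due"], "days left", t["days_left"])
```

A negative `days_left` marks a ticket that has passed its due date and should be escalated.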

Sources & References

  • "CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software", The Hacker News (thehackernews.com), April 14, 2026
  • "13th April – Threat Intelligence Report", Check Point Research (research.checkpoint.com), April 13, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

CISA, KEV, Vulnerability, Fortinet, Adobe, Microsoft, CVE-2026-21643, CVE-2020-9715, Patch Management
