[{"data":1,"prerenderedAt":134},["ShallowReactive",2],{"article-slug-cisa-adds-six-flaws-to-kev-catalog-including-fortinet-and-adobe":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":15,"entities":16,"cves":36,"sources":45,"events":58,"mitre_techniques":65,"mitre_mitigations":77,"d3fend_countermeasures":87,"iocs":97,"cyber_observables":98,"tags":114,"extract_datetime":116,"article_type":117,"impact_scope":118,"pub_date":49,"reading_time_minutes":133,"createdAt":116,"updatedAt":116},"9061212d-0df0-4fe9-a1f9-bd95447f7b8d","cisa-adds-six-flaws-to-kev-catalog-including-fortinet-and-adobe","CISA KEV Update: Six Flaws Added, Including Critical Fortinet SQLi and Adobe RCE","CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog, Targeting Fortinet, Adobe, and Microsoft","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The list includes a critical SQL injection flaw in Fortinet FortiClient EMS (CVE-2026-21643) with a 9.1 CVSS score, and an older but still targeted use-after-free bug in Adobe Acrobat Reader (CVE-2020-9715). Federal agencies are mandated to patch these flaws by April 27, 2026, and CISA strongly urges all organizations to prioritize these updates to defend against ongoing threats.","## Executive Summary\nThe **[U.S. Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov)** has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding six security flaws that are being actively exploited by threat actors in the wild. This update serves as a critical warning to all organizations to prioritize patching these specific vulnerabilities. The additions include a critical SQL injection vulnerability in **[Fortinet](https://www.fortinet.com/)** FortiClient EMS (**[CVE-2026-21643](https://www.cve.org/CVERecord?id=CVE-2026-21643)**) and a remote code execution flaw in **[Adobe](https://www.adobe.com)** Acrobat Reader (**[CVE-2020-9715](https://www.cve.org/CVERecord?id=CVE-2020-9715)**). The inclusion in the KEV catalog mandates that Federal Civilian Executive Branch (FCEB) agencies apply patches by April 27, 2026. Private sector organizations are strongly advised to follow suit to protect their networks from known, active threats.\n\n## Vulnerability Details\nThis KEV update highlights a mix of modern and legacy vulnerabilities across different vendors, demonstrating that attackers will exploit any available weakness.\n\n### Fortinet FortiClient EMS SQL Injection\n-   **CVE ID:** CVE-2026-21643\n-   **CVSS Score:** 9.1 (Critical)\n-   **Vulnerability Type:** SQL Injection\n-   **Affected Product:** Fortinet FortiClient Enterprise Management Server (EMS)\n-   **Impact:** An unauthenticated attacker can send a specially crafted HTTP request to a vulnerable server to execute unauthorized code or commands, potentially leading to a full system compromise.\n\n### Adobe Acrobat Reader Use-After-Free\n-   **CVE ID:** CVE-2020-9715\n-   **CVSS Score:** 7.8 (High)\n-   **Vulnerability Type:** Use-After-Free\n-   **Affected Product:** Adobe Acrobat Reader\n-   **Impact:** A successful exploit could allow an attacker to execute arbitrary code on a victim's machine by tricking them into opening a malicious PDF file.\n\nThe other four vulnerabilities added were not detailed in the source articles but also target widely used software from vendors including Microsoft.\n\n## Exploitation Status\nBy definition, every vulnerability in the KEV catalog has confirmed evidence of active exploitation. The inclusion of **CVE-2020-9715**, a flaw from 2020, is a stark reminder that attackers have a long memory. They continue to scan for and exploit older, unpatched vulnerabilities, preying on organizations with poor patch management hygiene. The Fortinet flaw, being more recent and critical, is likely being exploited by a wide range of actors, from sophisticated APTs to ransomware groups, to gain initial access to corporate networks.\n\n## Impact Assessment\n-   **Fortinet (CVE-2026-21643):** Compromise of a FortiClient EMS server provides a powerful pivot point into a network. An attacker could manage and control endpoints, disable security features, and deploy further malware, including ransomware.\n-   **Adobe (CVE-2020-9715):** Exploitation provides an attacker with a foothold on an end-user workstation. From there, they can engage in lateral movement, credential theft, and data exfiltration.\n-   **Systemic Risk:** The targeting of security and management products (Fortinet EMS) and ubiquitous software (Adobe Reader) indicates that attackers are focusing on high-impact vulnerabilities that provide broad access.\n\n## Cyber Observables for Detection\nHunting for exploitation of these vulnerabilities requires log analysis and endpoint monitoring.\n\n**For CVE-2026-21643 (Fortinet):**\n| Type | Value | Description |\n|---|---|---|\n| url_pattern | Requests with SQL syntax | Monitor FortiClient EMS web logs for HTTP requests containing SQL keywords like `UNION`, `SELECT`, `char()`, or `'` in unusual places. |\n| process_name | `Fms.exe` | Monitor the main FortiClient EMS process for anomalous behavior, such as spawning shell processes (`cmd.exe`, `powershell.exe`). |\n\n**For CVE-2020-9715 (Adobe):**\n| Type | Value | Description |\n|---|---|---|\n| process_name | `AcroRd32.exe` | Monitor the Adobe Reader process for suspicious child processes, network connections to unknown domains, or attempts to write files to disk. |\n| file_name | `*.pdf` | Suspicious PDF files received via email should be opened in a sandboxed environment for analysis. |\n\n## Detection & Response\n- **Vulnerability Scanning:** Regularly scan internal and external assets for the presence of these and other vulnerabilities. Use the CISA KEV catalog as a prioritized list for your scanning and remediation efforts.\n- **D3FEND: Process Analysis:** For the Adobe flaw, use an EDR to monitor the behavior of `AcroRd32.exe`. It should not be spawning command shells or making unexpected network connections. This is a direct application of [`D3-PA: Process Analysis`](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis).\n- **Web Application Firewall (WAF):** For the Fortinet flaw, a properly configured WAF could detect and block the malicious HTTP requests containing SQL injection payloads before they reach the server.\n\n## Remediation Steps\n1.  **Prioritize and Patch:** Use the KEV catalog as a directive. All vulnerabilities on this list should be at the top of your patch management queue. Apply the updates provided by Fortinet, Adobe, and Microsoft immediately.\n2.  **Verify Patches:** After deployment, run authenticated vulnerability scans to verify that the patches were successfully applied and the vulnerabilities are no longer present.\n3.  **Risk-Based Patching:** Adopt a risk-based approach to vulnerability management. Prioritize patching for internet-facing systems, critical servers, and vulnerabilities known to be actively exploited (i.e., the KEV catalog).\n4.  **D3FEND: Software Update:** The core remediation is to maintain a robust and timely software update process. This is the foundation of defending against vulnerability exploitation and is captured in [`D3-SU: Software Update`](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate).","📢 CISA KEV UPDATE: 6 new flaws added, all actively exploited. Includes critical Fortinet SQLi (CVE-2026-21643) and Adobe RCE (CVE-2020-9715). Federal deadline is April 27. Prioritize these patches NOW! #CyberSecurity #PatchTuesday #CISA #KEV","CISA has added six actively exploited vulnerabilities to its KEV catalog, including a critical SQL injection in Fortinet FortiClient EMS (CVE-2026-21643) and a high-severity RCE in Adobe Reader.",[13,14],"Vulnerability","Patch Management","high",[17,21,25,28,31,34],{"name":18,"type":19,"url":20},"CISA","government_agency","https://www.cisa.gov",{"name":22,"type":23,"url":24},"Fortinet","vendor","https://www.fortinet.com/",{"name":26,"type":23,"url":27},"Adobe","https://www.adobe.com",{"name":29,"type":23,"url":30},"Microsoft","https://www.microsoft.com/security",{"name":32,"type":33},"Fortinet FortiClient EMS","product",{"name":35,"type":33},"Adobe Acrobat Reader",[37,42],{"id":38,"cvss_score":39,"kev":40,"severity":41},"CVE-2026-21643",9.1,true,"critical",{"id":43,"cvss_score":44,"kev":40,"severity":15},"CVE-2020-9715",7.8,[46,52],{"url":47,"title":48,"date":49,"friendly_name":50,"website":51},"https://thehackernews.com/2026/04/cisa-adds-6-known-exploited-flaws-in.html","CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software","2026-04-14","The Hacker News","thehackernews.com",{"url":53,"title":54,"date":55,"friendly_name":56,"website":57},"https://research.checkpoint.com/2026/04/13/13th-april-threat-intelligence-report/","13th April – Threat Intelligence Report","2026-04-13","Check Point Research","research.checkpoint.com",[59,62],{"datetime":60,"summary":61},"2026-04-13T00:00:00Z","CISA adds six vulnerabilities to the KEV catalog.",{"datetime":63,"summary":64},"2026-04-27T00:00:00Z","Deadline for FCEB agencies to patch the newly added vulnerabilities.",[66,70,74],{"id":67,"name":68,"tactic":69},"T1190","Exploit Public-Facing Application","Initial Access",{"id":71,"name":72,"tactic":73},"T1203","Exploitation for Client Execution","Execution",{"id":75,"name":76,"tactic":69},"T1133","External Remote Services",[78,83],{"id":79,"name":80,"description":81,"domain":82},"M1051","Update Software","The primary mitigation is to apply the security patches provided by the vendors for all listed CVEs.","enterprise",{"id":84,"name":85,"description":86,"domain":82},"M1016","Vulnerability Scanning","Use a vulnerability scanner to identify all assets affected by these vulnerabilities and use the KEV catalog to prioritize remediation.",[88,93],{"technique_id":89,"technique_name":90,"url":91,"recommendation":92,"mitre_mitigation_id":79},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","The CISA KEV catalog is a gift to defenders. It provides a clear, prioritized, and actionable list of vulnerabilities that require immediate attention. For CVE-2026-21643 and CVE-2020-9715, the primary and most effective countermeasure is a robust and rapid software update process. Organizations must have an asset inventory that can quickly identify all instances of Fortinet FortiClient EMS and Adobe Acrobat Reader. Upon CISA's announcement, the emergency patching process should be initiated. This involves deploying the vendor-supplied patches to all affected systems, starting with internet-facing servers (for the Fortinet flaw) and high-risk user groups. Patching vulnerabilities listed in the KEV catalog should be treated with the highest urgency, as it is a certainty that threat actors are actively scanning for and exploiting them.",{"technique_id":94,"technique_name":85,"url":95,"recommendation":96,"mitre_mitigation_id":84},"D3-VS","https://d3fend.mitre.org/technique/d3f:VulnerabilityScanning","To effectively act on CISA KEV alerts, organizations need a mature vulnerability scanning program. This isn't just about running a scan; it's about integrating the KEV feed into the program's logic. Your vulnerability management platform should be configured to automatically raise the priority of any finding that appears in the KEV catalog. Immediately following the addition of CVE-2026-21643 and CVE-2020-9715, an out-of-band, authenticated scan should be launched against the entire environment, specifically looking for these vulnerabilities. The results should be fed directly into a ticketing system for the teams responsible for patching, with a short, non-negotiable SLA for remediation. This ensures that CISA's intelligence is translated into concrete defensive action as quickly as possible.",[],[99,104,109],{"type":100,"value":101,"description":102,"context":103,"confidence":15},"url_pattern","HTTP requests with encoded SQL commands","Monitor web server logs for FortiClient EMS for requests containing URL-encoded or double-encoded SQL injection payloads.","Web Application Firewall (WAF) logs, web server access logs",{"type":105,"value":106,"description":107,"context":108,"confidence":15},"process_name","AcroRd32.exe","The Adobe Reader process should not spawn child processes like cmd.exe or powershell.exe. This behavior is a strong indicator of successful exploitation of a malicious PDF.","EDR logs, Windows Security Event ID 4688",{"type":110,"value":111,"description":112,"context":113,"confidence":15},"command_line_pattern","Fms.exe spawning child processes","The Fortinet EMS service process (Fms.exe) spawning unexpected child processes could indicate code execution post-exploitation.","EDR logs",[18,115,13,22,26,29,38,43,14],"KEV","2026-04-14T15:00:00.000Z","Advisory",{"geographic_scope":119,"industries_affected":120},"global",[121,122,123,124,125,126,127,128,129,130,131,132],"Healthcare","Finance","Energy","Government","Technology","Manufacturing","Retail","Education","Transportation","Telecommunications","Critical Infrastructure","Defense",6,1776260618300]