CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software

CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software
嗯，用户让我用中文总结一下这篇文章，控制在100字以内，而且不需要用“文章内容总结”之类的开头。好的，首先我得仔细阅读文章内容。文章主要讲的是美国网络安全和基础设施安全局（CISA）在周一新增了六个安全漏洞到他们的已知被利用漏洞目录中。这些漏洞都有各自的CVE编号和CVSS评分，看起来都是比较严重的。然后，我注意到每个漏洞的具体情况：比如Fortinet FortiClient EMS的SQL注入漏洞，CVSS得分9.1；Adobe Acrobat Reader的内存释放后使用漏洞，得分7.8；还有微软的一些漏洞，比如Windows Common Log File System Driver的越界读取和Exchange Server的反序列化问题。接下来，文章提到CISA之所以加入这些漏洞是因为有证据显示它们正在被积极利用。例如，CVE-2026-21643被Defused Cyber检测到从2026年3月24日开始有攻击尝试。微软也提到一个威胁行为者利用CVE-2023-21529来传播Medusa勒索软件。至于CVE-2012-1854，微软在2012年的公告中提到有限且有针对性的攻击尝试。其他三个漏洞目前还没有公开报告指出它们被利用的情况。最后，FCEB机构需要在2026年4月27日前修复这些漏洞。总结的时候需要涵盖CISA新增六个漏洞、各个漏洞的严重性、部分已被利用的情况以及修复期限。要控制在100字以内，所以得简洁明了。可能会这样组织语言：CISA新增六个高危漏洞至目录，涉及SQL注入、内存错误等；部分已被用于攻击；要求机构在4月前修复。这样既涵盖了主要信息，又符合字数限制。 </think> 美国网络安全机构CISA新增六项高危安全漏洞至已知被利用列表，包括SQL注入、内存错误及特权提升等严重问题；部分漏洞已被用于实际攻击活动；相关机构需于四月底前完成修复以应对威胁。 2026-4-14 05:39:0 Author: thehackernews.com(查看原文) 阅读量:13 收藏

Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added half a dozen security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The list of vulnerabilities is as follows -

CVE-2026-21643 (CVSS score: 9.1) - An SQL injection vulnerability in Fortinet FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CVE-2020-9715 (CVSS score: 7.8) - A use-after-free vulnerability in Adobe Acrobat Reader that could result in remote code execution.
CVE-2023-36424 (CVSS score: 7.8) - An out-of-bounds read vulnerability in Microsoft Windows Common Log File System Driver that could result in privilege escalation.
CVE-2023-21529 (CVSS score: 8.8) - A deserialization of untrusted data in Microsoft Exchange Server that could allow an authenticated attacker to achieve remote code execution.
CVE-2025-60710 (CVSS score: 7.8) - An improper link resolution before file access vulnerability in Host Process for Windows Tasks that could allow an authorized attacker to elevate privileges locally.
CVE-2012-1854 (CVSS score: 7.8) - An insecure library loading vulnerability in Microsoft Visual Basic for Applications (VBA) that could result in remote code execution.

The addition of CVE-2026-21643 to the KEV catalog comes after Defused Cyber said it detected exploitation attempts targeting the flaw since March 24, 2026. Last week, Microsoft revealed that a threat actor it tracks as Storm-1175 has been weaponizing CVE-2023-21529 in attacks to deliver Medusa ransomware.

As for CVE-2012-1854, the Windows makeracknowledged in an advisory released in July 2012 that it's aware of "limited, targeted attacks" attempting to abuse the vulnerability. The exact nature of the attacks is presently unknown.

There are currently no public reports referencing the exploitation of the remaining three vulnerabilities. In light of active attacks, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by April 27, 2026.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

文章来源: https://thehackernews.com/2026/04/cisa-adds-6-known-exploited-flaws-in.html
如有侵权请联系:admin#unsafe.sh