CISA Adds 6 Exploited Flaws: Fortinet, Microsoft, Adobe

CISA Adds 6 Known Exploited Vulnerabilities to KEV Catalog

CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with six newly confirmed actively exploited flaws spanning Fortinet, Microsoft, and Adobe products. This is not theoretical risk. These vulnerabilities have confirmed exploitation in the wild, which means federal agencies are under a binding directive to patch them, and private organizations should treat that same deadline as their own.

The KEV catalog exists precisely because vendors issuing advisories and developers ignoring them has become the default cycle. Adding a flaw to KEV breaks that cycle by attaching an official acknowledgment: attackers are already using this.

How These Vulnerabilities Are Being Exploited

Fortinet flaws in this batch follow a familiar pattern. Attackers target perimeter devices, specifically SSL-VPN and FortiOS interfaces, because they sit at the edge of networks with high privilege and often inconsistent patch cadence. Once inside, lateral movement is fast. Fortinet devices are frequently trusted by internal network segments, so a compromised edge device can reach databases, internal APIs, and authentication systems without triggering much noise.

Microsoft vulnerabilities in this update touch components that are deeply embedded in enterprise workflows. Privilege escalation and remote code execution bugs in Windows and associated services remain the most reliable paths for ransomware operators and nation-state actors alike. The attack surface is enormous given how widely these products are deployed.

Adobe flaws, often dismissed as lower severity, are being actively exploited through document-based delivery. PDFs and other Adobe-processed files remain a primary phishing vector. A crafted file sent via email or downloaded from a compromised site can trigger code execution before a user realizes anything went wrong.

What This Means for Your Attack Surface

Developers and security teams running any of these products need to audit their exposure immediately. The risk is not limited to direct exploitation. Vulnerable Fortinet appliances managing remote access can expose your entire internal network. Unpatched Microsoft components on developer workstations or build servers can become entry points that compromise CI/CD pipelines, secrets stores, and production deployments.

Web applications sitting behind vulnerable infrastructure are also indirectly at risk. If an attacker owns the VPN gateway or the server running your app, your application-layer defenses become irrelevant. The perimeter breach sidesteps them entirely.

You can review the full updated KEV catalog at CISA's official KEV list and cross-reference your asset inventory against the listed CVEs.

How to Protect Your Systems Right Now

Patching is the obvious first step but not always immediate. While patches are staged and tested, prioritize these mitigations:

• Fortinet: Restrict management interface access to trusted IP ranges. Disable SSL-VPN if not actively required. Review active sessions for anomalies.
• Microsoft: Apply the relevant security updates through Windows Update or WSUS. Audit privileged accounts for unusual activity.
• Adobe: Update all Adobe Reader and Acrobat installations. Consider enabling Protected Mode and disabling JavaScript in PDF rendering where operationally possible.

Beyond this batch, check your web applications for unrelated but commonly co-exploited vulnerabilities. Running a DAST scan at /scan can surface exposed endpoints and misconfigurations attackers pair with known CVEs to escalate impact.

Patch windows matter less than attackers having a head start. With active exploitation confirmed, every day of delay increases risk.

Why does CISA's KEV catalog matter more than standard CVE advisories? KEV entries have confirmed in-the-wild exploitation, not just theoretical proof-of-concept. That distinction signals immediate, real-world risk rather than potential future risk.

Do these vulnerabilities affect cloud-hosted applications? Yes, indirectly. If your cloud infrastructure uses Fortinet for remote access, or Windows-based servers, the underlying host can be compromised even if your application code is clean.

How quickly do attackers exploit newly listed KEV vulnerabilities? In many cases, exploitation precedes the KEV listing. Once CISA publishes, it often signals that exploitation has already been widespread enough to confirm across multiple incidents.

Run a free automated scan on your web application at VibeWShield and identify vulnerabilities before attackers do.