Dateline: April 14, 2026
Introduction
The U.S. Cybersecurity and Infrastructure Security Agency added six security vulnerabilities to its Known Exploited Vulnerabilities catalog Monday, warning that attackers are actively targeting flaws in software from Fortinet, Microsoft, and Adobe. The KEV catalog serves as a priority list for organizations that need to patch the most dangerous security holes first.
What Happened?
CISA’s latest update brings the catalog to over 1,200 known exploited flaws. The agency requires federal agencies to patch KEV-listed vulnerabilities within specific timeframes, typically 14 to 21 days depending on the severity and exploitation evidence.
The newly added vulnerabilities span multiple product categories. Fortinet’s security appliances, Microsoft’s widely deployed software suite, and Adobe’s creative applications all face active exploitation campaigns. CISA bases KEV additions on concrete evidence of real-world attacks rather than theoretical threat assessments.
Federal agencies must now prioritize patching these six vulnerabilities ahead of thousands of other known security flaws. Private organizations, while not bound by CISA’s mandates, often use the KEV catalog as a roadmap for their own patching priorities.
The timing coincides with increased scrutiny on software supply chain security. Recent high-profile attacks have highlighted how vulnerabilities in widely used software can cascade across entire industries when left unpatched.
The Impact
Organizations running affected Fortinet, Microsoft, and Adobe software face immediate risk from ongoing attack campaigns. The KEV designation signals that these aren’t theoretical vulnerabilities but active attack vectors that cybercriminals and nation-state actors are already exploiting in the wild.
For federal agencies, the clock starts ticking immediately. Missing CISA’s patching deadlines can trigger compliance violations and increase an organization’s exposure during security audits. Private companies, especially those in critical infrastructure sectors, face similar pressure to act quickly.
The software vendors affected serve millions of users worldwide. Microsoft’s enterprise software runs on countless corporate networks. Fortinet’s security appliances protect network perimeters at major organizations. Adobe’s creative suite dominates professional design workflows. Vulnerabilities in these platforms create attack opportunities across entire industry verticals.
How to Avoid This
IT administrators should immediately check their environments for the products and versions affected by the six newly added vulnerabilities. Download patches directly from vendor security advisories rather than waiting for automatic update systems that might lag behind critical fixes.
Prioritize these CISA-flagged vulnerabilities over routine patching schedules. The KEV catalog represents active threats, not future possibilities. Test patches in staging environments when possible, but don’t let testing delays extend exposure to active exploitation.
Organizations without dedicated security teams should consider the KEV catalog a monthly reference point. Subscribe to CISA’s alerts and vendor security bulletins to stay current on emerging threats. Small businesses can use managed security services to handle critical patching when internal resources fall short.
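The triage step described above, as an added example that is not part of the original article or any CISA tooling: it filters KEV entries by date added, matches them against an asset inventory, and orders the result by remediation due date. The field names follow CISA's KEV JSON feed; the CVE IDs, product names, hosts and dates are constructed placeholders.

```python
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (same field names).
# CVE IDs and product names are placeholders, not real catalog entries.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Fortinet", "product": "Product-A",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Product-B",
     "dateAdded": "2026-04-13", "dueDate": "2026-05-04"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Adobe", "product": "Product-C",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27"},
    {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft", "product": "Product-B",
     "dateAdded": "2025-11-03", "dueDate": "2025-11-24"},  # older entry, filtered out
]}

# Hypothetical asset inventory: (host, vendor, product).
INVENTORY = [
    ("srv-mail-02", "Microsoft", "Product-B"),
    ("ws-design-07", "Adobe", "Product-C"),
    ("fw-edge-01", "Fortinet", "Product-A"),
    ("srv-db-03", "Oracle", "Product-Z"),  # no KEV match
]

def newly_added(catalog, since):
    """Return catalog entries whose dateAdded is on or after `since`."""
    return [v for v in catalog["vulnerabilities"]
            if date.fromisoformat(v["dateAdded"]) >= since]

def patch_queue(catalog, inventory, since, today):
    """Match new KEV entries to inventory, ordered by remediation due date."""
    queue = []
    for v in newly_added(catalog, since):
        due = date.fromisoformat(v["dueDate"])
        for host, vendor, product in inventory:
            # KEV entries carry no structured version range, so this matches on
            # vendor and product only; confirm affected versions in the advisory.
            if (vendor.lower(), product.lower()) == (
                    v["vendorProject"].lower(), v["product"].lower()):
                queue.append({"host": host, "cve": v["cveID"], "due": due,
                              "days_left": (due - today).days, "overdue": due < today})
    return sorted(queue, key=lambda r: (r["due"], r["host"]))

if __name__ == "__main__":
    for row in patch_queue(KEV_SAMPLE, INVENTORY, date(2026, 4, 13), date(2026, 4, 29)):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(row["due"], row["host"], row["cve"], flag)
```

In practice the catalog dictionary would be loaded from the published KEV JSON file and the inventory from an asset database or CMDB export.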