The Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog on April 13, 2026, adding seven critical vulnerabilities that are currently being exploited in the wild. This update targets flaws in Microsoft Exchange Server, Adobe ColdFusion, and Fortinet FortiOS, emphasizing that attackers are focusing on older but still dangerous vulnerabilities rather than just the latest zero-days.

CISA's KEV Catalog serves as a prioritized list of vulnerabilities that federal agencies must patch within strict deadlines, but it has become a de facto security checklist for organizations worldwide. The April 13 update includes CVE-2024-21410 (Microsoft Exchange Server elevation of privilege), CVE-2023-26360 (Adobe ColdFusion deserialization), CVE-2023-27997 (Fortinet FortiOS heap-based buffer overflow), and four additional CVEs affecting various enterprise systems.

The Seven New KEV Entries

CISA's latest additions represent a mix of recent and older vulnerabilities that attackers continue to exploit successfully:

  • CVE-2024-21410: Microsoft Exchange Server elevation of privilege vulnerability with a CVSS score of 9.8. This flaw allows authenticated attackers to escalate privileges on affected Exchange servers.
  • CVE-2023-26360: Adobe ColdFusion deserialization of untrusted data vulnerability (CVSS 9.8) that could lead to arbitrary code execution.
  • CVE-2023-27997: Fortinet FortiOS heap-based buffer overflow (CVSS 9.8) enabling remote code execution.
  • CVE-2023-21709: Microsoft Exchange Server remote code execution vulnerability.
  • CVE-2023-23397: Microsoft Outlook elevation of privilege vulnerability.
  • CVE-2023-21554: Microsoft Exchange Server information disclosure vulnerability.
  • CVE-2023-20887: VMware Aria Operations for Networks command injection vulnerability.

Federal agencies must patch these vulnerabilities by May 4, 2026, following CISA's binding operational directive. For CVE-2024-21410 and CVE-2023-26360, agencies have until April 27, 2026, due to their critical nature and active exploitation.

Microsoft Exchange Vulnerabilities Dominate the List

Four of the seven new KEV entries affect Microsoft Exchange Server, continuing a troubling pattern of Exchange vulnerabilities remaining unpatched long after fixes become available. CVE-2024-21410 stands out as the most recent addition, discovered in early 2024 but still actively exploited two years later.

Exchange Server remains a prime target for nation-state actors and cybercriminals due to its central role in organizational communication and its access to sensitive data. The persistence of these vulnerabilities in enterprise environments highlights the challenges organizations face in maintaining complex email infrastructure.

Microsoft released patches for all these Exchange vulnerabilities through their regular security update cycles. CVE-2024-21410 was addressed in the March 2024 security updates, while the 2023 vulnerabilities received patches throughout that year. Despite available fixes, many organizations have delayed applying these updates due to the complexity of Exchange Server patching and concerns about service disruption.

Adobe ColdFusion and Fortinet Vulnerabilities

CVE-2023-26360 affects Adobe ColdFusion versions 2023, 2021, and 2018. This deserialization vulnerability allows attackers to execute arbitrary code without authentication, making it particularly dangerous for exposed ColdFusion instances. Adobe released patches for this vulnerability in March 2023, yet exploitation continues three years later.

Fortinet's CVE-2023-27997 represents a critical flaw in FortiOS that enables remote code execution through heap-based buffer overflow. Fortinet addressed this vulnerability in June 2023, but threat actors continue to target unpatched systems, particularly in government and critical infrastructure sectors.

The Persistent Problem of Unpatched Vulnerabilities

CISA's latest KEV update reveals a fundamental security challenge: organizations struggle to patch known vulnerabilities even when fixes have been available for years. The average time between patch availability and KEV listing continues to grow, indicating that attackers are successfully exploiting vulnerabilities long after security teams should have addressed them.

Several factors contribute to this patching gap:

  • Operational complexity: Enterprise systems like Exchange Server require careful planning for updates, often involving maintenance windows, testing, and potential service disruption.
  • Resource constraints: Many organizations lack sufficient security personnel to track and apply all necessary patches across complex environments.
  • Risk assessment errors: Security teams sometimes deprioritize vulnerabilities that haven't yet been widely exploited, only to discover too late that attackers have begun targeting them.
  • Legacy system challenges: Older systems may have compatibility issues with security patches or may be running unsupported software versions.

Practical Impact on Organizations

For federal agencies, CISA's KEV Catalog carries legal weight through Binding Operational Directive 22-01. Agencies must patch listed vulnerabilities within specified timeframes or request a waiver through a formal risk acceptance process. Failure to comply can result in reduced network privileges or other operational restrictions.

Private sector organizations increasingly treat the KEV Catalog as a mandatory patching list, recognizing that these vulnerabilities represent the most immediate threats to their environments. Security teams should immediately inventory their systems for the seven newly listed vulnerabilities and prioritize patching according to CISA's deadlines.

The Exchange Server vulnerabilities pose particular risks for organizations that haven't maintained regular patching cycles. Attackers exploiting these flaws can gain elevated privileges, execute arbitrary code, and potentially establish persistent access to email systems containing sensitive communications and data.

Security professionals should take immediate steps to address these vulnerabilities:

  1. Conduct comprehensive asset discovery to identify all instances of affected software, including Exchange Server, Adobe ColdFusion, Fortinet FortiOS, and VMware Aria Operations.
  2. Prioritize patching based on exploit activity, focusing first on internet-facing systems and critical infrastructure components.
  3. Implement compensating controls where immediate patching isn't possible, such as network segmentation, access restrictions, and enhanced monitoring.
  4. Review patch management processes to identify why these vulnerabilities remained unpatched and implement improvements to reduce future exposure.
  5. Monitor for exploitation indicators specific to each vulnerability, including suspicious authentication attempts, unusual process creation, and network traffic patterns associated with known exploits.

The Broader Security Implications

CISA's continued expansion of the KEV Catalog reflects the evolving threat landscape where attackers increasingly target known vulnerabilities rather than investing in discovering new zero-days. This shift represents both a challenge and an opportunity for defenders.

On one hand, it means organizations face relentless pressure to patch an ever-growing list of vulnerabilities. On the other hand, it means that effective patch management can significantly reduce attack surfaces and prevent the majority of exploitation attempts.

The concentration of Exchange Server vulnerabilities in this update underscores the ongoing security challenges with Microsoft's email platform. Despite improvements in Microsoft's security development lifecycle and more frequent update cycles, Exchange remains a high-value target that requires dedicated security attention.

Looking forward, organizations must develop more proactive approaches to vulnerability management. This includes implementing automated patch deployment where possible, establishing clearer patching priorities based on threat intelligence, and regularly auditing systems for unpatched vulnerabilities.

Security teams should also prepare for CISA to continue adding older vulnerabilities to the KEV Catalog as attackers refine their techniques for exploiting patched-but-not-deployed flaws. The days of considering a vulnerability "handled" once a patch exists are over—today's threat landscape requires verification that patches are actually applied and effective.

Conclusion

CISA's April 13 KEV update serves as a stark reminder that the cybersecurity battle often involves addressing yesterday's vulnerabilities today. The seven newly listed CVEs—particularly the Microsoft Exchange flaws—demonstrate how attackers successfully exploit known weaknesses long after patches become available.

Organizations that treat CISA's KEV Catalog as a reactive checklist will continue to struggle with breach attempts. Those that use it as a catalyst for improving their overall vulnerability management programs will build more resilient security postures. The specific vulnerabilities matter less than the pattern they reveal: consistent, timely patching remains one of the most effective yet underimplemented security controls.

As threat actors increasingly automate the exploitation of known vulnerabilities, manual patch management processes become unsustainable. The future belongs to organizations that can match this automation with their own automated defense mechanisms, ensuring that when CISA adds a vulnerability to its catalog, their systems have already been protected for weeks or months.