The US cybersecurity agency CISA on Monday expanded its Known Exploited Vulnerabilities (KEV) catalog with seven vulnerabilities, including two Windows bugs.
Tracked as CVE-2023-36424, the first of the Windows flaws is described as a common log file driver issue that could lead to privilege escalation.
Microsoft released patches for the vulnerability in November 2023, and technical details and proof-of-concept (PoC) code targeting it were published the next month.
The second Windows weakness added to the KEV list is CVE-2025-60710, described as a link-following vulnerability in the host process for Windows Tasks that could be exploited for privilege escalation.
Patches for the security defect were released in November 2025, and PoC exploit code was made available shortly after.
There appear to be no reports of these flaws being exploited in the wild prior to CISA’s warning. The same applies to CVE-2020-9715, a use-after-free bug in Adobe Acrobat and Reader leading to arbitrary code execution.
The bug was patched in August 2020, and PoC code targeting it has been publicly available for years.
On Monday, CISA also added to the KEV list CVE-2023-21529, an Exchange weakness flagged as exploited by Microsoft last week in a report detailing the Medusa ransomware gang’s recent activity.
Other new additions to the KEV list include CVE-2026-34621 and CVE-2026-21643, recently disclosed issues in Adobe Acrobat and Reader, and Fortinet FortiClient EMS that have been exploited as zero-days. Both defects allow remote attackers to execute arbitrary code on vulnerable systems.
Additionally, CISA warned that CVE-2012-1854, an insecure library-loading vulnerability in Microsoft Visual Basic for Applications that enables remote code execution (RCE), has been in attackers’ crosshairs.
The security defect was patched in November 2012, when Microsoft warned that it had been exploited in the wild as a zero-day.
CISA urges federal agencies to apply fixes for these vulnerabilities within two weeks, except for the Fortinet bug, which should be patched by April 16.
Related: Critical Marimo Flaw Exploited Hours After Public Disclosure
Related: TrueConf Zero-Day Exploited in Asian Government Attacks
Related: React2Shell Exploited in Large-Scale Credential Harvesting Campaign
Related: F5 BIG-IP DoS Flaw Upgraded to Critical RCE, Now Exploited in the Wild
