The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven security flaws to its Known Exploited Vulnerabilities (KEV) catalog. The update, announced on Monday, covers vulnerabilities in Windows, Adobe Acrobat and Reader, Microsoft Exchange and Fortinet FortiClient EMS.
Windows Vulnerabilities Under the Spotlight
Among the new entries are two Windows privilege-escalation flaws. The first, tracked as CVE-2023-36424, is an elevation-of-privilege bug in the Windows Common Log File System (CLFS) driver. As a local privilege-escalation issue it is only useful to an attacker who already has code execution on the host, so it is typically chained after an initial foothold to reach SYSTEM.
Microsoft patched the flaw in November 2023. Technical details and proof-of-concept (PoC) exploit code were published the following month, which raised the urgency of applying the update.
The second, CVE-2025-60710, is a link-following flaw in the Windows Tasks host process that likewise allows privilege escalation. Microsoft patched it in November 2025, and PoC code was released shortly afterwards.
Adobe and Other Software Vulnerabilities
The update also includes CVE-2020-9715, a use-after-free in Adobe Acrobat and Reader that can lead to arbitrary code execution. Adobe patched it in August 2020, but PoC code is publicly available and the KEV listing confirms that unpatched installations are still being targeted.
Rounding out the list are CVE-2023-21529, a Microsoft Exchange Server flaw whose exploitation has been linked to the Medusa ransomware group, and two bugs exploited as zero-days: CVE-2026-34621 in Adobe Acrobat and CVE-2026-21643 in Fortinet FortiClient EMS.
CISA’s Recommendations for Federal Agencies
Under Binding Operational Directive 22-01, federal civilian agencies must remediate every KEV entry by the due date CISA assigns. For this batch, most entries carry a two-week deadline; the Fortinet FortiClient EMS flaw has its deadline set for April 16.
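Because the KEV catalog is published as a JSON feed, the due dates above can be checked mechanically rather than by reading the advisory. The script below is an added example, not CISA's code or part of the original article: it parses a document in the catalog's published JSON shape (top-level `count` and `vulnerabilities`, entries with `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse`), matches entries against a set of CVE IDs that are actually present in your environment, and buckets them into overdue, due soon and on track, with known ransomware use sorted first. The three embedded entries are constructed sample input that borrows the CVE IDs from this article; their dates, names and descriptions are placeholders, not the catalog's real values. `fetch_kev` downloads the live feed from CISA's published URL and is not called by default.

```python
import json
import urllib.request
from datetime import date, timedelta

# Published location of the live feed (not fetched here; the sample below stands in for it).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV JSON feed. Field names follow the
# catalog's published schema; dates, names and descriptions are placeholders
# made up for this example, not the catalog's real values.
SAMPLE_KEV_JSON = r"""{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2026-03-30T12:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Windows CLFS driver privilege escalation (sample entry)",
     "dateAdded": "2026-03-30", "shortDescription": "sample", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-04-13", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Exchange Server remote code execution (sample entry)",
     "dateAdded": "2026-03-30", "shortDescription": "sample", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-04-13", "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": []},
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "vulnerabilityName": "FortiClient EMS vulnerability (sample entry)",
     "dateAdded": "2026-03-30", "shortDescription": "sample", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-04-16", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": []}
  ]
}"""


def parse_kev(text):
    """Parse a KEV JSON document and return its vulnerability entries.

    Rejects a document whose 'count' disagrees with the array length, which
    catches a truncated download before it silently shortens the work list.
    """
    doc = json.loads(text)
    entries = doc["vulnerabilities"]
    if "count" in doc and doc["count"] != len(entries):
        raise ValueError(f"KEV count {doc['count']} != {len(entries)} entries (truncated feed?)")
    return entries


def fetch_kev(url=KEV_FEED_URL, timeout=30):
    """Download and parse the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_kev(resp.read().decode("utf-8"))


def _as_date(value):
    """Accept either a date object or an ISO 8601 string such as '2026-04-16'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def triage(entries, in_scope_cves, today, soon_days=7):
    """Bucket KEV entries against an asset inventory and their BOD 22-01 due dates.

    in_scope_cves: CVE IDs that map to software actually deployed (from a
    vulnerability scanner or CMDB). Entries outside that set are reported
    separately so they are not lost, but they are not scheduled.
    """
    today = _as_date(today)
    buckets = {"overdue": [], "due_soon": [], "on_track": [], "out_of_scope": []}
    for e in entries:
        cve = e["cveID"]
        if cve not in in_scope_cves:
            buckets["out_of_scope"].append(cve)
            continue
        due = _as_date(e["dueDate"])
        item = {
            "cve": cve,
            "product": f"{e['vendorProject']} {e['product']}",
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        }
        if due < today:
            buckets["overdue"].append(item)
        elif due - today <= timedelta(days=soon_days):
            buckets["due_soon"].append(item)
        else:
            buckets["on_track"].append(item)
    # Within each bucket: known ransomware use first, then earliest due date.
    for key in ("overdue", "due_soon", "on_track"):
        buckets[key].sort(key=lambda i: (not i["ransomware"], i["due"]))
    return buckets


if __name__ == "__main__":
    report = triage(parse_kev(SAMPLE_KEV_JSON),
                    in_scope_cves={"CVE-2023-36424", "CVE-2023-21529", "CVE-2026-21643"},
                    today="2026-04-14")
    for bucket, items in report.items():
        print(bucket, items)
```

Feeding the output of `fetch_kev()` and your scanner's CVE list into `triage` gives a daily work list; the `count` check matters because a partially downloaded feed parses as valid JSON only if it happens to be cut at a clean boundary, and a short list is the failure mode that goes unnoticed.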
The directive binds only federal civilian agencies, but CISA recommends that all organizations monitor the KEV catalog and prioritize its entries: inclusion means the flaw is being exploited in the wild, not merely that it is theoretically severe. Organizations outside the federal government running the affected Windows, Adobe, Exchange or FortiClient EMS software should treat the same deadlines as a baseline and apply the vendor patches without waiting for evidence of attacks against their own systems.
