Between April 13 and April 15, CISA added nine vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active, real-world exploitation. According to CISA's official alerts, the additions span multiple vendors: Fortinet, Microsoft Exchange, and Adobe software are all represented in the latest batch.
The Hacker News reported that six of these flaws require federal civilian executive branch (FCEB) patching by April 27, 2026—a hard deadline that signals CISA's assessment of immediate risk to critical systems. This compressed timeline is not routine; it indicates active threat actor activity against these specific vulnerabilities in operational environments.
Why this matters: The KEV Catalog is CISA's official record of vulnerabilities being exploited in the wild. When a flaw lands here, it means defenders have shifted from theoretical risk to confirmed, documented compromise. The presence of both commodity vendors (Fortinet networking equipment, Microsoft Exchange) and application-layer software (Adobe) suggests attackers are working across multiple attack surfaces—network perimeter, email infrastructure, and user-facing applications.
The April 27 deadline for federal systems creates a known decision point. Organizations outside the federal space should not treat that date as their own deadline; however, it does suggest CISA assesses the threat window as measurable in days, not weeks. That timing pressure typically reflects active exploitation campaigns already underway.
What to watch: Monitor CISA's KEV Catalog directly over the next 10 days. Additional entries in this same window—particularly if they affect similar infrastructure (networking, email, collaboration tools)—would suggest a coordinated campaign rather than isolated exploitation. Watch for vendor advisories containing patch deployment guidance specific to known-exploited flaws; prioritize those over routine updates. If your organization runs any Fortinet, Exchange, or Adobe products, cross-reference your asset inventory against the specific CVE identifiers CISA has flagged.
