U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog
2026-4-14 07:38:20 Author: securityaffairs.com


U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added seven flaws affecting Adobe Acrobat and Reader, Microsoft Visual Basic for Applications, Microsoft Exchange Server, Microsoft Windows, and Fortinet FortiClientEMS to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability
  • CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
  • CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
  • CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
  • CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
  • CVE-2025-60710 Microsoft Windows Link Following Vulnerability
  • CVE-2026-21643 Fortinet SQL Injection Vulnerability

Last week, Adobe released emergency updates to address a critical vulnerability, tracked as CVE-2026-34621 (CVSS score of 8.6), in Adobe Acrobat Reader, which is being actively exploited. The flaw could allow attackers to execute malicious code on affected systems, making prompt patching essential to reduce the risk of compromise.

The vulnerability is an improperly controlled modification of object prototype attributes (‘Prototype Pollution’) that can lead to arbitrary code execution.

CISA also added to the KEV catalog CVE-2012-1854, an untrusted search path (DLL hijacking) flaw in the Visual Basic for Applications components of Microsoft Office, specifically VBE6.dll, which is used by both Office and Visual Basic for Applications. Despite its age, the flaw meets the catalog's criterion of evidence of active exploitation.

The third issue added to the catalog is CVE-2020-9715, a use-after-free bug in Adobe Acrobat that can lead to arbitrary code execution.

The US agency also added CVE-2026-21643 to the catalog. In February, Fortinet issued an urgent advisory for a critical FortiClientEMS vulnerability, tracked as CVE-2026-21643 (CVSS score of 9.1).

The vulnerability is an improper neutralization of special elements used in an SQL command ('SQL Injection') issue in FortiClientEMS. An unauthenticated attacker can trigger the flaw to execute unauthorized code or commands via specially crafted HTTP requests.

A successful attack could give attackers an initial foothold in the target network, enabling lateral movement or malware deployment.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by April 27, 2026, except CVE-2026-21643, which must be addressed by April 16, 2026.
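The catalog is published as a JSON feed, so the review-and-remediate cycle BOD 22-01 describes can be scripted. The block below is an added example, not code from the Security Affairs article or from CISA: it parses a file in the KEV feed's schema and answers the operational questions above (what was added on a given day, what is due within a window, what is already overdue, and which entries touch products in a local asset inventory). The sample feed is constructed here from the article's list of CVEs and due dates; the dateAdded, shortDescription and requiredAction values are placeholders, and the vendorProject/product strings are assumptions about how the catalog names these products. The same functions run unchanged on the live file at KEV_FEED_URL.

```python
"""Triage CISA Known Exploited Vulnerabilities (KEV) entries against BOD 22-01
due dates and a local asset inventory. Added example; not from the article or CISA."""
import json
import urllib.request
from datetime import date, timedelta

# Live catalog; it uses the same schema as the constructed sample below.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")


def _entry(cve, vendor, product, name, due, added="2026-04-13"):
    # dateAdded, shortDescription and requiredAction are placeholders
    # (assumptions), not the catalog's real values for these CVEs.
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": added,
            "shortDescription": "placeholder",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": due, "knownRansomwareCampaignUse": "Unknown"}


# Constructed sample feed: CVE IDs, vendors, products and due dates follow the
# article; vendor/product naming is assumed. Not a copy of the real catalog.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        _entry("CVE-2026-34621", "Adobe", "Acrobat and Reader",
               "Adobe Acrobat and Reader Prototype Pollution Vulnerability", "2026-04-27"),
        _entry("CVE-2012-1854", "Microsoft", "Visual Basic for Applications",
               "Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability",
               "2026-04-27"),
        _entry("CVE-2020-9715", "Adobe", "Acrobat",
               "Adobe Acrobat Use-After-Free Vulnerability", "2026-04-27"),
        _entry("CVE-2023-21529", "Microsoft", "Exchange Server",
               "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
               "2026-04-27"),
        _entry("CVE-2023-36424", "Microsoft", "Windows",
               "Microsoft Windows Out-of-Bounds Read Vulnerability", "2026-04-27"),
        _entry("CVE-2025-60710", "Microsoft", "Windows",
               "Microsoft Windows Link Following Vulnerability", "2026-04-27"),
        _entry("CVE-2026-21643", "Fortinet", "FortiClientEMS",
               "Fortinet SQL Injection Vulnerability", "2026-04-16"),
    ],
})


def load_kev(raw_json: str) -> list:
    """Return the catalog's vulnerability entries from feed JSON text."""
    return json.loads(raw_json)["vulnerabilities"]


def fetch_live(url: str = KEV_FEED_URL, timeout: int = 30) -> list:
    """Download and parse the live catalog (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def _as_date(d) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string (the feed's format)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def _due(entry) -> date:
    return _as_date(entry["dueDate"])


def added_on(entries, day) -> list:
    """Entries whose dateAdded equals `day`, i.e. that day's new additions."""
    day = _as_date(day)
    return [e for e in entries if _as_date(e["dateAdded"]) == day]


def due_within(entries, today, days: int) -> list:
    """Still-open entries whose due date is within `days` of `today`, soonest first."""
    today = _as_date(today)
    horizon = today + timedelta(days=days)
    return sorted((e for e in entries if today <= _due(e) <= horizon), key=_due)


def overdue(entries, today) -> list:
    """Entries whose BOD 22-01 due date has already passed."""
    today = _as_date(today)
    return sorted((e for e in entries if _due(e) < today), key=_due)


def match_inventory(entries, inventory) -> list:
    """Cross-reference (vendor, product) pairs from an asset inventory with the
    catalog. Vendor must match exactly (case-insensitive); product is a
    case-insensitive substring match, so "Acrobat" also hits "Acrobat and Reader".
    Returns (vendor, product, cveID, dueDate) tuples, soonest due first."""
    hits = []
    for vendor, product in inventory:
        for e in entries:
            if (e["vendorProject"].lower() == vendor.lower()
                    and product.lower() in e["product"].lower()):
                hits.append((vendor, product, e["cveID"], e["dueDate"]))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    entries = load_kev(SAMPLE_FEED)   # replace with fetch_live() for the real feed
    for e in due_within(entries, "2026-04-14", 14):
        print(e["dueDate"], e["cveID"], e["vulnerabilityName"])
    for hit in match_inventory(entries, [("Microsoft", "Exchange Server"),
                                         ("Fortinet", "FortiClientEMS")]):
        print("inventory hit:", hit)
```

Run against the sample with today set to 2026-04-14, a seven-day window returns only CVE-2026-21643, while a fourteen-day window returns all seven with the Fortinet entry first; the product substring match is deliberately loose so that an inventory row such as "Acrobat" is not silently missed when the catalog lists the product as "Acrobat and Reader", at the cost of some false positives that a reviewer must then dismiss.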


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)




Source: https://securityaffairs.com/190775/security/u-s-cisa-adds-adobe-fortinet-microsoft-windows-microsoft-exchange-server-and-microsoft-windows-flaws-to-its-known-exploited-vulnerabilities-catalog.html