April 16, 2026 Critical Vulnerabilities

CISA Warns of 6 Actively Exploited Flaws in Fortinet, Microsoft & Adobe — What Australian Businesses Must Do Now

On 14 April 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added six security flaws to its Known Exploited Vulnerabilities catalogue, among them a CVSS 9.8 SQL injection in Fortinet FortiClient EMS that needs no authentication to exploit. Australian organisations running these products have days, not weeks, to act.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

What Happened: CISA's April 2026 KEV Catalogue Update

CISA adds entries to its Known Exploited Vulnerabilities (KEV) catalogue whenever it has evidence that a flaw is being exploited in the wild, often several times a week. Unlike a generic vulnerability database, the KEV catalogue carries real weight: US federal civilian agencies are required under Binding Operational Directive 22-01 to remediate listed flaws by a set due date, and the list is an authoritative signal to the wider security community about which vulnerabilities are being exploited right now.
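Here is how a security team turns that signal into a work item. This is an added example written for this post, not CISA code: it loads the KEV JSON feed (the real feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the cveID, vendorProject, product, dateAdded and dueDate fields shown), filters to entries added since a given date, and matches them against an asset inventory. The feed excerpt, hostnames and inventory are constructed for the example; due dates are filled in only where this post states them.

```python
"""Cross-reference a CISA KEV feed against a local asset inventory.

Added illustrative example, not code from the original post and not CISA
tooling. The field names (cveID, vendorProject, product, dateAdded, dueDate)
are the feed's own; the records and the inventory below are a constructed
excerpt limited to what the post states. Pull the live feed for real use.
"""
import json
from datetime import date

# Constructed excerpt of the feed. dueDate is filled only where the post
# gives it (the live feed always carries one).
SAMPLE_KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
   "dateAdded": "2026-04-14", "dueDate": "2026-04-16"},
  {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet", "product": "FortiClient EMS",
   "dateAdded": "2026-04-14", "dueDate": ""},
  {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
   "dateAdded": "2026-04-14", "dueDate": ""},
  {"cveID": "CVE-2023-36424", "vendorProject": "Microsoft", "product": "Windows",
   "dateAdded": "2026-04-14", "dueDate": ""}
]}
"""

# Constructed asset inventory; hostnames and versions are placeholders.
INVENTORY = [
    {"host": "ems01.corp.example", "vendor": "Fortinet", "product": "FortiClient EMS", "version": "7.4.4"},
    {"host": "fw01.corp.example", "vendor": "Fortinet", "product": "FortiGate", "version": "7.4.x"},
    {"host": "mail01.corp.example", "vendor": "Microsoft", "product": "Exchange Server", "version": "2019"},
    {"host": "ws-0042", "vendor": "Microsoft", "product": "Windows 11", "version": "23H2"},
]


def _norm(text):
    return " ".join(text.casefold().split())


def load_kev(raw_json):
    return json.loads(raw_json)["vulnerabilities"]


def match_kev(kev_entries, inventory, since, today):
    """One hit per (asset, KEV entry) pair for entries added on or after `since`.

    `since` and `today` are ISO date strings. KEV carries no affected-version
    data, so a product-name match is a prompt to read the vendor advisory,
    not a confirmed vulnerable host; the asset's version is echoed back for
    that check.
    """
    since, today = date.fromisoformat(since), date.fromisoformat(today)
    hits = []
    for entry in kev_entries:
        if date.fromisoformat(entry["dateAdded"]) < since:
            continue
        due = date.fromisoformat(entry["dueDate"]) if entry.get("dueDate") else None
        for asset in inventory:
            if _norm(asset["vendor"]) != _norm(entry["vendorProject"]):
                continue
            kev_product, asset_product = _norm(entry["product"]), _norm(asset["product"])
            if kev_product not in asset_product and asset_product not in kev_product:
                continue
            hits.append({
                "host": asset["host"],
                "version": asset.get("version"),
                "cve": entry["cveID"],
                "added": entry["dateAdded"],
                # Negative means the federal due date has already passed.
                "days_to_due": (due - today).days if due else None,
            })
    return sorted(hits, key=lambda h: (h["host"], h["cve"]))


if __name__ == "__main__":
    for hit in match_kev(load_kev(SAMPLE_KEV_JSON), INVENTORY, "2026-04-14", "2026-04-16"):
        print(hit)
```

The FortiGate host drops out because the KEV product string is "FortiClient EMS", which is the behaviour you want; the Windows 11 workstation matches the bare "Windows" entry, which is the prompt to go and check the Microsoft advisory for that build.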

The 14 April update is one of the more alarming in recent memory. The six newly added vulnerabilities span three of the most widely deployed enterprise software vendors, Fortinet, Microsoft and Adobe, and at least one of them was being exploited in the wild for days before CISA added it to the list.

For Australian businesses, this is not a distant American problem. Fortinet and Microsoft products are deeply embedded in Australian enterprise infrastructure, from government departments to financial services firms to mid-market managed service providers. If your organisation hasn't already begun patching, the clock is ticking.

The Six Vulnerabilities: A Breakdown

CVE-2026-21643 — Fortinet FortiClient EMS (CVSS 9.8: Critical)

This is the headline flaw of the batch, and it deserves your immediate attention. CVE-2026-21643 is a pre-authentication SQL injection vulnerability in Fortinet FortiClient Endpoint Management Server (EMS) version 7.4.4. With a CVSS score of 9.8, 0.2 below the maximum, it sits firmly in "drop everything and patch" territory.

The flaw was introduced in FortiClient EMS 7.4.4 when a change to the database access layer replaced parameterised queries with raw string interpolation, so request data is spliced into the SQL text and becomes part of the statement itself. The result is a textbook SQL injection that an unauthenticated attacker can reach by sending crafted HTTP requests to the publicly accessible /api/v1/init_consts endpoint. No credentials gate the request and the endpoint is not rate-limited, so an attacker can pull the management database out query by query at speed, including stored credentials, endpoint configurations and internal network topology, without ever holding a valid login.
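The defect class described above, as an added example on a toy SQLite database. This is illustrative code written for this post, not Fortinet's code, and it does not model the real /api/v1/init_consts handler: the table names, the data and the two injection strings are constructed. It shows the same lookup written with string interpolation and with a bound placeholder, and what each returns for a normal site name and for two generic injection strings.

```python
"""Pre-auth SQL injection: the defect class the post describes, beside its fix.

Added illustrative example on an in-memory SQLite database. Not Fortinet's
code; the schema, rows and payloads are constructed and generic.
"""
import sqlite3


def make_db():
    """Constructed data standing in for an endpoint-management store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE endpoints (hostname TEXT, site TEXT)")
    con.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO endpoints VALUES (?, ?)",
                    [("lt-0001", "sydney"), ("lt-0002", "sydney"), ("srv-db01", "melbourne")])
    con.execute("INSERT INTO admins VALUES (?, ?)",
                ("ems-admin", "$argon2id$constructed-placeholder-hash"))
    return con


def lookup_vulnerable(con, site):
    """Untrusted input spliced into SQL text. The request parameter becomes
    part of the statement's grammar, so quotes, UNION and -- are honoured."""
    sql = f"SELECT hostname, site FROM endpoints WHERE site = '{site}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, site):
    """Parameterised query. The driver binds the value after the statement
    is parsed, so it can only ever be compared against the site column."""
    return con.execute(
        "SELECT hostname, site FROM endpoints WHERE site = ?", (site,)
    ).fetchall()


# Generic injection strings of the kind any scanner sends; nothing here is
# specific to a vendor product.
TAUTOLOGY = "sydney' OR '1'='1"
UNION_PULL = "' UNION SELECT username, password_hash FROM admins --"


def demo():
    con = make_db()
    return {
        "vuln_tautology": lookup_vulnerable(con, TAUTOLOGY),  # every endpoint row
        "vuln_union": lookup_vulnerable(con, UNION_PULL),      # admin hash leaks
        "safe_tautology": lookup_safe(con, TAUTOLOGY),         # no such site
        "safe_union": lookup_safe(con, UNION_PULL),            # no such site
        "safe_normal": lookup_safe(con, "sydney"),             # the two Sydney hosts
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```

The interpolated version hands the attacker the whole second table with one request; the bound version returns nothing for either payload because the value never reaches the SQL parser. The fix for an injection of this kind is always the placeholder, never escaping or input filtering.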

Security researchers at Bishop Fox first disclosed the vulnerability in late March 2026, and independent monitoring services observed active exploitation in the wild within four days of public disclosure. By the time CISA formally added it to the KEV catalogue, real-world attacks were already underway. Fortinet has released a fix in FortiClient EMS 7.4.5. Patch immediately: CISA's remediation deadline for US federal agencies was 16 April 2026, two days after the listing.

CVE-2026-35616 — Fortinet FortiClient EMS (Privilege Escalation)

Compounding the FortiClient EMS situation, a second Fortinet flaw was added to the catalogue in the same update. CVE-2026-35616 is an actively exploited privilege escalation vulnerability in FortiClient EMS. Chained with CVE-2026-21643, it gives an attacker a complete path from unauthenticated remote access to full control of the EMS server. Both vulnerabilities are fixed in FortiClient EMS 7.4.5.

CVE-2023-21529 — Microsoft Exchange Server (CVSS 8.8: High)

A deserialization of untrusted data vulnerability in Microsoft Exchange Server that lets an authenticated attacker execute code on the server. "Authenticated" should not be read as "low priority": attackers routinely arrive with a phished or stolen user credential. The CVE dates from 2023, but threat actors keep finding on-premises Exchange deployments that never received the update, a perennial problem given the complexity of Exchange upgrade cycles. Australian organisations still running Exchange on-premises should treat this as a priority patch.

CVE-2023-36424 — Microsoft Windows Common Log File System Driver (CVSS 7.8: High)

An out-of-bounds read vulnerability in the Windows Common Log File System (CLFS) driver that can be exploited for local privilege escalation. CLFS vulnerabilities have become a recurring theme in ransomware attack chains, where threat actors use them to elevate privileges after gaining an initial foothold through phishing or credential theft. This flaw affects a wide range of Windows versions and should be addressed via standard Windows Update.

Adobe Software Vulnerabilities

Two Adobe product vulnerabilities round out the six. CISA had not published full technical detail at the time of writing. Adobe flaws that reach the KEV list are typically arbitrary code execution triggered by a malicious file (a PDF, image or media file) that an end user opens, and they are delivered by spear-phishing: a targeted employee opens a weaponised attachment and unknowingly runs attacker-controlled code.

Why This Matters Especially for Australia

Australia has had a difficult few years on the cybersecurity front. The mandatory ransomware payment reporting regime that came into effect in mid-2025 under the Cyber Security Act 2024, which requires businesses with annual turnover above AU$3 million to report ransomware payments, has already begun surfacing attacks that would previously have gone unreported. The picture that is emerging is not encouraging.

Fortinet products in particular are a significant part of the Australian enterprise attack surface. FortiGate firewalls and FortiClient endpoint agents are deployed across thousands of Australian businesses, government agencies and educational institutions. When CISA flags a CVSS 9.8 Fortinet flaw as actively exploited, Australian organisations are squarely in the crosshairs, especially since Australian infrastructure is increasingly targeted by both state-sponsored groups and financially motivated ransomware operations.

The Qilin ransomware gang, which targeted several Australian companies in 2025, is known to exploit enterprise VPN and endpoint management software as initial access vectors. A pre-authentication SQL injection in a widely deployed endpoint management platform is precisely the type of vulnerability these groups scan for and weaponise at scale.

The Deeper Problem: Enterprise VPN and Endpoint Software as an Attack Surface

The Fortinet vulnerabilities in this batch highlight a structural challenge that security teams have been grappling with for years: enterprise VPN and endpoint management software is one of the highest-value attack surfaces in modern IT. These systems sit at the edge of the corporate network, are usually reachable from the internet so that remote endpoints can check in, and, critically, are trusted implicitly by everything behind them once an attacker controls them.

For individuals and small business owners who don't operate enterprise-grade Fortinet infrastructure, the lesson is still relevant. The principle is the same: your VPN and your remote access tools are not passive conduits — they are active security products that can themselves become vulnerabilities if they're poorly implemented, unpatched, or misconfigured.

Consumer and SMB-grade VPN products from reputable providers like NordVPN and Surfshark undergo regular independent security audits and push automatic updates to their client software — reducing the window of exposure when vulnerabilities are discovered. Unlike on-premises enterprise software, they don't require your IT team to test, schedule, and deploy patches manually. For Australian freelancers, remote workers, and small businesses, this automated update model is a meaningful security advantage.

What to Do Right Now: An Action Checklist

If You Run Fortinet Products

- Confirm the FortiClient EMS version on every server. Only 7.4.4 is named as affected; move it to 7.4.5, which fixes both CVE-2026-21643 and CVE-2026-35616.
- Until the upgrade is done, take the EMS web interface off the public internet or restrict it to the address ranges your endpoints and administrators actually use.
- Search proxy, WAF and EMS access logs from late March 2026 onward for requests to /api/v1/init_consts that you cannot attribute to your own endpoints. Treat an unexplained hit as a possible compromise, not just a scan.
- If you find one, assume the EMS database has been read and rotate every credential it held (see "Protecting Your Credentials" below).

If You Run Microsoft Exchange On-Premises

- Install the Exchange Server security update that fixes CVE-2023-21529 and confirm every server is on a supported cumulative update. The fix has been available since 2023, so a still-vulnerable server has missed far more than this one patch.
- Do not discount the flaw because it needs authentication. A single phished or stolen user credential is the usual starting point for an attack on Exchange.

For All Windows Users

- Apply the current Windows cumulative update through Windows Update or your patch-management tool; it carries the CVE-2023-36424 fix.
- Verify that machines are actually installing updates. An unpatched CLFS driver turns an ordinary phishing foothold into full control of that machine.

For Adobe Product Users

- Update every installed Adobe product through Adobe's updater and leave automatic updates on.
- Remind staff that a document or media file arriving by email is exactly how this class of flaw is delivered; unexpected attachments go to the security team, not to a double-click.
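To check whether an exposed EMS was probed before you patched, here is an added example of log triage written for this post, not vendor code. It assumes a reverse proxy or WAF in front of the EMS that writes Apache/nginx combined-format access logs; the EMS's own log format is not assumed and would need its own parser. The five log lines are constructed and use documentation IP ranges. The script flags requests to /api/v1/init_consts that carry common SQL-injection tells after URL decoding or that produced a server error, and lists sources that hit the endpoint repeatedly, which is the shape of automated extraction even when individual requests look clean.

```python
"""Triage access logs for probing of the endpoint named in the post.

Added illustrative example, not Fortinet code. Assumes combined-format access
logs from a proxy or WAF in front of the EMS (the EMS's own log format is not
assumed). Log lines are constructed, using RFC 5737 documentation addresses.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

TARGET = "/api/v1/init_consts"

# Apache/nginx combined format: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Generic SQL-injection tells, checked after URL decoding; tune for your traffic.
SQLI_RE = re.compile(
    r"(?:'|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bwaitfor\b|\bor\b\s+\S+\s*=)",
    re.IGNORECASE,
)

SAMPLE_LOG = """\
203.0.113.7 - - [14/Apr/2026:02:11:05 +1000] "GET /api/v1/init_consts?x=1 HTTP/1.1" 200 512
203.0.113.7 - - [14/Apr/2026:02:11:06 +1000] "GET /api/v1/init_consts?x=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512
203.0.113.7 - - [14/Apr/2026:02:11:06 +1000] "GET /api/v1/init_consts?x=1%27%20UNION%20SELECT%201,2-- HTTP/1.1" 500 0
198.51.100.20 - - [14/Apr/2026:02:15:44 +1000] "GET /api/v1/init_consts HTTP/1.1" 200 512
198.51.100.20 - - [14/Apr/2026:02:15:45 +1000] "GET /ui/ HTTP/1.1" 200 8812
"""


def triage(log_text, burst_threshold=3):
    """Return suspicious requests to TARGET and sources hammering it.

    suspicious: list of (ip, decoded path, reasons) for requests to TARGET
                that carry injection tells or returned a 5xx.
    burst_ips:  sources with at least `burst_threshold` requests to TARGET.
    """
    suspicious, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        raw_path = m.group("path")
        if raw_path.split("?", 1)[0] != TARGET:
            continue
        per_ip[m.group("ip")] += 1
        decoded = unquote_plus(raw_path)  # %27 -> ', %20 -> space, + -> space
        reasons = []
        if SQLI_RE.search(decoded):
            reasons.append("sql-metacharacters")
        if m.group("status").startswith("5"):
            reasons.append("server-error")
        if reasons:
            suspicious.append((m.group("ip"), decoded, reasons))
    burst_ips = sorted(ip for ip, n in per_ip.items() if n >= burst_threshold)
    return {"suspicious": suspicious, "burst_ips": burst_ips}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, path, reasons in result["suspicious"]:
        print(ip, path, ",".join(reasons))
    print("burst sources:", result["burst_ips"])
```

A clean-looking request from an unknown source is still worth a look: blind extraction can be done with inputs that never trip a metacharacter pattern, which is why the burst count is reported alongside the payload check.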

Protecting Your Credentials After a Potential Breach

One of the most damaging consequences of a successful Fortinet FortiClient EMS exploitation is credential theft. FortiClient EMS stores endpoint agent credentials and can serve as a pivot point into the broader Active Directory environment. If you believe your EMS server may have been compromised, you need to treat all credentials stored or transmitted through that system as potentially stolen.

This is a good moment to revisit your organisation's credential hygiene more broadly. Reusing passwords across systems — even with minor variations — means that a single stolen credential set can unlock multiple systems. A dedicated password manager like NordPass enforces unique, randomly generated passwords for every account and uses zero-knowledge architecture so that even the service provider cannot see your stored credentials. In a post-breach scenario, the ability to quickly identify which credentials were reused across systems — and reset them systematically — is invaluable.
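Finding those reused credentials is mechanical once you have an export. The following is an added example written for this post, not code from the original article or from any password-manager product: it reads the common name,url,username,password CSV export shape (the export below is constructed), folds the trailing-digit and punctuation variations the paragraph mentions, groups entries that share a password stem, and returns everything that must be reset together once a named account is assumed stolen.

```python
"""Find password reuse (exact and near-variant) across systems after a breach.

Added illustrative example, not code from the original post or from any
password manager. The CSV export below is constructed.
"""
import csv
import io
import re
from collections import defaultdict

SAMPLE_EXPORT = """\
name,url,username,password
EMS console,https://ems.corp.example,ems-admin,Winter2025!
VPN portal,https://vpn.corp.example,jsmith,Winter2026!
Payroll SaaS,https://payroll.example.net,jsmith,Winter2025!
Dev Git,https://git.corp.example,jsmith,k8Xq!v2Lp9#mZ
Build agent,https://ci.corp.example,svc-build,20250131
"""


def normalise(password):
    """Fold the 'minor variations' the post warns about: case, plus trailing
    digits and punctuation, so Winter2025! and Winter2026! collapse together.
    A password that is nothing but digits/punctuation keeps its casefolded form."""
    stem = re.sub(r"[\d\W_]+$", "", password.casefold())
    return stem or password.casefold()


def find_reuse(export_csv, compromised_usernames=()):
    """Return (reused, to_reset).

    reused:   stem -> [(entry name, username), ...] for every password that is
              shared, exactly or near-identically, by two or more entries.
    to_reset: every entry in a reuse group that also contains a compromised
              account, sorted for a work list.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        groups[normalise(row["password"])].append((row["name"], row["username"]))
    reused = {stem: members for stem, members in groups.items() if len(members) > 1}
    compromised = set(compromised_usernames)
    to_reset = sorted(
        entry
        for members in reused.values()
        if any(user in compromised for _, user in members)
        for entry in members
    )
    return reused, to_reset


if __name__ == "__main__":
    reused, to_reset = find_reuse(SAMPLE_EXPORT, compromised_usernames=["ems-admin"])
    for stem, members in reused.items():
        print(f"shared stem {stem!r}: {members}")
    print("reset now:", to_reset)
```

Run this against a decrypted export only on a trusted machine and delete the file afterwards; it is a one-off triage, not something to leave lying around.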

Website Security: Don't Overlook Your Web Presence

For Australian businesses that run a public website alongside their internal infrastructure, this week's CISA warnings are also a timely prompt to check your web security posture. The Adobe flaws discussed above are client-side document bugs and do not threaten a web server directly; the web-facing risk is the pivot. Threat actors who get into an internal network through a Fortinet or Exchange vulnerability often move on to the company website, defacing it or planting malware on it as part of an extortion campaign.

A web application firewall (WAF) like Sucuri provides an additional layer of defence for your web presence — blocking malicious traffic, detecting malware injections, and providing DDoS protection — while also giving you visibility into attack attempts that you might otherwise miss entirely.

The Bottom Line

The CISA KEV catalogue exists precisely because the security industry needs a shared, authoritative signal about which vulnerabilities are being actively exploited right now — not theoretical risks, but real-world attacks happening today. When six flaws spanning Fortinet, Microsoft, and Adobe land on that list in a single update, it represents a broad and urgent threat across the enterprise software stack.

For Australian organisations, the message is clear: patch now, audit your exposure, and don't assume that the patches can wait until the next maintenance window. The Fortinet FortiClient EMS vulnerability in particular — a CVSS 9.8 pre-authentication SQL injection — is the kind of flaw that adversaries have almost certainly already built automated scanning tools around. Every unpatched hour is a window of opportunity for attackers.

The good news is that all six vulnerabilities have patches available. This is a solvable problem — but only if you act quickly.

Stay Protected

Check out our recommended security tools to protect your digital life today.