CISA updated its Known Exploited Vulnerabilities catalog with seven new entries. All seven have confirmed active exploitation. Exchange Server, Fortinet FortiOS, legacy Windows components, Adobe Acrobat. Not a narrow batch.
One of them was first patched in 2012.
CVE-2012-1854 is a Microsoft Visual flaw. It’s fourteen years old. CISA doesn’t add things to the KEV catalog speculatively. Inclusion means confirmed active exploitation. Which means, right now in 2026, someone’s environment is running a vulnerability Microsoft fixed during the Obama administration, and attackers found it.
The Exchange Server entry deserves specific attention. CVE-2023-21529 is showing up in ransomware-access workflows. Exchange has been a perennial entry point going back to ProxyLogon and ProxyShell. If you have Exchange exposed to the internet and this one’s unpatched, you’re on a list.
The 2012 flaw isn’t old because Microsoft forgot to fix it. It’s old because somebody’s environment never got the update. A server that “still works fine.” A legacy Windows instance that predates your current patch tooling. Something that got deployed for one project and never decommissioned. Every organization has some version of this problem. Attackers have been patient about it.
Qualys analysis of a billion KEV remediation records found that average time-to-exploit for serious vulnerabilities has dropped to negative seven days, meaning exploitation now precedes the patch by about a week on average. Adversaries are weaponizing new bugs before patches even exist, while decade-old CVEs stay alive because the backlog never got cleared. Both directions at once.
Patch internet-facing systems first. Exchange, Fortinet FortiOS, anything with a public IP. Then legacy Windows that’s off its support lifecycle. Then do your asset inventory, because you can’t patch what isn’t in your records.
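The prioritization above, turned into a triage script. This is an added example, not code from the author or from CISA: it matches a constructed asset export against a constructed excerpt shaped like CISA's KEV JSON feed (the two CVE IDs are the ones named here; hostnames, products and flags are assumed) and orders findings internet-facing first, off-support legacy second, everything else after.

```python
import json

# Constructed excerpt in the shape of the CISA KEV JSON feed; not the real feed.
# Only the CVE IDs are real. Products and the ransomware flag are illustrative.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Windows",
  "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
  "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed inventory export: hostnames, exposure and support status are assumed.
# Anything missing from this list is invisible to triage; that is the inventory gap.
ASSETS = [
    {"host": "mail01", "internet_facing": True, "supported": True, "cves": ["CVE-2023-21529"]},
    {"host": "legacy-win", "internet_facing": False, "supported": False, "cves": ["CVE-2012-1854"]},
    {"host": "wiki", "internet_facing": False, "supported": True, "cves": ["CVE-2012-1854"]},
    {"host": "web", "internet_facing": True, "supported": True, "cves": []},
]


def load_kev(text):
    """Index the KEV feed by CVE ID so lookups are O(1) per finding."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def priority(asset, entry):
    """Lower sorts first: tier 0 internet-facing, tier 1 off-support, tier 2 the rest.
    Within a tier, entries CISA marks as used in ransomware campaigns move up."""
    tier = 0 if asset["internet_facing"] else (1 if not asset["supported"] else 2)
    ransom = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
    return (tier, ransom)


def triage(assets, kev):
    """Return (host, cve) pairs whose CVE is in the KEV catalog, most urgent first.
    Assets with no KEV match are dropped; they are not part of the exploited backlog."""
    findings = []
    for asset in assets:
        for cve in asset["cves"]:
            if cve in kev:
                findings.append((priority(asset, kev[cve]), asset["host"], cve))
    findings.sort()
    return [(host, cve) for _, host, cve in findings]


if __name__ == "__main__":
    for host, cve in triage(ASSETS, load_kev(KEV_JSON)):
        print(f"{host}: {cve}")
```

Swap in the real feed and your own scanner export and the ordering rule stays the same; the "supported" flag is the part you will have to source from your own lifecycle records.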
The 2012 CVE is still being exploited in 2026 because the systems are still out there.