Severity: CRITICAL | Source: CISA KEV Catalog | Published: April 13, 2026
The Threat
On April 13, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation of each flaw in the wild. A KEV listing is not theoretical - inclusion means threat actors are actively weaponizing these bugs against real organizations right now.
Three vulnerabilities stand out for East African organizations:
- CVE-2012-1854 - Microsoft Visual Basic for Applications (VBA) Insecure Library Loading: An old but still-present flaw affecting Microsoft Office products. An attacker can trick a user into opening a malicious document, causing Windows to load a crafted DLL and execute arbitrary code with user-level privileges.
- CVE-2020-9715 - Adobe Acrobat Use-After-Free Vulnerability: Affects Adobe Acrobat and Reader. Exploitation allows remote code execution when a victim opens a malicious PDF - one of the most common document formats in East African government and financial workflows.
- CVE-2023-21528 and additional CVEs: Further flaws in the batch cover widely deployed enterprise software, compounding exposure for organizations running mixed or unpatched environments.
These are not theoretical risks. CISA's KEV listing confirms evidence of active exploitation by threat actors, including state-sponsored groups and ransomware operators.
Impact Assessment for East African Organizations
East Africa's digital landscape makes this alert particularly urgent. Microsoft Office and Adobe Acrobat are the backbone of document workflows across Kenyan government ministries, Ethiopian commercial banks, Somali telecom operators, and Djibouti port authorities. Unpatched versions of these products are widespread, especially in organizations running legacy procurement cycles.
The VBA vulnerability (CVE-2012-1854) is especially dangerous because it can be exploited through a phishing email with a Word or Excel attachment - the single most common initial access vector seen across East African incident reports. A government officer in Addis Ababa or a finance clerk in Nairobi opening a "tender document" or "payment advice" email is all an attacker needs.
The Adobe Acrobat flaw (CVE-2020-9715) targets PDF readers, which are used daily for contracts, regulatory filings, and inter-agency communications. Under the Kenya Data Protection Act (DPA) 2019 and CBK Cybersecurity Guidelines, a breach resulting from a known, unpatched vulnerability exposes financial institutions to significant regulatory liability - not just operational damage.
Organizations in Somalia operating under the Central Bank of Somalia's emerging cybersecurity directives and Ethiopian institutions governed by NBE IT risk frameworks face the same exposure. Ransomware groups actively scan for unpatched systems across the African continent, and response capacity remains limited outside major urban centers.
Immediate Actions - Do These Today
- Audit and patch immediately: Identify all endpoints and servers running unpatched Microsoft Office (VBA-enabled) and Adobe Acrobat/Reader. Cross-reference against the CISA KEV list at cisa.gov/known-exploited-vulnerabilities-catalog. Patching known exploited CVEs is not optional - it is the baseline.
- Disable VBA macros by default: In Microsoft 365 and legacy Office deployments, enforce Group Policy to block VBA macros from running in documents received from external sources. This single control neutralizes CVE-2012-1854 even before patching is complete.
- Force-update Adobe Acrobat and Reader: Push the latest Adobe security updates via your endpoint management platform (SCCM, Intune, or manual deployment). If systems cannot be patched, isolate them from external email and file transfer until they are updated.
- Activate phishing simulations targeting these vectors: Run an immediate tabletop or simulated phishing exercise using malicious PDF and Office document lures. East African staff in finance and procurement are high-value targets for exactly this attack pattern.
- Review your SOC detection rules: Ensure your SIEM has active detection rules for DLL side-loading behavior (CVE-2012-1854) and abnormal Acrobat process spawning (CVE-2020-9715). If you do not have a SOC, this alert is a direct argument for activating managed detection.
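The two detections named in the last item, sketched as an added example (not DRONGO's or CISA's code): it flags an Acrobat or Reader process starting a shell or script host, and an Office process loading a DLL from outside the Windows and Program Files directories. Event field names follow Sysmon; the events, hostnames, child-process list and trusted-directory baseline are assumptions to tune per environment.

```python
# Added example. Events are constructed; field names follow Sysmon
# process-create (ID 1) and image-load (ID 7) records.
from ntpath import basename, dirname

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
ACROBAT = {"acrobat.exe", "acrord32.exe"}
# Children a PDF reader has no routine reason to start (assumed list; tune locally).
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Directories Office is expected to load libraries from (assumed baseline;
# add-ins installed under a user profile need explicit allow-list entries).
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                     "c:\\program files (x86)\\")

def detect(event):
    """Return a finding string for a suspicious event, else None."""
    image = basename(event.get("Image", "")).lower()
    if event.get("EventID") == 1:  # process creation
        parent = basename(event.get("ParentImage", "")).lower()
        if parent in ACROBAT and image in SUSPECT_CHILDREN:
            return f"acrobat-child:{image}"
    elif event.get("EventID") == 7:  # image (DLL) load
        loaded = event.get("ImageLoaded", "").lower()
        if image in OFFICE and not loaded.startswith(TRUSTED_DLL_ROOTS):
            return f"office-untrusted-dll:{dirname(loaded)}"
    return None

ADOBE = r"C:\Program Files\Adobe\Acrobat DC\Acrobat"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [  # constructed sample data; hostnames and paths are hypothetical
    {"EventID": 1, "Computer": "FIN-WS-07", "ParentImage": ADOBE + r"\Acrobat.exe",
     "Image": ADOBE + r"\acrocef_1\AcroCEF.exe"},   # normal helper process
    {"EventID": 1, "Computer": "FIN-WS-07", "ParentImage": ADOBE + r"\Acrobat.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},      # reader starting a shell
    {"EventID": 7, "Computer": "PROC-WS-02", "Image": WORD,
     "ImageLoaded": r"C:\Users\clerk\Downloads\tender\example.dll"},  # DLL beside a document
    {"EventID": 7, "Computer": "PROC-WS-02", "Image": WORD,
     "ImageLoaded": r"C:\Windows\System32\version.dll"},  # system library
]

def run(events=EVENTS):
    """Return (host, finding) pairs for every event that matches a rule."""
    return [(e["Computer"], f) for e in events if (f := detect(e)) is not None]

if __name__ == "__main__":
    for host, finding in run():
        print(host, finding)
```

In a SIEM the same two conditions map onto rules over process-creation and image-load telemetry, with the allow-lists maintained per environment.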
DRONGO Recommendation
DRONGO's Vulnerability Management and SOC services are calibrated for the East African threat landscape. We can perform an emergency patch gap assessment against the CISA KEV Catalog, validate your endpoint controls, and activate 24/7 threat monitoring within 48 hours - so you know your exposure before attackers find it first.