When 14-Year-Old CVEs Come Back: Microsoft VBA, Fortinet SQLi, and What "Technical Debt as Security Debt" Actually Means

Jordan Polasek · Founder, BVTech LLC · April 19, 2026 · 9 min read

CVE-2012-1854 · CVE-2026-21643 · CVE-2023-21529 · CISA KEV · Microsoft Exchange · Fortinet

A strange entry on CISA KEV this week. CVE-2012-1854, a 14-year-old insecure-library-loading vulnerability in Microsoft Visual Basic for Applications, was added on April 13, 2026 alongside five more recent flaws. The vintage exploit is the headline, but the more important addition for Texas SMBs is CVE-2026-21643, a Fortinet FortiClient EMS SQL injection that Microsoft already disclosed is being weaponized by the Storm-1175 threat actor to deliver Medusa ransomware.

Six CVEs total, three of them critical, one of them old enough to vote. Here is the rundown.

1. CVE-2012-1854 — Microsoft VBA Insecure Library Loading (Yes, Really)

CISA KEV added: April 13, 2026 · CVSS: 7.8 (High) · Original disclosure: July 2012

The official Microsoft advisory for this one is from July 2012. Microsoft described it at the time as a small number of "limited, targeted attacks" abusing an insecure library loading flaw in Visual Basic for Applications — the macro engine inside Office documents.

Why is it on CISA KEV in 2026? Because attackers do not always need a zero-day if the old day still works. Plenty of organizations still run versions of Office old enough to be vulnerable, or have archived documents and historic VBA macros that get opened in modern Office and trigger the same legacy code paths. A forensic researcher quoted in The Hacker News coverage put it cleanly: technical debt is security debt that eventually comes due.

For Texas small businesses, the practical implication is twofold:

2. CVE-2026-21643 — Fortinet FortiClient EMS SQL Injection (Medusa Ransomware)

CISA KEV added: April 13, 2026 · CVSS: 9.1 (Critical) · Active ransomware exploitation

A second FortiClient EMS critical in two weeks. This one is a pre-authentication SQL injection — an attacker sends a crafted HTTP request, the EMS console pipes it into a database query, and the attacker gets code execution as the EMS service account.

The bad news: Microsoft disclosed in mid-April that the threat actor it tracks as Storm-1175 has been weaponizing this exact flaw to deliver Medusa ransomware. Defused Cyber detected exploitation attempts as far back as March 24, 2026 — meaning the window between disclosure and weaponization was effectively zero.
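The concatenation-versus-parameter distinction behind a pre-authentication SQL injection like the one described above, shown on an in-memory SQLite table. This is an added illustration, not Fortinet's code and not anything taken from the EMS console; the table, hostnames and lookup queries are constructed for the example, and the point is the hardened form, where the driver binds the value and never parses it as SQL.

```python
"""Vulnerable string-built query beside its parameterized replacement (added example)."""
import sqlite3


def _setup():
    # Constructed sample data; this is not FortiClient EMS's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE endpoints (id INTEGER PRIMARY KEY, hostname TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO endpoints (hostname, owner) VALUES (?, ?)",
        [("ws-01", "alice"), ("ws-02", "bob"), ("srv-01", "carol")],
    )
    return conn


def lookup_vulnerable(conn, hostname):
    # Request input is interpolated straight into the SQL text: the pattern the
    # post describes. Any quote character in the input changes the statement.
    sql = f"SELECT hostname, owner FROM endpoints WHERE hostname = '{hostname}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, hostname):
    # Bound parameter: the value travels to the engine separately from the SQL
    # text, so it can only ever be compared as a string, never executed.
    return conn.execute(
        "SELECT hostname, owner FROM endpoints WHERE hostname = ?", (hostname,)
    ).fetchall()


def compare(hostname):
    """Run the same input through both lookups and return what each produces."""
    conn = _setup()
    return {
        "vulnerable": lookup_vulnerable(conn, hostname),
        "hardened": lookup_hardened(conn, hostname),
    }


if __name__ == "__main__":
    # A benign lookup behaves identically in both paths...
    print(compare("ws-01"))
    # ...while the hardened path treats a quote-bearing value as a plain string
    # and matches nothing, where the concatenated query's WHERE clause is rewritten.
    print(compare("x' OR '1'='1"))
```

The same discipline applies regardless of database: in a code review of any console that takes an HTTP parameter and builds a query, look for f-strings, `+`, `%` or `.format()` touching SQL text; the fix is a placeholder and a bound argument.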

If you read last week's recap, you already know what I am going to say. Patch immediately. Get the management console off the public internet. The detection guidance Microsoft published is worth running on every Fortinet shop in the state of Texas.

3. CVE-2023-21529 — Microsoft Exchange Server Deserialization (Medusa)

CISA KEV added: April 13, 2026 · CVSS: 8.8 (High) · Active ransomware exploitation

A deserialization-of-untrusted-data flaw in Microsoft Exchange Server, originally patched in February 2023. Same Storm-1175 threat actor, same Medusa payload. The pattern is consistent: a flaw gets disclosed, organizations let the patch slide for two years because Exchange Server upgrades are politically painful, then a ransomware crew dusts off the exploit and starts running it against everyone still on the unpatched build.

If you still run on-premises Microsoft Exchange in 2026 — and there is a long tail of Texas medical and legal offices that do — your patch cadence on Exchange CUs is the most important security control in your environment. Period.

4-6. Adobe Acrobat, Microsoft CLFS, and Microsoft Visual Basic

The remaining three additions are CVE-2020-9715 (Adobe Acrobat Reader use-after-free, RCE), CVE-2023-36424 (Windows Common Log File System Driver out-of-bounds read, privilege escalation), and the VBA one above. None of the three have public reports of active exploitation specifically tied to this KEV add, but CISA has the source intelligence and added them anyway — which is a strong signal in itself.

For Texas SMBs, the answer for these three is the same answer for the other three: keep your patch cadence current. Windows Update for Business or Intune on the endpoint, Adobe Reader auto-update on, Office on current channel. None of this is exotic. Discipline beats cleverness.

The Bigger Lesson

Six CVEs. Three of them old enough to have grandchildren. One of them is being weaponized to deliver ransomware this week.

Texas small businesses do not get breached by zero-days. They get breached because something everyone has been ignoring for two years finally gets noticed by a ransomware crew. The cure is not a fancier security stack. The cure is a written patching schedule that gets followed every month and audited every quarter. That is exactly what an MSP like BVTech is supposed to deliver, and it is exactly what most of the businesses I take over from another provider have never had.
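The quarterly audit described above, reduced to a script: take KEV records, an inventory of what is deployed and which CVEs have been remediated, and list what is past or near its deadline, ransomware-linked entries first. This is an added example, not a BVTech tool. The field names follow the public CISA KEV JSON feed; the three sample records reuse the CVE IDs and April 13, 2026 add date from this post, but the dueDate values and the inventory are constructed placeholders, not CISA's actual deadlines or any real environment.

```python
"""Flag KEV entries that are overdue or due soon for products in an inventory (added example)."""
from datetime import date

# Constructed sample records. CVE IDs and dateAdded come from the post; the
# dueDate values are placeholders and not the deadlines CISA published.
SAMPLE_KEV = [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2026-04-13", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-04-13", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft", "product": "Visual Basic for Applications",
     "dateAdded": "2026-04-13", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed inventory: product name -> set of CVE IDs already remediated.
# A real inventory needs product-name normalization against the feed's values.
SAMPLE_INVENTORY = {
    "FortiClient EMS": set(),
    "Exchange Server": {"CVE-2023-21529"},
    "Visual Basic for Applications": set(),
}


def audit(kev, inventory, today_iso):
    """Return open findings sorted so ransomware-linked, soonest-due items come first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev:
        product = entry["product"]
        if product not in inventory:
            continue  # not deployed here
        if entry["cveID"] in inventory[product]:
            continue  # already remediated
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= 7:
            status = "DUE_SOON"
        else:
            status = "OPEN"
        findings.append({
            "cveID": entry["cveID"],
            "product": product,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "days_left": days_left,
            "status": status,
        })
    # False sorts before True, so "not ransomware" puts ransomware-linked items first.
    findings.sort(key=lambda f: (not f["ransomware"], f["days_left"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_KEV, SAMPLE_INVENTORY, "2026-04-30"):
        flag = "RANSOMWARE " if f["ransomware"] else ""
        print(f"{f['status']:8} {flag}{f['cveID']} ({f['product']}) due in {f['days_left']} days")
```

Run it against the real feed by loading CISA's JSON and replacing SAMPLE_KEV with its vulnerabilities list; the inventory is the part only you can supply, which is the point of a written patching schedule.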

Need a Patching Audit?

If you would like a no-cost review of your current patching posture — Windows, Office, Adobe, network appliances, browsers — call BVTech at (210) 538-3669. I will tell you exactly where you stand against the CISA KEV deadlines, free of charge.

— Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed IT services provider. He holds AWS and 1Password certifications, the Certified Polysomnographic Technologist credential (CPSGT #294), and won the SuperOps Solo MSP of the Year Award in 2023. Connect with Jordan on LinkedIn or at jordanpolasek.com.
