The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog with eight new security flaws, based on current evidence of active exploitation. The update, announced on Monday, includes three vulnerabilities affecting Cisco Catalyst SD-WAN Manager.
Details of the Newly Added Vulnerabilities
The vulnerabilities added to the KEV catalog carry varying CVSS scores that reflect their potential impact. Among them is CVE-2023-27351, an improper authentication flaw in PaperCut NG/MF that could enable attackers to bypass authentication. Another, CVE-2024-27199, is a path traversal issue in JetBrains TeamCity that could allow attackers to perform limited administrative actions.
Furthermore, CVE-2025-2749 is a path traversal vulnerability in Kentico Xperience that might let authenticated users upload arbitrary data. Quest KACE Systems Management Appliance is impacted by CVE-2025-32975, a critical authentication flaw that could lead to user impersonation without valid credentials.
Impact on Cisco and Other Platforms
Three of the vulnerabilities affect Cisco Catalyst SD-WAN Manager. CVE-2026-20122 involves misuse of privileged APIs that allows unauthorized file uploads. CVE-2026-20128 involves the storage of passwords in a recoverable format, posing a risk of privilege escalation. CVE-2026-20133 presents a risk of sensitive data exposure to unauthorized parties.
Synacor Zimbra Collaboration Suite is also affected by CVE-2025-48700, a cross-site scripting issue that could result in unauthorized JavaScript execution within user sessions, compromising sensitive information.
Current Exploitation and Federal Response
The vulnerabilities are actively being exploited, prompting CISA to urge Federal Civilian Executive Branch (FCEB) agencies to address the Cisco vulnerabilities by April 23, 2026, and the rest by May 4, 2026. Past exploits have been linked to threat actors such as Lace Tempest, known for deploying ransomware like Cl0p and LockBit.
Security firm Arctic Wolf has observed unknown actors targeting unpatched Quest KACE systems, though their ultimate objectives remain unclear. Cisco has acknowledged the exploitation of CVE-2026-20122 and CVE-2026-20128 but has yet to update advisories concerning CVE-2026-20133.
These developments underscore the importance of timely security updates and vigilance against potential cyber threats. Organizations are encouraged to prioritize patching and monitoring to mitigate these risks effectively.
