CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines

Ravie Lakshmanan | Apr 21, 2026 | Network Security / Threat Intelligence

What’s new

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three affecting Cisco Catalyst SD-WAN Manager. Active exploitation of these vulnerabilities has been confirmed. The vulnerabilities include:

  • CVE-2023-27351 (CVSS 8.2) – Improper authentication in PaperCut NG/MF.
  • CVE-2024-27199 (CVSS 7.3) – Path traversal in JetBrains TeamCity.
  • CVE-2025-2749 (CVSS 7.2) – Path traversal in Kentico Xperience.
  • CVE-2025-32975 (CVSS 10.0) – Improper authentication in Quest KACE SMA.
  • CVE-2025-48700 (CVSS 6.1) – Cross-site scripting in Synacor Zimbra Collaboration Suite.
  • CVE-2026-20122 (CVSS 5.4) – Incorrect use of privileged APIs in Cisco Catalyst SD-WAN Manager.
  • CVE-2026-20128 (CVSS 7.5) – Storing passwords in recoverable format in Cisco Catalyst SD-WAN Manager.
  • CVE-2026-20133 (CVSS 6.5) – Exposure of sensitive information in Cisco Catalyst SD-WAN Manager.

Who’s affected

Organizations using PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager are at risk due to these vulnerabilities.

What to do

  • Federal Civilian Executive Branch (FCEB) agencies should address the Cisco vulnerabilities (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) by April 23, 2026.
  • All other vulnerabilities should be mitigated by May 4, 2026.

Sources