CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog

CISA expanded its Known Exploited Vulnerabilities (KEV) catalog on April 20, 2026, adding eight security flaws spanning enterprise print management, CI/CD platforms, CMS infrastructure, appliance management, email collaboration, and SD-WAN orchestration. All eight carry evidence of active exploitation in the wild. Federal agencies under BOD 22-01 face split deadlines — April 23, 2026 for the Cisco trio, and May 4, 2026 for the remaining five.

CVE-2023-27351 — PaperCut NG/MF | Improper Authentication | CVSS 8.2

An improper authentication flaw in PaperCut NG/MF that allows attackers to bypass authentication via the SecurityRequestFilter class. This is not a new discovery — exploitation has been confirmed in the wild since early 2023. The vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads. The KEV listing signals CISA’s continued monitoring of durable enterprise software threats that persist across patch cycles.

CVE-2024-27199 — JetBrains TeamCity | Relative Path Traversal | CVSS 7.3

A relative path traversal vulnerability in JetBrains TeamCity that enables attackers to execute limited administrative actions without proper authorization. This flaw has been leveraged by attackers since early 2024. CI/CD pipeline infrastructure remains a high-value lateral entry point — compromising TeamCity instances can enable adversaries to manipulate build pipelines and inject malicious artifacts upstream.

CVE-2025-2749 — Kentico Xperience | Path Traversal

A path traversal vulnerability in the Kentico Xperience CMS platform. CISA notes there are no public reports of exploitation for this particular CVE at this time, making it one of the more unusual additions to the catalog — indicating CISA may have received private threat intelligence or observed indicators in monitored federal environments.

CVE-2025-32975 — Quest KACE Systems Management Appliance | Improper Authentication

An improper authentication vulnerability in Quest KACE SMA, a widely deployed endpoint and systems management appliance used in enterprise environments. Arctic Wolf observed malicious activity in customer environments potentially linked to its exploitation as recently as March 2026, though the exact end goals of the campaign remain unknown. KACE appliances with broad device management authority represent a high-value target for lateral movement campaigns.

CVE-2025-48700 — Synacor Zimbra Collaboration Suite (ZCS) | Cross-Site Scripting (Zero-Click)

A zero-click cross-site scripting vulnerability in Zimbra Collaboration Suite. According to the State Special Communications Service of Ukraine, this flaw has been exploited since late September 2025, with CERT-UA tracking the campaign under identifier UAC-0233. Successful compromise allowed attackers to access mailbox contents, including correspondence compiled into TGZ archives, MFA backup codes, application passwords, and the global address book. The zero-click nature of this XSS elevates its risk profile significantly — no user interaction is required to achieve credential and data exfiltration.

CVE-2026-20122 — Cisco Catalyst SD-WAN Manager | Incorrect Use of Privileged APIs

The first of three Cisco Catalyst SD-WAN Manager CVEs in this batch. This vulnerability stems from incorrect use of privileged APIs, enabling an authenticated attacker to escalate privileges or perform unauthorized operations within the SD-WAN management plane. Cisco confirmed active exploitation of this flaw in early March 2026.

CVE-2026-20128 — Cisco Catalyst SD-WAN Manager | Storing Passwords in Recoverable Format

A credential storage flaw in Cisco Catalyst SD-WAN Manager where passwords are stored in a recoverable format — a CWE-257 class weakness that allows attackers who gain initial access to escalate and persist by recovering plaintext or easily reversible credentials. Cisco confirmed active exploitation of this vulnerability alongside CVE-2026-20122 in March 2026.

CVE-2026-20133 — Cisco Catalyst SD-WAN Manager | Sensitive Information Exposure | CVSS 6.5

The most operationally significant of the three Cisco SD-WAN entries. This flaw allows remote, unauthenticated attackers to view sensitive information on affected systems — no login required — making it particularly dangerous for internet-exposed Cisco SD-WAN Manager deployments. Notably, Cisco has yet to revise its own advisory to reflect in-the-wild exploitation, even as CISA has independently confirmed it. The gap between vendor acknowledgment and regulator confirmation is itself a risk governance signal enterprises should not ignore.

Remediation Deadlines (BOD 22-01)

  • April 23, 2026 — CVE-2026-20122, CVE-2026-20128, CVE-2026-20133 (Cisco Catalyst SD-WAN Manager)
  • May 4, 2026 — CVE-2023-27351, CVE-2024-27199, CVE-2025-2749, CVE-2025-32975, CVE-2025-48700

While the binding authority of BOD 22-01 applies only to Federal Civilian Executive Branch (FCEB) agencies, CISA strongly urges all enterprises to treat the KEV catalog as a prioritized remediation reference.
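To act on these deadlines in practice, here is an added example (not from CISA's advisory) that triages a feed in the shape of CISA's public KEV JSON against an organization's asset inventory and ranks open items by days remaining under BOD 22-01. The feed sample and the inventory are constructed for this page; only the KEV fields the triage needs are populated.

```python
"""Rank open CISA KEV items for an organization's assets by BOD 22-01 deadline."""
import json
from datetime import date

# Constructed sample mirroring the field names of CISA's public KEV feed
# (known_exploited_vulnerabilities.json). Values follow this advisory; the
# Cisco trio is due 2026-04-23, the rest 2026-05-04.
SAMPLE_KEV = json.dumps({"catalogVersion": "sample-2026.04.20", "vulnerabilities": [
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-48700", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory keyed by "vendor product"; in practice this comes from
# the CMDB or vulnerability scanner. Zimbra is deliberately absent.
INVENTORY = {
    "Cisco Catalyst SD-WAN Manager": {"internet_exposed": True, "patched": set()},
    "PaperCut NG/MF": {"internet_exposed": False, "patched": set()},
}


def triage(kev_json, inventory, today):
    """Return open KEV items for inventoried products, most urgent first."""
    items = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        product = f"{v['vendorProject']} {v['product']}"
        asset = inventory.get(product)
        if asset is None or v["cveID"] in asset["patched"]:
            continue  # not deployed here, or already remediated
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        items.append({
            "cve": v["cveID"], "product": product, "due": v["dueDate"],
            "days_left": days_left, "overdue": days_left < 0,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "internet_exposed": asset["internet_exposed"],
        })
    # Nearest (or missed) deadline first, then internet-exposed, then ransomware use.
    items.sort(key=lambda i: (i["days_left"], not i["internet_exposed"], not i["ransomware"]))
    return items


if __name__ == "__main__":
    for item in triage(SAMPLE_KEV, INVENTORY, date.today()):
        flag = "OVERDUE" if item["overdue"] else f"{item['days_left']}d left"
        print(f"{item['cve']:16} {item['product']:32} due {item['due']} ({flag})")
```

Swap `SAMPLE_KEV` for the downloaded feed and `INVENTORY` for real asset data; patched CVEs drop out of the list automatically.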

Analyst Take

This batch cuts across the full enterprise attack surface — print management, source code pipelines, CMS platforms, endpoint appliance management, email infrastructure, and SD-WAN orchestration. The inclusion of CVE-2025-2749 without public exploitation reports is an intelligence signal worth watching. The Cisco SD-WAN cluster — three CVEs, a 72-hour remediation window, and a vendor advisory lag on CVE-2026-20133 — represents the most operationally urgent action item in this release. Organizations running Cisco SD-WAN Manager in internet-exposed configurations should treat this as a Priority 1 response, not a routine patch cycle.
