CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The Hacker News, archived Apr 21, 2026
Ravie Lakshmanan | Apr 21, 2026 | Network Security / Threat Intelligence
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.
The list of vulnerabilities is as follows:
CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
CVE-2024-27199 (CVSS score: 7.3) - A relative path traversal vulnerability in JetBrains TeamCity that could allow an attacker to perform limited admin actions.
CVE-2025-2749 (CVSS score: 7.2) - A path traversal vulnerability in Kentico Xperience that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path-relative locations.
CVE-2025-32975 (CVSS score: 10.0) - An improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) that could allow an attacker to impersonate legitimate users without valid credentials.
CVE-2025-48700 (CVSS score: 6.1) - A cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow an attacker to execute arbitrary JavaScript within the user's session, resulting in unauthorized access to sensitive information.
CVE-2026-20122 (CVSS score: 5.4) - An incorrect use of privileged APIs vulnerability in Cisco Catalyst SD-WAN Manager that could allow an attacker to upload and overwrite arbitrary files on the affected system and gain vmanage user privileges.
CVE-2026-20128 (CVSS score: 7.5) - A vulnerability in Cisco Catalyst SD-WAN Manager, stemming from passwords stored in a recoverable format, that could allow an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
CVE-2026-20133 (CVSS score: 6.5) - An exposure of sensitive information to an unauthorized actor vulnerability in Cisco Catalyst SD-WAN Manager that could allow remote attackers to view sensitive information on affected systems.
It's worth noting that CISA added CVE-2024-27198, another flaw impacting on-premises versions of JetBrains TeamCity, to the KEV catalog in March 2024. It's not known at this stage whether both vulnerabilities are being exploited together or whether the activity is the work of the same threat actor.
The exploitation of CVE-2023-27351, on the other hand, was attributed to Lace Tempest in April 2023 in connection with attacks delivering Cl0p and LockBit ransomware families.
As for CVE-2025-32975, Arctic Wolf said it observed unknown threat actors weaponizing the bug to target unpatched SMA systems as late as last month, although the exact end goals of the campaign remain unknown.
Cisco, for its part, also said it became aware of the exploitation of CVE-2026-20122 and CVE-2026-20128 in March 2026. The company has yet to revise its advisory to reflect the in-the-wild abuse of CVE-2026-20133.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been advised to address the three Cisco vulnerabilities by April 23, 2026, and the rest by May 4, 2026.