CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines - The Hacker News

Ravie Lakshmanan, Apr 21, 2026 (Network Security / Threat Intelligence)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.

The list of vulnerabilities is as follows:

- CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
- CVE-2024-27199 (CVSS score: 7.3) - A relative path traversal vulnerability in JetBrains TeamCity that could allow an attacker to perform limited admin actions.
- CVE-2025-2749 (CVSS score: 7.2) - A path traversal vulnerability in Kentico Xperience that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path-relative locations.
- CVE-2025-32975 (CVSS score: 10.0) - An improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) that could allow an attacker to impersonate legitimate users without valid credentials.
- CVE-2025-48700 (CVSS score: 6.1) - A cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow an attacker to execute arbitrary JavaScript within the user's session, resulting in unauthorized access to sensitive information.
- CVE-2026-20122 (CVSS score: 5.4) - An incorrect use of privileged APIs vulnerability in Cisco Catalyst SD-WAN Manager that could allow an attacker to upload and overwrite arbitrary files on the affected system and gain vmanage user privileges.
- CVE-2026-20128 (CVSS score: 7.5) - A storage of passwords in a recoverable format vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
- CVE-2026-20133 (CVSS score: 6.5) - An exposure of sensitive information to an unauthorized actor vulnerability in Cisco Catalyst SD-WAN Manager that could allow remote attackers to view sensitive information on affected systems.

It's worth noting that CISA added CVE-2024-27198, another flaw impacting on-premise versions of JetBrains TeamCity, to the KEV catalog in March 2024. It's not known at this stage whether both vulnerabilities are being exploited together or whether the activity is the work of the same threat actor.

The exploitation of CVE-2023-27351, on the other hand, was attributed to Lace Tempest in April 2023 in connection with attacks delivering the Cl0p and LockBit ransomware families.

As for CVE-2025-32975, Arctic Wolf said it observed unknown threat actors weaponizing the bug to target unpatched SMA systems as recently as late last month, although the exact end goals of the campaign remain unknown.

According to the Computer Emergency Response Team of Ukraine (CERT-UA), a threat actor known as UAC-0233 has exploited two vulnerabilities in ZCS (CVE-2025-48700 and CVE-2025-66376) in attacks aimed at Ukrainian entities since September 2025, allowing it to execute arbitrary code without requiring any user interaction. CVE-2025-66376 was added to the CISA KEV catalog in mid-March 2026.

"Upon successful compromise, the attackers gained access to mailbox contents, including correspondence compiled into a TGZ archive, multi-factor authentication backup codes, application passwords, and the global address book," CERT-UA noted in its H2 2025 report published earlier this month. "This activity is tracked under identifier UAC-0250."

Cisco, for its part, also said it became aware of the exploitation of CVE-2026-20122 and CVE-2026-20128 in March 2026. The company has yet to revise its advisory to reflect the in-the-wild abuse of CVE-2026-20133.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been recommended to address the three Cisco vulnerabilities by April 23, 2026, and the rest by May 4, 2026.
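The KEV catalog is published as a JSON feed whose entries carry a `dueDate` field, which is what the April 23 and May 4 deadlines above are. The following script, an added example that is not code from the article, CISA or The Hacker News, matches KEV entries against a product inventory and ranks them by days remaining to that due date, surfacing overdue items first. The catalog entries are constructed from the CVE IDs, products and deadlines stated in the article (the `dateAdded` value and the inventory are assumptions).

```python
"""Triage new KEV entries against an asset inventory using the catalog's own due dates.
Added example, not code from the article, CISA or The Hacker News. Field names follow
the public KEV JSON feed; the entries are constructed from the CVE IDs, products and
federal deadlines stated in the article, and dateAdded is assumed to be 2026-04-20.
"""
import json
from datetime import date

# Constructed KEV subset with only the fields this script reads.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: lower-cased (vendor, product) pairs actually deployed.
INVENTORY = {("cisco", "catalyst sd-wan manager"), ("jetbrains", "teamcity")}


def parse_kev(raw: str) -> list:
    """Parse a KEV feed document and return its vulnerability entries."""
    return json.loads(raw)["vulnerabilities"]


def triage(entries: list, inventory: set, today_iso: str) -> list:
    """Return inventory-relevant entries, most urgent first: overdue (negative
    days_left) before soon-due, ransomware-linked before others on the same date."""
    today = date.fromisoformat(today_iso)
    rows = []
    for e in entries:
        if (e["vendorProject"].lower(), e["product"].lower()) not in inventory:
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        rows.append({"cve": e["cveID"], "due": e["dueDate"], "days_left": days_left,
                     "ransomware": e["knownRansomwareCampaignUse"] == "Known"})
    return sorted(rows, key=lambda r: (r["days_left"], not r["ransomware"]))


if __name__ == "__main__":
    for r in triage(parse_kev(KEV_JSON), INVENTORY, "2026-04-25"):
        status = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']} days left"
        print(f"{r['cve']}  due {r['due']}  {status}")
```

Against the real feed, replace KEV_JSON with the downloaded catalog document and INVENTORY with the vendor/product pairs from your asset management system; the same ranking then applies to every catalog entry, not just the eight from this article.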