CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog, Requiring Federal Action

CISA Mandates Urgent Patching for Eight Actively Exploited Flaws in Cisco, JetBrains, and More

Severity: CRITICAL
Published: April 20, 2026
Updated: April 21, 2026
Categories: Vulnerability, Patch Management, Threat Intelligence

Related Entities (initial)

Organizations: Cisco, JetBrains, Kentico, PaperCut, Quest, Synacor, U.S. Cybersecurity and Infrastructure Security Agency (CISA)

Products & Tech: Cisco Catalyst SD-WAN Manager, JetBrains TeamCity, Kentico Xperience, PaperCut NG/MF, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite

Full Report (when first published)

Executive Summary

On April 20, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that each is being actively exploited in the wild. This action falls under Binding Operational Directive (BOD) 22-01, which mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these flaws within a specified timeframe to protect federal networks. The vulnerabilities span multiple vendors, including Cisco, PaperCut, JetBrains, Kentico, Quest, and Synacor. The diversity of the affected products—from SD-WAN managers to print management software and collaboration suites—underscores the broad attack surface that threat actors are targeting. CISA strongly urges all organizations, not just federal agencies, to review their exposure to these vulnerabilities and prioritize patching immediately to prevent potential compromise.

Vulnerability Details

The eight vulnerabilities added to the KEV catalog represent a variety of attack vectors and impact types. While some are recent, others are older flaws that have seen a resurgence in exploitation.

  • Cisco Catalyst SD-WAN Manager: Three vulnerabilities were cited: CVE-2026-20122 (Incorrect Use of Privileged APIs), CVE-2026-20128 (Storing Passwords in a Recoverable Format), and CVE-2026-20133 (Exposure of Sensitive Information to an Unauthorized Actor). These flaws could allow attackers to gain elevated privileges, access sensitive data, or compromise the SD-WAN fabric.
  • PaperCut NG/MF: CVE-2023-27351 is an improper authentication vulnerability that can be exploited for remote code execution. Its inclusion highlights that even vulnerabilities from previous years remain a potent threat if left unpatched.
  • JetBrains TeamCity: CVE-2024-27199 is a critical relative path traversal vulnerability that can lead to authentication bypass and full server control. TeamCity servers are high-value targets as they control software build and deployment pipelines.
  • Kentico Xperience: CVE-2025-2749 is a path traversal vulnerability. Such flaws can allow attackers to read or write arbitrary files on the server, potentially leading to code execution.
  • Quest KACE Systems Management Appliance: CVE-2025-32975 is an improper authentication bug, which could allow unauthorized access to the appliance, enabling attackers to manage or compromise connected endpoints.
  • Synacor Zimbra Collaboration Suite (ZCS): CVE-2025-48700 is a cross-site scripting (XSS) vulnerability. If exploited, it could allow an attacker to execute malicious scripts in a victim's browser, leading to session hijacking or data theft.

Impact Assessment

The active exploitation of these vulnerabilities poses a significant and immediate risk to organizations. Successful exploitation can lead to a range of severe consequences, including unauthorized network access, privilege escalation, data exfiltration, and deployment of ransomware. For FCEB agencies, failure to comply with the BOD 22-01 directive to patch these flaws can result in being disconnected from the federal network. For private sector organizations, a breach stemming from these vulnerabilities can cause major financial losses, reputational damage, and operational disruption. The targeting of infrastructure management tools like Cisco SD-WAN Manager, JetBrains TeamCity, and Quest KACE is particularly concerning, as a compromise of these systems can provide attackers with broad access to an organization's most critical assets.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type          Value                             Description
url_pattern   /SETUP/papercut-updates.php       Potential exploitation attempts against PaperCut CVE-2023-27351.
url_pattern   /app/rest/users/id:1/tokens/RPC2  Known exploitation path for JetBrains TeamCity CVE-2024-27199.
process_name  TeamCity_server.exe               Monitor for anomalous child processes spawned by the main TeamCity process.
log_source    SD-WAN Manager Logs               Review logs for unauthorized API calls or configuration changes related to CVE-2026-20122.
file_path     Zimbra/conf/                      Monitor for unexpected modifications to Zimbra configuration files.

Detection & Response

Security teams should immediately take the following steps:

  1. Asset Inventory: Use vulnerability scanners and asset management systems to identify all instances of the affected products within the environment.
  2. Log Analysis: Scrutinize web server, application, and firewall logs for indicators of exploitation attempts targeting the vulnerabilities. Look for unusual requests, path traversal patterns (../), or unauthorized access attempts related to the affected products. This can be aided by D3FEND Network Traffic Analysis (D3-NTA).
  3. Endpoint Detection: Deploy EDR solutions to monitor for post-exploitation activity on servers running the vulnerable software. Look for suspicious process chains, file modifications, or outbound network connections from these systems. Utilize D3FEND Process Analysis (D3-PA) to baseline normal behavior and detect deviations.
  4. Threat Hunting: Proactively hunt for signs of compromise using the cyber observables listed above. Query SIEM data for historical evidence of exploitation attempts.
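The hunting hints above and the Log Analysis step come down to the same job: sweeping web-server logs for the listed URL indicators and for path traversal sequences, including their percent-encoded forms. The script below is an added example, not part of the original article or of any vendor or CISA material. It reuses the two URL patterns from the observables table verbatim; the combined-log parsing regex, the sample log lines and the documentation-range IP addresses in them are constructed assumptions.

```python
import re
from urllib.parse import unquote

# URL indicators copied from the article's hunting hints, keyed to the KEV entry they relate to.
URL_INDICATORS = {
    "/SETUP/papercut-updates.php": "PaperCut NG/MF CVE-2023-27351",
    "/app/rest/users/id:1/tokens/RPC2": "JetBrains TeamCity CVE-2024-27199",
}

# Generic traversal sequences from the Log Analysis step: "../" and the Windows form "..\".
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Assumed combined log format (Apache/nginx style):
# client ident user [timestamp] "METHOD target protocol" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalise(target):
    """Percent-decode the request target twice so that %2e%2e%2f and double-encoded
    %252e%252e%252f variants both collapse to the literal characters the indicators use."""
    return unquote(unquote(target))


def scan_line(line):
    """Return a hit record for a suspicious request line, or None if the line is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalise(m.group("target"))
    record = {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "target": m.group("target"),
        "status": m.group("status"),
    }
    # Case-insensitive substring match: a Windows-hosted PaperCut or TeamCity instance
    # serves paths case-insensitively, so /setup/ and /SETUP/ are the same resource.
    lowered = decoded.lower()
    for indicator, label in URL_INDICATORS.items():
        if indicator.lower() in lowered:
            record["reason"] = label
            return record
    if TRAVERSAL_RE.search(decoded):
        record["reason"] = "path traversal pattern"
        return record
    return None


def scan_log(lines):
    """Scan an iterable of log lines and return every hit, in log order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit is not None]


def summarise(hits):
    """Count hits per source address, the first pivot an analyst usually wants."""
    counts = {}
    for hit in hits:
        counts[hit["src"]] = counts.get(hit["src"], 0) + 1
    return counts


# Constructed sample log lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2026:10:01:02 +0000] "GET /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 512
203.0.113.7 - - [20/Apr/2026:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
198.51.100.9 - - [20/Apr/2026:10:02:11 +0000] "GET /setup/papercut-updates.php HTTP/1.1" 404 210
198.51.100.9 - - [20/Apr/2026:10:03:40 +0000] "GET /files/download?name=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1337
192.0.2.25 - - [20/Apr/2026:10:04:00 +0000] "POST /login HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["ts"]} {hit["src"]} {hit["target"]} -> {hit["reason"]} (HTTP {hit["status"]})')
    print("hits per source:", summarise(found))
```

A request that matches an indicator is reported regardless of its HTTP status: a 404 against the PaperCut path still shows that someone is probing for the product, while a 200 on the TeamCity token path is the case that should be escalated immediately. The double decoding is deliberate, because a single pass leaves `%252e` as `%2e` and the traversal check would miss it.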

Mitigation

Remediation of these vulnerabilities is critical and should be prioritized.

  1. Patch Immediately: The most effective mitigation is to apply the security updates provided by the respective vendors for all identified vulnerabilities. This is a crucial D3FEND Software Update (D3-SU) measure.
  2. Restrict Access: If patching is not immediately possible, restrict network access to the management interfaces of the affected systems. Limit access to a small set of authorized administrative workstations and block all access from the public internet. This aligns with D3FEND Network Isolation (D3-NI).
  3. Web Application Firewall (WAF): Deploy a WAF with rules designed to block path traversal and cross-site scripting attacks. This can provide a virtual patch and protect against exploitation attempts.
  4. Review Accounts and Permissions: For systems that may have been compromised, conduct a full review of all user accounts and permissions, looking for any unauthorized additions or modifications. Implement D3FEND User Account Permissions (D3-UAP) hardening.

Timeline of Events

  1. April 20, 2026: CISA adds eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
  2. April 20, 2026: This article was published.

Article Updates

April 21, 2026

Detailed analysis of CVE-2026-20133, a Cisco SD-WAN Manager information disclosure flaw, including affected versions, exploitation status, and mitigation.

CISA has provided a detailed analysis of CVE-2026-20133, a high-severity (CVSS 6.5) information disclosure vulnerability in Cisco Catalyst SD-WAN Manager. This actively exploited flaw allows unauthenticated remote attackers to read sensitive system information because file system access is insufficiently restricted. Affected versions are those prior to 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. The update includes specific hunting hints, detection methods such as vulnerability scanning and log analysis, and remediation steps emphasizing immediate patching and restricting access to the management interface. This vulnerability is often chained with CVE-2026-20128 and CVE-2026-20122 for full compromise.


Sources & References (when first published)

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: Active Exploitation, BOD 22-01, CISA, KEV, Patching, Vulnerability Management
