[{"data":1,"prerenderedAt":165},["ShallowReactive",2],{"article-slug-cisa-adds-eight-actively-exploited-vulnerabilities-to-kev-catalog":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":51,"sources":69,"events":81,"mitre_techniques":85,"mitre_mitigations":105,"d3fend_countermeasures":123,"iocs":124,"cyber_observables":125,"tags":148,"extract_datetime":154,"article_type":155,"impact_scope":156,"pub_date":73,"reading_time_minutes":164,"createdAt":154,"updatedAt":154},"b44bb6f4-1363-4079-8b25-13b99d42d545","cisa-adds-eight-actively-exploited-vulnerabilities-to-kev-catalog","CISA Mandates Urgent Patching for Eight Actively Exploited Flaws in Cisco, JetBrains, and More","CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog, Requiring Federal Action","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog by adding eight new security flaws affecting a range of enterprise products. The vulnerabilities, found in software from Cisco, PaperCut, JetBrains, Kentico, Quest, and Synacor, are confirmed to be under active exploitation. This action mandates that Federal Civilian Executive Branch (FCEB) agencies apply patches by a specified deadline to mitigate significant risk. The additions include critical issues such as improper authentication, path traversal, and exposure of sensitive information, highlighting a persistent threat to both public and private sector networks. CISA strongly advises all organizations to prioritize the remediation of these vulnerabilities to defend against ongoing cyberattacks.","## Executive Summary\nOn April 20, 2026, the **[U.S. Cybersecurity and Infrastructure Security Agency (CISA)](https://www.cisa.gov)** added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that each is being actively exploited in the wild. This action falls under Binding Operational Directive (BOD) 22-01, which mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these flaws within a specified timeframe to protect federal networks. The vulnerabilities span multiple vendors, including **[Cisco](https://www.cisco.com/)**, **[PaperCut](https://www.papercut.com/)**, **[JetBrains](https://www.jetbrains.com/)**, Kentico, Quest, and Synacor. The diversity of the affected products—from SD-WAN managers to print management software and collaboration suites—underscores the broad attack surface that threat actors are targeting. CISA strongly urges all organizations, not just federal agencies, to review their exposure to these vulnerabilities and prioritize patching immediately to prevent potential compromise.\n\n## Vulnerability Details\nThe eight vulnerabilities added to the KEV catalog represent a variety of attack vectors and impact types. While some are recent, others are older flaws that have seen a resurgence in exploitation.\n\n- **[Cisco](https://www.cisco.com/) Catalyst SD-WAN Manager:** Three vulnerabilities were cited: **CVE-2026-20122** (Incorrect Use of Privileged APIs), **CVE-2026-20128** (Storing Passwords in a Recoverable Format), and **CVE-2026-20133** (Exposure of Sensitive Information to an Unauthorized Actor). These flaws could allow attackers to gain elevated privileges, access sensitive data, or compromise the SD-WAN fabric.\n- **[PaperCut](https://www.papercut.com/) NG/MF:** **CVE-2023-27351** is an improper authentication vulnerability that can be exploited for remote code execution. Its inclusion highlights that even vulnerabilities from previous years remain a potent threat if left unpatched.\n- **[JetBrains](https://www.jetbrains.com/) TeamCity:** **CVE-2024-27199** is a critical relative path traversal vulnerability that can lead to authentication bypass and full server control. TeamCity servers are high-value targets as they control software build and deployment pipelines.\n- **Kentico Xperience:** **CVE-2025-2749** is a path traversal vulnerability. Such flaws can allow attackers to read or write arbitrary files on the server, potentially leading to code execution.\n- **Quest KACE Systems Management Appliance:** **CVE-2025-32975** is an improper authentication bug, which could allow unauthorized access to the appliance, enabling attackers to manage or compromise connected endpoints.\n- **Synacor Zimbra Collaboration Suite (ZCS):** **CVE-2025-48700** is a cross-site scripting (XSS) vulnerability. If exploited, it could allow an attacker to execute malicious scripts in a victim's browser, leading to session hijacking or data theft.\n\n## Impact Assessment\nThe active exploitation of these vulnerabilities poses a significant and immediate risk to organizations. Successful exploitation can lead to a range of severe consequences, including unauthorized network access, privilege escalation, data exfiltration, and deployment of ransomware. For FCEB agencies, failure to comply with the BOD 22-01 directive to patch these flaws can result in being disconnected from the federal network. For private sector organizations, a breach stemming from these vulnerabilities can cause major financial losses, reputational damage, and operational disruption. The targeting of infrastructure management tools like Cisco SD-WAN Manager, JetBrains TeamCity, and Quest KACE is particularly concerning, as a compromise of these systems can provide attackers with broad access to an organization's most critical assets.\n\n## Cyber Observables — Hunting Hints\nThe following patterns may help identify vulnerable or compromised systems:\n\n| Type | Value | Description |\n|---|---|---|\n| url_pattern | `/SETUP/papercut-updates.php` | Potential exploitation attempts against PaperCut CVE-2023-27351. |\n| url_pattern | `/app/rest/users/id:1/tokens/RPC2` | Known exploitation path for JetBrains TeamCity CVE-2024-27199. |\n| process_name | `TeamCity_server.exe` | Monitor for anomalous child processes spawned by the main TeamCity process. |\n| log_source | `SD-WAN Manager Logs` | Review logs for unauthorized API calls or configuration changes related to CVE-2026-20122. |\n| file_path | `Zimbra/conf/` | Monitor for unexpected modifications to Zimbra configuration files. |\n\n## Detection & Response\nSecurity teams should immediately take the following steps:\n1.  **Asset Inventory:** Use vulnerability scanners and asset management systems to identify all instances of the affected products within the environment.\n2.  **Log Analysis:** Scrutinize web server, application, and firewall logs for indicators of exploitation attempts targeting the vulnerabilities. Look for unusual requests, path traversal patterns (`../`), or unauthorized access attempts related to the affected products. This can be aided by **[D3FEND Network Traffic Analysis (D3-NTA)](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis)**.\n3.  **Endpoint Detection:** Deploy EDR solutions to monitor for post-exploitation activity on servers running the vulnerable software. Look for suspicious process chains, file modifications, or outbound network connections from these systems. Utilize **[D3FEND Process Analysis (D3-PA)](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis)** to baseline normal behavior and detect deviations.\n4.  **Threat Hunting:** Proactively hunt for signs of compromise using the cyber observables listed above. Query SIEM data for historical evidence of exploitation attempts.\n\n## Mitigation\nRemediation of these vulnerabilities is critical and should be prioritized.\n1.  **Patch Immediately:** The most effective mitigation is to apply the security updates provided by the respective vendors for all identified vulnerabilities. This is a crucial **[D3FEND Software Update (D3-SU)](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate)** measure.\n2.  **Restrict Access:** If patching is not immediately possible, restrict network access to the management interfaces of the affected systems. Limit access to a small set of authorized administrative workstations and block all access from the public internet. This aligns with **[D3FEND Network Isolation (D3-NI)](https://d3fend.mitre.org/technique/d3f:NetworkIsolation)**.\n3.  **Web Application Firewall (WAF):** Deploy a WAF with rules designed to block path traversal and cross-site scripting attacks. This can provide a virtual patch and protect against exploitation attempts.\n4.  **Review Accounts and Permissions:** For systems that may have been compromised, conduct a full review of all user accounts and permissions, looking for any unauthorized additions or modifications. Implement **[D3FEND User Account Permissions (D3-UAP)](https://d3fend.mitre.org/technique/d3f:UserAccountPermissions)** hardening.","🚨 CISA adds 8 actively exploited vulnerabilities to its KEV catalog! Flaws in Cisco, PaperCut, & JetBrains products require urgent patching. Federal agencies are mandated to remediate, and all orgs are strongly urged to act now. #KEV #CyberSecurity #PatchNow","CISA has added eight new actively exploited vulnerabilities to its KEV catalog, affecting products from Cisco, PaperCut, and JetBrains. Learn about the CVEs and CISA's patching mandate.",[13,14,15],"Vulnerability","Patch Management","Threat Intelligence","critical",[18,22,26,29,32,34,36,38,41,43,45,47,49],{"name":19,"type":20,"url":21},"U.S. Cybersecurity and Infrastructure Security Agency (CISA)","government_agency","https://www.cisa.gov",{"name":23,"type":24,"url":25},"Cisco","vendor","https://www.cisco.com/",{"name":27,"type":24,"url":28},"PaperCut","https://www.papercut.com/",{"name":30,"type":24,"url":31},"JetBrains","https://www.jetbrains.com/",{"name":33,"type":24},"Kentico",{"name":35,"type":24},"Quest",{"name":37,"type":24},"Synacor",{"name":39,"type":40},"Cisco Catalyst SD-WAN Manager","product",{"name":42,"type":40},"PaperCut NG/MF",{"name":44,"type":40},"JetBrains TeamCity",{"name":46,"type":40},"Kentico Xperience",{"name":48,"type":40},"Quest KACE Systems Management Appliance",{"name":50,"type":40},"Synacor Zimbra Collaboration Suite",[52,55,57,59,61,63,65,67],{"id":53,"kev":54},"CVE-2026-20122",true,{"id":56,"kev":54},"CVE-2026-20128",{"id":58,"kev":54},"CVE-2026-20133",{"id":60,"kev":54},"CVE-2023-27351",{"id":62,"kev":54},"CVE-2024-27199",{"id":64,"kev":54},"CVE-2025-2749",{"id":66,"kev":54},"CVE-2025-32975",{"id":68,"kev":54},"CVE-2025-48700",[70,76],{"url":71,"title":72,"date":73,"friendly_name":74,"website":75},"https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog","CISA Adds Eight Known Exploited Vulnerabilities to Catalog","2026-04-20","CISA","cisa.gov",{"url":77,"title":78,"date":73,"friendly_name":79,"website":80},"https://www.securityweek.com/cisa-adds-8-new-vulnerabilities-to-kev-catalog/","CISA Warns of Active Exploitation, Adds Eight Flaws to KEV Catalog","SecurityWeek","securityweek.com",[82],{"datetime":83,"summary":84},"2026-04-20T00:00:00Z","CISA adds eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.",[86,90,94,98,102],{"id":87,"name":88,"tactic":89},"T1190","Exploit Public-Facing Application","Initial Access",{"id":91,"name":92,"tactic":93},"T1068","Exploitation for Privilege Escalation","Privilege Escalation",{"id":95,"name":96,"tactic":97},"T1078","Valid Accounts","Defense Evasion",{"id":99,"name":100,"tactic":101},"T1212","Exploitation for Credential Access","Credential Access",{"id":103,"name":104,"tactic":89},"T1133","External Remote Services",[106,111,115,119],{"id":107,"name":108,"description":109,"domain":110},"M1051","Update Software","Applying vendor-supplied patches is the most direct way to remediate these vulnerabilities.","enterprise",{"id":112,"name":113,"description":114,"domain":110},"M1035","Limit Access to Resource Over Network","Restrict access to the management interfaces of affected applications to only trusted IP addresses and internal networks.",{"id":116,"name":117,"description":118,"domain":110},"M1047","Audit","Implement robust logging and monitoring for affected applications to detect and alert on potential exploitation attempts.",{"id":120,"name":121,"description":122,"domain":110},"M1021","Restrict Web-Based Content","Use a Web Application Firewall (WAF) to filter malicious requests like path traversal and XSS before they reach the application.",[],[],[126,132,136,142],{"type":127,"value":128,"description":129,"context":130,"confidence":131},"url_pattern","/SETUP/papercut-updates.php","Known exploitation path for PaperCut NG/MF Improper Authentication (CVE-2023-27351).","Web server access logs, WAF logs.","high",{"type":127,"value":133,"description":134,"context":135,"confidence":131},"/app/rest/users/id:1/tokens/RPC2","Exploitation attempt against JetBrains TeamCity Authentication Bypass (CVE-2024-27199) to create admin tokens.","Web server access logs.",{"type":137,"value":138,"description":139,"context":140,"confidence":141},"log_source","Cisco SD-WAN vManage Logs","Monitor for unauthorized API calls or configuration changes related to CVE-2026-20122.","SIEM, Log Management Platform.","medium",{"type":143,"value":144,"description":145,"context":146,"confidence":147},"command_line_pattern","whoami /priv","Post-exploitation command often run after privilege escalation on Windows systems, which could follow exploitation of Quest KACE.","EDR logs, Windows Event ID 4688.","low",[149,74,150,151,152,153],"KEV","Vulnerability Management","Patching","Active Exploitation","BOD 22-01","2026-04-20T15:00:00.000Z","Advisory",{"geographic_scope":157,"industries_affected":158,"other_affected":162},"global",[159,160,161],"Government","Technology","Education",[163],"Users of Cisco, PaperCut, JetBrains, Kentico, Quest, and Synacor products",5,1776724679546]