CISA KEV Update: Eight New Actively Exploited Flaws in Enterprise Tools

CISA’s latest move is a reminder that the Known Exploited Vulnerabilities (KEV) Catalog remains one of the most operationally important signals in federal cybersecurity. On April 20, 2026, the agency added eight more CVEs tied to active exploitation, spanning print management, endpoint management, collaboration software, and Cisco SD-WAN infrastructure. That mix matters: it shows attackers are still happy to exploit older, well-understood enterprise platforms when those systems remain exposed, unpatched, or poorly segmented. The practical message is blunt: if a vulnerability lands in KEV, it is no longer theoretical risk; it is a live problem. CISA’s catalog framework, created under BOD 22-01, is designed to push agencies and critical organizations toward action, not discussion.

Overview

The KEV Catalog was built to solve a familiar security problem: organizations often know a vulnerability exists, but they do not know which ones matter first. BOD 22-01 made the answer simpler by defining a living list of vulnerabilities that CISA has determined are being actively exploited and therefore pose significant risk to the federal enterprise. That approach shifts remediation away from abstract severity scoring and toward observed attacker behavior, which is often a far better predictor of imminent harm.
The April 20 update fits a pattern that has become increasingly common. CISA tends to add vulnerabilities in clusters, and those clusters often reflect broad attacker interest in a specific attack surface: email, identity, remote management, or internet-facing admin tools. In this case, the list includes PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra, and multiple Cisco Catalyst SD-WAN Manager issues. Each of those platforms can sit in a privileged position inside an organization, which is precisely why they are attractive to attackers.
A notable aspect of this catalog entry is the age spread. One item carries a 2023 identifier (CVE-2023-27351), while the others carry 2024, 2025, and even 2026 identifiers. That variety underscores a hard truth: exploitation often outlives the initial disclosure cycle by months or years. In practice, attackers keep returning to vulnerabilities that continue to succeed against organizations that have not fully remediated, virtualized away, or isolated the affected products.
The KEV Catalog’s power comes from its simplicity, but that same simplicity creates pressure. Once a vulnerability is added, defenders are expected to act quickly, often before they have perfect internal visibility. For federal civilian agencies, the directive is formal. For everyone else, the implication is operational: treat KEV entries as emergency backlog items, not routine patch queue additions.

The Eight Vulnerabilities at a Glance

The headline is not just that CISA added eight vulnerabilities. It is that the catalog update touches a diverse set of enterprise control points. PaperCut NG/MF is common in print infrastructures that few organizations think about until something breaks. TeamCity sits in software delivery pipelines where compromise can become a supply-chain problem. Zimbra supports email and collaboration, making it a high-value communications target. And Cisco Catalyst SD-WAN Manager is the kind of network-management layer that, if compromised, can give attackers broad operational leverage.
These are not consumer bugs. They are enterprise footholds, and in many cases they are privileged footholds. That is why KEV additions often cause a disproportionate amount of urgency compared with their raw CVSS scores. A moderately scored issue on a device that can expose passwords, policy data, or administrative controls can be more dangerous than a higher-scoring flaw in a low-value application.

What Was Added

The eight CVEs named in the alert are:
  • CVE-2023-27351 — PaperCut NG/MF improper authentication vulnerability.
  • CVE-2024-27199 — JetBrains TeamCity relative path traversal vulnerability.
  • CVE-2025-2749 — Kentico Xperience path traversal vulnerability.
  • CVE-2025-32975 — Quest KACE Systems Management Appliance improper authentication vulnerability.
  • CVE-2025-48700 — Synacor Zimbra Collaboration Suite cross-site scripting vulnerability.
  • CVE-2026-20122 — Cisco Catalyst SD-WAN Manager incorrect use of privileged APIs vulnerability.
  • CVE-2026-20128 — Cisco Catalyst SD-WAN Manager storing passwords in a recoverable format vulnerability.
  • CVE-2026-20133 — Cisco Catalyst SD-WAN Manager exposure of sensitive information to an unauthorized actor vulnerability.
The key pattern is clear: most of these issues are either authentication failures, traversal flaws, or information disclosure problems. Those categories routinely show up in real-world intrusion chains because they are straightforward to weaponize and often affect systems that sit close to the crown jewels. CISA’s repeated emphasis on active exploitation makes the practical priority even sharper.

Why CISA Keeps Returning to Enterprise Management Tools

A recurring theme in KEV updates is that attackers love management software. Tools like TeamCity, KACE SMA, and Catalyst SD-WAN Manager are designed to centralize control, which means a single successful compromise can have outsized impact. That concentration of privilege is efficient for defenders, but it is even more efficient for attackers.
The reason is simple: administrative platforms often have broad network visibility, high trust, and access to secrets. When a flaw allows traversal, unauthenticated access, or recoverable credential storage, the attacker may not need to chain multiple vulnerabilities. One working exploit can be enough to enumerate systems, dump configuration, or pivot deeper into the environment. That is exactly the sort of shortcut adversaries prefer.

The Management-Plane Problem

Management-plane compromise is more dangerous than ordinary application compromise because it changes the defender’s assumptions. Once an attacker enters an admin console or orchestration system, they can often act as a legitimate operator. That can mean deploying malicious packages, changing access policies, harvesting credentials, or silently altering configuration for persistence.
  • Management software is usually trusted by many internal systems.
  • Authentication controls are often designed for convenience as much as security.
  • Administrative interfaces are frequently exposed to wide internal networks.
  • Logging may exist, but alerting often lags behind attacker speed.
CISA’s catalog choices are a reminder that the most boring software in the rack can be the most dangerous to leave unpatched. The systems that automate work can also automate compromise.

PaperCut, TeamCity, and the Long Tail of Exploitation

The inclusion of PaperCut NG/MF and JetBrains TeamCity is especially important because these are not obscure niche products. PaperCut is widely deployed in print environments, and TeamCity is deeply embedded in build and release pipelines. When these platforms are exploited, the damage can extend far beyond the application itself.
PaperCut has been a repeated target in past years, and that history matters because defenders often assume that a product already exposed once is now “handled.” In reality, attackers return to products that continue to have broad deployment and slow patch cycles. TeamCity is similarly attractive because compromise can potentially expose build artifacts, source code, credentials, and pipeline logic. In modern software environments, that is not just an IT issue; it is a development integrity issue.

Supply Chain and Credential Risk

A compromised CI/CD platform is a force multiplier. Build systems often hold signing material, deployment tokens, registry credentials, and access paths to staging and production. If an attacker can traverse paths or abuse authentication controls, the impact may include code tampering or secret extraction, not just local system access.
  • Build servers are high-trust targets.
  • Admin credentials in CI/CD systems can open downstream environments.
  • Exploitation may be silent until code quality or release integrity is affected.
  • The blast radius can include customer-facing applications.
The broader lesson is that software factories are now part of core infrastructure. That means KEV entries affecting them deserve the same urgency as internet-facing perimeter systems.

Zimbra, Kentico, and Web Application Exposure

Synacor Zimbra Collaboration Suite and Kentico Xperience represent a different but equally familiar risk class: web-facing collaboration and content systems. These platforms are often attractive because they are exposed to users, admins, and outside traffic at the same time. That blend of accessibility and privilege makes them vulnerable to abuse when authentication, path handling, or content controls are weak.
The Zimbra entry in particular reinforces a long-running problem with collaboration suites: they are both communication hubs and identity-adjacent systems. If an attacker can leverage cross-site scripting or related flaws, the result may be session theft, malicious actions in an authenticated browser context, or lateral movement into other connected services. Even “only” XSS can be serious when it lands in a trusted enterprise app.

Why Path Traversal Still Matters

Path traversal sounds old-fashioned, but it remains a common and dangerous bug class. When a web application fails to properly constrain file paths, an attacker may retrieve sensitive files, influence application behavior, or bypass controls intended to keep them inside a safe directory. In a CMS or collaboration stack, that can mean configuration exposure, credential leakage, or the first step toward deeper compromise.
  • Traversal bugs often expose configuration secrets.
  • CMS platforms can become stepping stones into broader web infrastructure.
  • User-facing apps are often difficult to fully isolate from business workflows.
  • Attackers often combine traversal with weak authentication or session theft.
The significance here is not the label of the flaw, but the environment in which it appears. A path traversal issue in a public-facing content platform can quickly become a data exposure event.
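The containment failure described above, as an added illustration that is not from the original article: the join-and-trust pattern beside a hardened resolver that checks where a request actually lands, exercised on a constructed temporary directory tree (directory and file names are made up).

```python
import os
import tempfile

def unsafe_resolve(base_dir, requested):
    """The pattern behind most traversal bugs: trust the client-supplied path after joining it.
    Nothing stops '..' segments, and os.path.join discards base_dir when `requested` is absolute."""
    return os.path.join(base_dir, requested)

def safe_resolve(base_dir, requested):
    """Resolve `requested` under `base_dir` and refuse anything that ends up outside it."""
    root = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        raise PermissionError("absolute paths are not accepted")
    target = os.path.realpath(os.path.join(root, requested))
    # realpath collapses '..' and follows symlinks, so the check is made on where
    # the path really lands, not on what the request string looks like.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{requested!r} resolves outside the content root")
    return target

def demo():
    """Build a constructed content tree in a temp dir and report how each resolver
    handles one legitimate request and three escapes. Returns {label: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "webroot")
        os.makedirs(os.path.join(root, "docs"))
        open(os.path.join(root, "docs", "guide.txt"), "w").close()
        secret = os.path.join(tmp, "app.config")        # one level above the content root
        open(secret, "w").close()
        os.symlink(secret, os.path.join(root, "link"))  # a link inside the root pointing out of it
        requests = {"legit": "docs/guide.txt", "dotdot": "../app.config",
                    "absolute": secret, "symlink": "link"}
        real_root = os.path.realpath(root)
        for label, req in requests.items():
            landed = os.path.realpath(unsafe_resolve(root, req))
            escapes = os.path.commonpath([real_root, landed]) != real_root
            try:
                safe_resolve(root, req)
                verdict = "allowed"
            except PermissionError:
                verdict = "rejected"
            results[label] = {"unsafe_escapes_root": escapes, "safe": verdict}
    return results
```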

Cisco Catalyst SD-WAN Manager: Why the 2026 Issues Matter

The three Cisco Catalyst SD-WAN Manager vulnerabilities stand out because they affect the control plane of modern network operations. Incorrect use of privileged APIs, recoverable password storage, and exposure of sensitive information all point to the same core concern: if the management layer is compromised, network trust can unravel quickly. Cisco network management systems are especially sensitive because they often connect to distributed infrastructure across branches, campuses, and remote sites.
These issues are also notable because they reflect the kinds of flaws defenders hate most: ones that expose secrets or permit access to information needed for further compromise. A password stored in a recoverable format is not just a confidentiality issue; it can become an authentication bypass, a pivot point, or a privilege escalation path. An API misuse problem in a privileged management system can open the door to administrative actions that were never supposed to be externally reachable.

Operational Impact for Network Teams

For network operators, the practical risk is not abstract. A compromised SD-WAN manager can undermine segmentation, route trust, policy enforcement, and centralized visibility. If an attacker gets in, they may be able to alter settings, harvest credentials, or quietly map network topology.
  • SD-WAN managers sit near the center of enterprise connectivity.
  • Stored secrets in recoverable form can become durable attacker assets.
  • Sensitive-information exposure can support follow-on exploitation.
  • Privileged API mistakes often lead to broader administrative abuse.
In other words, these are not just bugs in a dashboard. They are bugs in the machinery that governs how the network itself behaves.

How KEV Drives Federal and Enterprise Prioritization

The most important thing about KEV is not the list itself; it is the change in decision-making it forces. Security teams often have dozens or hundreds of high-severity vulnerabilities to consider, and many of them will never be exploited in their environment. KEV cuts through that uncertainty by highlighting issues with demonstrated abuse in the wild. That makes it a strong prioritization layer on top of ordinary scanning and scoring.
For federal civilian executive branch agencies, the mandate is direct: remediate KEV items by the due date under BOD 22-01. For private-sector organizations, the directive is advisory rather than compulsory, but the operational logic is identical. If an actively exploited issue is in your environment, it should jump ahead of almost everything else unless there is a compelling business reason not to.

Practical Prioritization Model

A useful workflow is to treat KEV as a fast triage filter and then layer in asset criticality. That means the same vulnerability can be urgent on one host and lower priority on another, depending on exposure and function. The goal is not to patch everything immediately; it is to patch the things attackers are most likely to use today.
  • Identify whether the affected product exists in the environment.
  • Determine whether it is internet-facing, externally reachable, or heavily trusted internally.
  • Check whether compensating controls exist, such as segmentation or access restrictions.
  • Validate the vendor’s fixed versions and any required configuration changes.
  • Patch, isolate, or disable vulnerable services as quickly as possible.
  • Verify remediation with scanning, logs, and configuration review.
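The triage model above, as an added example that is not part of the original article: a Python script that matches a constructed subset of KEV feed records (the feed's cveID, vendorProject and product fields, with the vendor and product strings approximated) against a constructed asset inventory and orders the hits by exposure. The token-matching heuristic and the scoring weights are assumptions, not anything CISA or the feed defines.

```python
import re

# Constructed subset of KEV feed records. The real feed's "vulnerabilities" list
# carries these fields plus dateAdded, dueDate and requiredAction (omitted here).
# CVE ids are from the alert; vendorProject/product strings approximate the feed's.
KEV_ENTRIES = [
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF"},
    {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity"},
    {"cveID": "CVE-2025-2749", "vendorProject": "Kentico", "product": "Xperience"},
    {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE Systems Management Appliance"},
    {"cveID": "CVE-2025-48700", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager"},
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager"},
]

# Constructed inventory: the software string as a CMDB might record it, plus the
# exposure questions the triage model asks about each asset.
ASSETS = [
    {"host": "print01", "software": "PaperCut MF 22.1", "internet_facing": False, "high_trust": False, "segmented": True},
    {"host": "build01", "software": "JetBrains TeamCity 2023.11", "internet_facing": False, "high_trust": True, "segmented": False},
    {"host": "sdwan-mgr", "software": "Cisco Catalyst SD-WAN Manager 20.12", "internet_facing": True, "high_trust": True, "segmented": False},
    {"host": "edge-rtr", "software": "Cisco IOS XE 17.9", "internet_facing": True, "high_trust": False, "segmented": False},
    {"host": "mail01", "software": "Synacor Zimbra Collaboration Suite 10", "internet_facing": True, "high_trust": False, "segmented": False},
]

def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def matches(entry, asset):
    """Heuristic inventory match (an assumption, not feed logic): every vendor token and
    at least one product token must appear in the asset's software string."""
    software = _tokens(asset["software"])
    return _tokens(entry["vendorProject"]) <= software and bool(_tokens(entry["product"]) & software)

def priority(asset):
    """KEV presence is the filter; exposure decides the order. Weights are assumptions."""
    score = 100
    if asset["internet_facing"]:
        score += 50
    if asset["high_trust"]:   # management, CI/CD, identity: the control points the article singles out
        score += 30
    if asset["segmented"]:    # a compensating control lowers urgency but never removes it
        score -= 20
    return score

def triage(kev_entries=KEV_ENTRIES, assets=ASSETS):
    """Return (host, score, [cveIDs]) for each asset matching a KEV entry, most urgent first."""
    rows = []
    for asset in assets:
        cves = sorted(e["cveID"] for e in kev_entries if matches(e, asset))
        if cves:
            rows.append((asset["host"], priority(asset), cves))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for host, score, cves in triage():
        print(f"{score:4d}  {host:10s}  {', '.join(cves)}")
```

Note that edge-rtr shares the vendor but not the product and therefore never appears, while the segmented print server still appears, just last.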
That process sounds basic, but basic discipline is what stops basic exploitation. Many breaches persist because organizations fail at the inventory step, not the patch step.

What This Means for Security Teams

Security teams should read this update as another example of why exploit intelligence matters more than theoretical risk. A vulnerability can be old, obscure, or low-scoring and still be devastating if criminals are actively using it. CISA’s KEV catalog is essentially a public scoreboard for that reality.
For defenders, this update should trigger more than patch tickets. It should also prompt asset discovery, exposure review, and confirmation that the affected systems are not silently sitting behind old exceptions. The presence of PaperCut, TeamCity, KACE, Zimbra, and Cisco SD-WAN in one catalog update suggests a broad need to inspect the “supporting cast” of enterprise infrastructure, not just the public web stack.

Enterprise vs. Consumer Impact

The consumer angle here is limited, because these are overwhelmingly business and government products. But the downstream effect can still reach employees and customers if any of these systems are used to process email, print jobs, software builds, or network access. That means the impact can ripple outward from a small admin niche into broader business continuity.
  • Enterprise exposure is the primary concern.
  • Consumer impact is usually indirect, through service disruption or data leakage.
  • Remote workers may be affected if management systems are used in hybrid environments.
  • Partners and contractors can inherit risk when shared systems are compromised.
The biggest mistake organizations make is assuming that only perimeter-facing systems matter. In reality, the internal systems that run identity, builds, and network management are often more valuable.

Strengths and Opportunities

The most encouraging aspect of KEV is that it gives defenders a concrete and defensible action list. It helps security teams explain urgency to leadership without relying on abstract threat modeling, and it aligns remediation with known attacker behavior. It also creates a shared language between operations, security, and audit teams, which is not always easy to achieve.
  • Actionable prioritization based on observed exploitation.
  • Clear support for federal remediation deadlines.
  • Better alignment between vulnerability management and real-world risk.
  • Stronger executive buy-in for emergency patching.
  • Improved focus on internet-facing and high-trust systems.
  • Useful benchmark for third-party and supply-chain risk reviews.
  • Encourages faster asset inventory and exposure discovery.

Risks and Concerns

The KEV model is powerful, but it is not a silver bullet. Organizations can become overly dependent on catalog status and miss high-risk vulnerabilities that have not yet been publicly confirmed as exploited. There is also the operational risk that patching pressure could lead to rushed changes, outages, or incomplete validation if teams treat every KEV entry as a same-day fire drill.
  • Unknown exposure remains a major problem.
  • Patch fatigue can lead to poor prioritization elsewhere.
  • Emergency remediation can create configuration drift.
  • Older systems may not have easy update paths.
  • Visibility gaps can hide affected instances across subsidiaries.
  • Overreliance on KEV may obscure emerging zero-day risk.
  • Some products may require compensating controls, not just patches.
There is also a strategic concern: attackers know defenders watch KEV closely, so they may increasingly shift to adjacent flaws or chain multiple weaknesses in the same product family. That makes inventory and segmentation just as important as patching. If defenders only chase the catalog, they may still miss the larger attack path.

Looking Ahead

CISA will likely continue to update KEV aggressively because that is the point of the program: to convert external exploitation signals into operational urgency. The more organizations integrate KEV into patch management, the less likely a known exploited flaw will linger in production. But the catalog’s usefulness will depend on whether enterprises can move faster on discovery, ownership, and remediation than they have historically managed to do.
The next wave of defensive maturity will probably come from automation, better asset mapping, and tighter integration between vulnerability management and configuration control. Organizations that can rapidly identify where a KEV-listed product exists, whether it is exposed, and who owns it will respond much better than those that still rely on manual spreadsheets. The technical challenge is solvable; the governance challenge is harder.
  • Verify whether any PaperCut, TeamCity, Kentico, KACE, Zimbra, or Cisco SD-WAN instances remain active.
  • Prioritize internet-facing and high-trust management systems first.
  • Confirm fixed versions and vendor-specific remediation steps.
  • Review logs for suspicious access, traversal attempts, or authentication anomalies.
  • Check for credential exposure in management platforms and configuration backups.
The broader takeaway from this KEV update is that exploitation remains stubbornly practical. Attackers do not need exotic zero-days when widely deployed enterprise software still leaves enough room for known flaws to succeed. CISA’s catalog is a useful warning system, but its real value depends on whether organizations treat it as a standing operational requirement rather than just another alert in a crowded inbox.

Source: CISA, “CISA Adds Eight Known Exploited Vulnerabilities to Catalog”