The U.S. Cybersecurity and Infrastructure Security Agency has expanded its Known Exploited Vulnerabilities catalog by adding eight newly identified security flaws, highlighting ongoing risks across widely used enterprise technologies. The update includes three vulnerabilities affecting Cisco Catalyst SD-WAN Manager, with evidence confirming active exploitation in real-world environments. The agency has issued strict remediation timelines for Federal Civilian Executive Branch agencies, directing them to address Cisco-related vulnerabilities by April 23, 2026, and the remaining flaws by May 4, 2026.
The newly added vulnerabilities span multiple vendors and software platforms, reflecting a broad attack surface being targeted by threat actors. Among them is CVE-2023-27351, an authentication bypass flaw in PaperCut NG and MF that allows attackers to circumvent login protections through the SecurityRequestFilter class. Another issue, CVE-2024-27199, affects JetBrains TeamCity and enables limited administrative actions through a relative path traversal weakness. Similarly, CVE-2025-2749 in Kentico Xperience allows authenticated users to upload arbitrary data to unintended locations by exploiting a path traversal vulnerability in the staging synchronization server. A more severe flaw, CVE-2025-32975, impacts Quest KACE Systems Management Appliance and carries a maximum severity score, enabling attackers to impersonate legitimate users without valid credentials.
Additional vulnerabilities include CVE-2025-48700 in Synacor Zimbra Collaboration Suite, which involves a cross-site scripting issue that can be used to execute malicious JavaScript within a user session and potentially access sensitive information. The three Cisco Catalyst SD-WAN Manager flaws also introduce notable risks. CVE-2026-20122 allows attackers to overwrite arbitrary files and gain elevated privileges due to improper use of privileged APIs. CVE-2026-20128 exposes credentials stored in a recoverable format, enabling low-privileged users to escalate access. CVE-2026-20133 involves unauthorized exposure of sensitive information, potentially allowing remote attackers to view confidential system data.
Security researchers and organizations have linked some of these vulnerabilities to active threat campaigns. The exploitation of the PaperCut flaw was previously attributed to Lace Tempest, which used it to deploy Cl0p and LockBit ransomware variants. Meanwhile, Arctic Wolf reported that threat actors have been targeting unpatched Quest KACE SMA systems using CVE-2025-32975 as recently as March 2026, although the precise objectives behind these attacks remain unclear. Cisco has also acknowledged exploitation of two of its vulnerabilities earlier this year, though it has not yet updated its advisory regarding the third issue.
The inclusion of these vulnerabilities in the KEV catalog signals an urgent need for organizations to prioritize patching and mitigation efforts. The catalog serves as a critical resource for identifying vulnerabilities that are actively exploited, helping organizations focus on high-risk exposures. With federal agencies now working under defined deadlines, the broader cybersecurity community is expected to follow closely, particularly given the diversity of affected systems and the continued trend of attackers leveraging known weaknesses to gain initial access and escalate privileges within enterprise environments.
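As an added example (not part of the original article or any CISA tooling), the sketch below shows how a defender might turn these eight entries and their deadlines into a per-host remediation queue. The records use field names from CISA's KEV JSON feed but are constructed from the article's details; the inventory, hostnames and the `triage` function are hypothetical.

```python
from datetime import date

# Constructed records using field names from CISA's KEV JSON feed. CVE IDs,
# product names and due dates follow the article; the ransomware flag is set to
# "Known" only for the PaperCut flaw, the one the article ties to ransomware.
_ROWS = [
    ("CVE-2023-27351", "PaperCut NG/MF", "2026-05-04", "Known"),
    ("CVE-2024-27199", "JetBrains TeamCity", "2026-05-04", "Unknown"),
    ("CVE-2025-2749", "Kentico Xperience", "2026-05-04", "Unknown"),
    ("CVE-2025-32975", "Quest KACE SMA", "2026-05-04", "Unknown"),
    ("CVE-2025-48700", "Synacor Zimbra Collaboration Suite", "2026-05-04", "Unknown"),
    ("CVE-2026-20122", "Cisco Catalyst SD-WAN Manager", "2026-04-23", "Unknown"),
    ("CVE-2026-20128", "Cisco Catalyst SD-WAN Manager", "2026-04-23", "Unknown"),
    ("CVE-2026-20133", "Cisco Catalyst SD-WAN Manager", "2026-04-23", "Unknown"),
]
KEV = [dict(zip(("cveID", "product", "dueDate", "knownRansomwareCampaignUse"), r))
       for r in _ROWS]

# Hypothetical asset inventory: host, installed product, CVEs already remediated.
INVENTORY = [
    {"host": "print01.example.internal", "product": "PaperCut NG/MF", "fixed": set()},
    {"host": "vmanage.example.internal", "product": "Cisco Catalyst SD-WAN Manager",
     "fixed": {"CVE-2026-20122"}},
    {"host": "ci.example.internal", "product": "JetBrains TeamCity",
     "fixed": {"CVE-2024-27199"}},
    {"host": "wiki.example.internal", "product": "Confluence", "fixed": set()},
]

def triage(kev, inventory, today):
    """Return open (host, cve, days_left, ransomware) findings, most urgent first."""
    by_product = {}
    for entry in kev:
        by_product.setdefault(entry["product"].casefold(), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get(asset["product"].casefold(), []):
            if entry["cveID"] in asset["fixed"]:
                continue  # already remediated on this host
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            ransomware = entry["knownRansomwareCampaignUse"] == "Known"
            findings.append((asset["host"], entry["cveID"], days_left, ransomware))
    # Earliest deadline first (negative = overdue); ransomware-linked breaks ties.
    return sorted(findings, key=lambda f: (f[2], not f[3], f[0], f[1]))

if __name__ == "__main__":
    for host, cve, days, rw in triage(KEV, INVENTORY, date(2026, 4, 25)):
        state = f"OVERDUE by {-days}d" if days < 0 else f"{days}d left"
        print(f"{host:26} {cve:15} {state:14} {'ransomware-linked' if rw else ''}")
```

In practice the product match would be driven by the live KEV feed and a real asset database rather than exact string equality on product names.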





