CISA Adds Eight Exploited Flaws to KEV and Establishes Federal Deadlines for April-May 2026

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Three of them, affecting the Cisco Catalyst SD-WAN Manager, were singled out because evidence of active exploitation had emerged. The additions underscore the escalating threat landscape that organizations face.

The newly cataloged vulnerabilities are significant and varied, each with its own implications for security and system integrity:

  1. CVE-2023-27351 (CVSS score: 8.2) represents an improper authentication flaw found in PaperCut NG/MF. This vulnerability can enable attackers to bypass authentication protocols in affected installations via the SecurityRequestFilter class.

  2. CVE-2024-27199 (CVSS score: 7.3) highlights a relative path traversal vulnerability within JetBrains TeamCity. This weakness can potentially allow attackers to carry out limited administrative actions, thereby posing risks to the affected systems.

  3. CVE-2025-2749 (CVSS score: 7.2) involves a path traversal vulnerability in Kentico Xperience. This vulnerability has the capacity to let an authenticated user’s Staging Sync Server upload arbitrary data to path-relative locations, raising concerns about data integrity and security.

  4. CVE-2025-32975 (CVSS score: 10.0) is particularly worrisome as it involves an improper authentication vulnerability in the Quest KACE Systems Management Appliance (SMA). Attackers can exploit this flaw to impersonate legitimate users, circumventing credential checks entirely.

  5. CVE-2025-48700 (CVSS score: 6.1) is a cross-site scripting vulnerability present in the Synacor Zimbra Collaboration Suite (ZCS). This vulnerability allows an attacker to execute arbitrary JavaScript within a user’s session, which could result in unauthorized access to sensitive information.

  6. CVE-2026-20122 (CVSS score: 5.4) is another vulnerability affecting the Cisco Catalyst SD-WAN Manager. This flaw arises from the incorrect use of privileged APIs and could enable attackers to upload and overwrite arbitrary files on the affected system, thereby obtaining vManage user privileges.

  7. CVE-2026-20128 (CVSS score: 7.5) is a critical issue in the Cisco Catalyst SD-WAN Manager stemming from passwords being stored in a recoverable format. It allows an authenticated, local attacker to gain DCA user privileges by reading the credential file for the DCA user.

  8. CVE-2026-20133 (CVSS score: 6.5) involves the exposure of sensitive information to unauthorized actors, also affecting the Cisco Catalyst SD-WAN Manager. This could enable remote attackers to view sensitive data on the compromised systems.

Of note, CISA previously added CVE-2024-27198, another JetBrains TeamCity vulnerability, to the KEV catalog in March 2024. It is not yet known whether the two vulnerabilities are being exploited in tandem or whether the activity stems from a single threat actor.

In April 2023, exploitation of CVE-2023-27351 was attributed to a group tracked as Lace Tempest, which used the flaw in attacks that deployed the Cl0p and LockBit ransomware families. Additionally, unidentified threat actors are reported to have weaponized CVE-2025-32975: recent observations show exploitation targeting unpatched SMA systems, though the goals of those campaigns remain unclear.

Further, the Computer Emergency Response Team of Ukraine (CERT-UA) has reported that a threat actor tracked as UAC-0233 has exploited ZCS vulnerabilities (specifically CVE-2025-48700 and CVE-2025-66376) in a series of attacks against Ukrainian entities since September 2025. The exploitation allowed the actor to execute arbitrary code without user interaction, raising alarms about the risk such vulnerabilities pose.

The impacts are severe, with CERT-UA detailing that successful compromises provide attackers access to critical mailbox contents, including correspondence archived within TGZ files, backup codes for multi-factor authentication, application passwords, and critical data from the global address book.

Cisco has confirmed awareness of the exploitation activities tied to CVE-2026-20122 and CVE-2026-20128 since March 2026. However, it has yet to amend its advisory regarding CVE-2026-20133 to reflect its in-the-wild abuse.

Given the active exploitation of these vulnerabilities, CISA has advised Federal Civilian Executive Branch (FCEB) agencies to address the Cisco vulnerabilities by April 23, 2026, while urging action on the remaining vulnerabilities by May 4, 2026. This call to action emphasizes the need for organizations to remain vigilant and proactive in fortifying their cybersecurity measures in light of these identified vulnerabilities.
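A defender's first step after an announcement like this is to check which of the newly listed CVEs touch products actually in their estate and how many days remain before the federal due date. The script below is an added example, not part of the article or CISA's tooling; the feed is a constructed sample in the shape of the public KEV JSON (field names cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) populated with the CVE IDs and deadlines reported above, and the inventory is likewise constructed.

```python
"""Triage CISA KEV entries against a local product inventory by federal due date."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of the public KEV JSON feed (only the fields used
# here); CVE IDs and due dates are those reported in the article above.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "PaperCut NG/MF",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE SMA",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: (vendor, product) pairs this organisation runs.
INVENTORY = {("Cisco", "Catalyst SD-WAN Manager"), ("JetBrains", "TeamCity")}


def triage_kev(feed_json, inventory, today, horizon_days=14):
    """Return KEV entries for inventoried products that are overdue or due within
    `horizon_days`, most urgent first (days_left < 0 means overdue)."""
    feed = json.loads(feed_json)
    horizon = today + timedelta(days=horizon_days)
    hits = []
    for v in feed["vulnerabilities"]:
        if (v["vendorProject"], v["product"]) not in inventory:
            continue                      # not in our estate, nothing to patch
        due = date.fromisoformat(v["dueDate"])
        if due > horizon:
            continue                      # outside the triage window
        hits.append({
            "cveID": v["cveID"],
            "product": v["product"],
            "dueDate": v["dueDate"],
            "days_left": (due - today).days,
            "ransomware": v["knownRansomwareCampaignUse"] == "Known",
        })
    # Earliest due date first; ransomware-linked flaws win ties, then CVE ID.
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"], h["cveID"]))
    return hits


if __name__ == "__main__":
    for h in triage_kev(KEV_FEED_JSON, INVENTORY, date(2026, 4, 20)):
        print(f'{h["cveID"]}  {h["product"]}  due {h["dueDate"]}  ({h["days_left"]}d)')
```

Against the live feed, replace KEV_FEED_JSON with the downloaded catalog and INVENTORY with the output of your asset management system; the sort order puts the Cisco entries due April 23 ahead of the May 4 batch.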
