CISA Expands KEV Catalog with 8 Actively Exploited Vulnerabilities Targeting Cisco, Zimbra, and TeamCity
The Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog, identifying eight new security flaws that are currently being exploited in real-world attacks. This update, announced on April 21, 2026, underscores the urgency for organizations to address these vulnerabilities to safeguard their systems against potential threats.
CISA’s latest update introduces vulnerabilities affecting a variety of products and vendors. Among the most critical entries are CVE-2023-27351 and CVE-2024-27199, both of which have garnered significant attention due to their active exploitation and the potential risks they pose to enterprise environments.
Latest Vulnerabilities Added to the KEV Catalog
The vulnerabilities added to the KEV catalog include:
- CVE-2023-27351 (CVSS 8.2): An improper authentication flaw in PaperCut NG/MF, allowing attackers to bypass authentication mechanisms through the SecurityRequestFilter class.
- CVE-2024-27199 (CVSS 7.3): A relative path traversal vulnerability in JetBrains TeamCity that could enable attackers to perform limited administrative actions.
- CVE-2025-2749 (CVSS 7.2): A path traversal flaw in Kentico Xperience, permitting authenticated users to upload arbitrary data to specific paths via the Staging Sync Server.
- CVE-2025-32975 (CVSS 10.0): A critical improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA), which allows attackers to impersonate legitimate users without credentials.
- CVE-2025-48700 (CVSS 6.1): A cross-site scripting (XSS) issue in Zimbra Collaboration Suite that enables execution of arbitrary JavaScript within a user session.
- CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133: Three distinct vulnerabilities affecting Cisco Catalyst SD-WAN Manager, ranging from privilege escalation to exposure of sensitive information.
Cisco Catalyst Vulnerabilities Under Active Exploitation
Three of the newly added vulnerabilities affect Cisco Catalyst SD-WAN Manager, raising significant concerns about the security of enterprise networking infrastructure. They are:
- CVE-2026-20122 (CVSS 5.4): Improper use of privileged APIs, allowing attackers to upload or overwrite arbitrary files and gain elevated privileges.
- CVE-2026-20128 (CVSS 7.5): Storage of passwords in a recoverable format, enabling local attackers to extract credentials and escalate access.
- CVE-2026-20133 (CVSS 6.5): Exposure of sensitive information to unauthorized actors, potentially allowing remote attackers to access confidential system data.
Continued Concerns Around CVE-2023-27351 and CVE-2024-27199
The inclusion of CVE-2023-27351 in the KEV catalog is particularly noteworthy due to its historical context. In April 2023, this vulnerability was linked to the Lace Tempest threat group, which exploited it to deploy Cl0p and LockBit ransomware. Its ongoing presence in active exploitation campaigns indicates that unpatched systems remain vulnerable.
Similarly, CVE-2024-27199 follows an earlier related vulnerability, CVE-2024-27198, which was added to the KEV catalog in March 2024. Both vulnerabilities affect JetBrains TeamCity, but it remains unclear whether they are being exploited in tandem or by the same threat actors.
Zimbra Collaboration Suite Vulnerability Raises High-Risk Alert
Another critical addition to the KEV catalog is CVE-2025-48700, which affects Zimbra Collaboration Suite. This vulnerability enables cross-site scripting attacks that can lead to unauthorized access to sensitive information. Security assessments classify this issue as a high risk, especially since it is already being exploited in the wild.
Impact and Affected Versions
The vulnerability impacts multiple versions of Zimbra Collaboration Suite, including:
- Versions prior to 9.0.0 Patch 43
- Versions prior to 10.0.12
- Versions prior to 10.1.4
- Versions prior to 8.8.15 Patch 47
Attackers exploiting CVE-2025-48700 can inject malicious JavaScript into user sessions, potentially compromising sensitive data and enabling further attacks.
Mitigation Measures
To address these vulnerabilities, users are advised to apply vendor-released patches for the affected versions:
- Version 9.0.0 Patch 43
- Version 10.0.12
- Version 10.1.4
- Version 8.8.15 Patch 47
CISA recommends that organizations prioritize remediation efforts in line with KEV catalog guidance, particularly for vulnerabilities with confirmed exploitation activity.
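As an added example (not from CISA, Zimbra or the original article), the fixed releases listed above can be turned into an inventory check for CVE-2025-48700. The version string format and the host names are assumptions constructed for illustration; output collected from a real Zimbra host would need to be normalised to this form first.

```python
import re

# Fixed releases for CVE-2025-48700 as listed in the article, keyed by
# (major, minor) branch. Tuple layout: (major, minor, micro, patch level).
FIXED = {
    (8, 8): (8, 8, 15, 47),
    (9, 0): (9, 0, 0, 43),
    (10, 0): (10, 0, 12, 0),
    (10, 1): (10, 1, 4, 0),
}
OLDEST_FIXED = min(FIXED.values())

# Assumed input format: "9.0.0 Patch 43", "9.0.0_P43" or "10.1.4".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:[\s_]*(?:patch|p)\s*(\d+))?\s*$", re.IGNORECASE
)

def parse_version(text):
    """Return (major, minor, micro, patch) or None if the string is not understood."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def status(text):
    """Classify a version as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v < OLDEST_FIXED:          # older than every fixed release on the page
        return "vulnerable"
    fixed = FIXED.get(v[:2])
    if fixed is None:             # branch the article does not mention
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"

def needs_attention(inventory):
    """Hosts not confirmed patched, vulnerable ones first, then by host name."""
    rows = [(host, status(ver)) for host, ver in inventory.items()]
    flagged = [r for r in rows if r[1] != "patched"]
    return sorted(flagged, key=lambda r: (r[1] != "vulnerable", r[0]))

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = {
    "mail-a.example.internal": "9.0.0 Patch 42",
    "mail-b.example.internal": "9.0.0_P43",
    "mail-c.example.internal": "10.0.12",
    "mail-d.example.internal": "10.1.3",
    "mail-e.example.internal": "8.8.12",
    "mail-f.example.internal": "10.2.0",
}
```

Versions on a branch the article does not list are reported as unknown rather than patched, so they are reviewed by hand instead of being silently cleared.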
Federal Deadlines and Broader Implications
With the addition of these vulnerabilities to the KEV catalog, CISA has also established remediation deadlines for federal agencies, spanning April to May 2026. These deadlines are part of Binding Operational Directive (BOD) requirements, mandating timely patching of known exploited vulnerabilities.
The continued expansion of the KEV catalog, including high-profile entries like CVE-2023-27351, CVE-2024-27199, and Cisco Catalyst-related flaws, reflects a shifting threat landscape where attackers rapidly weaponize newly discovered weaknesses. Organizations beyond the federal sector are encouraged to treat the KEV catalog as a priority reference for vulnerability management and risk mitigation.
Source: thecyberexpress.com


