The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
Several of the listed vulnerabilities are not just theoretical weaknesses but have been actively exploited in real-world attacks, often becoming entry points for ransomware operators and state-linked actors.
The CVE-2023-27351 flaw in PaperCut NG/MF is a clear example. It was widely abused in 2023 by ransomware groups such as Clop and LockBit, which leveraged the improper authentication issue to gain unauthenticated access to servers, deploy payloads, and move laterally within networks.
Similarly, CVE-2024-27199 affecting JetBrains TeamCity was rapidly weaponized after disclosure. Threat actors exploited the path traversal flaw to access sensitive configuration files, extract credentials, and in some cases deploy backdoors on build servers, which are critical assets in software supply chains.
The CVE-2025-32975 flaw in Quest KACE Systems Management Appliance has also been observed in opportunistic attacks, where attackers bypass authentication to gain administrative access, enabling device management abuse and potential malware deployment across managed endpoints.
On the email front, CVE-2025-48700 impacting Zimbra Collaboration Suite has been linked to exploitation campaigns delivering malicious scripts via cross-site scripting, often used to hijack sessions or steal credentials in targeted attacks.
For the more recent Cisco issues, CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128 affecting Cisco Catalyst SD-WAN Manager, public reporting so far indicates a high risk of exploitation, especially given the platform’s role in managing enterprise networks. While large-scale campaigns have not been as widely documented yet, similar Cisco management-plane flaws have historically been quickly adopted by threat actors once proof-of-concept exploits emerge.
Finally, CVE-2025-2749 in Kentico Xperience represents a classic path traversal issue. Although public evidence of widespread exploitation is still limited, such flaws are routinely abused in web attacks to access sensitive files, and they tend to be incorporated into automated scanning and exploitation frameworks shortly after disclosure.
Overall, the pattern is consistent: vulnerabilities enabling unauthenticated access, path traversal, or credential exposure are quickly operationalized. Attackers exploit them for initial access, privilege escalation, and persistence, often within days of public disclosure, highlighting the need for rapid patching and continuous monitoring.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by May 4, 2026, except Cisco Catalyst and Synacor Zimbra Collaboration Suite (ZCS) flaws, which must be addressed by April 23, 2026.
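One way to act on the recommendation to review the Catalog is to cross-check scanner or SBOM output against the KEV feed and rank hits by CISA due date. The script below is an added example, not from the article or CISA; the embedded feed is a constructed sample in the shape of CISA's published KEV JSON (field names as in the real feed), populated with CVE IDs and due dates taken from the article, and the `kev_exposure` function and scanner list are assumptions.

```python
"""Cross-check an inventory's CVE list against a CISA KEV feed (added example)."""
import json
from datetime import date

# Constructed sample mirroring the structure of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs and due dates come from the article; other values are illustrative.
SAMPLE_KEV = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
         "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-48700", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

def kev_exposure(kev_json, inventory_cves, today=None):
    """Return KEV entries that appear in the inventory, most urgent first.

    inventory_cves: CVE IDs from a vulnerability scanner or SBOM (any case).
    today: ISO date string used to compute days until the CISA due date;
    a negative days_left means the remediation deadline has already passed.
    """
    now = date.today() if today is None else date.fromisoformat(today)
    wanted = {c.strip().upper() for c in inventory_cves}
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["cveID"].upper() not in wanted:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - now).days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Soonest due date first; ransomware-linked entries win ties.
    hits.sort(key=lambda h: (h["days_left"], not h["ransomware"]))
    return hits

if __name__ == "__main__":
    scan = ["cve-2026-20133", "CVE-2023-27351", "CVE-2000-0000"]  # constructed scanner output
    for h in kev_exposure(SAMPLE_KEV, scan, "2026-04-20"):
        print(f'{h["cve"]:16} {h["product"]:30} due {h["due"]} ({h["days_left"]:+d} days)')
```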