The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.
The list of vulnerabilities is as follows -
- CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut NG/MF that could allow an attacker to bypass authentication on affected installations via the SecurityRequestFilter class.
- CVE-2024-27199 (CVSS score: 7.3) - A relative path traversal vulnerability in JetBrains TeamCity that could allow an attacker to perform limited admin actions.
- CVE-2025-2749 (CVSS score: 7.2) - A path traversal vulnerability in Kentico Xperience that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.
- CVE-2025-32975 (CVSS score: 10.0) - An improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA) that could allow an attacker to impersonate legitimate users without valid credentials.
- CVE-2025-48700 (CVSS score: 6.1) - A cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow an attacker to execute arbitrary JavaScript within the user's session, resulting in unauthorized access to sensitive information.
- CVE-2026-20122 (CVSS score: 5.4) - An incorrect use of privileged APIs vulnerability in Cisco Catalyst SD-WAN Manager that could allow an attacker to upload and overwrite arbitrary files on the affected system and gain vmanage user privileges.
- CVE-2026-20128 (CVSS score: 7.5) - A storing passwords in a recoverable format vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
- CVE-2026-20133 (CVSS score: 6.5) - An exposure of sensitive information to an unauthorized actor vulnerability in Cisco Catalyst SD-WAN Manager that could allow remote attackers to view sensitive information on affected systems.
It's worth noting that CISA added CVE-2024-27198, another flaw impacting on-premise versions of JetBrains TeamCity, to the KEV catalog in March 2024. It's not known at this stage if both vulnerabilities are being exploited together and if the activity is the work of the same threat actor.
The exploitation of CVE-2023-27351, on the other hand, was attributed to Lace Tempest in April 2023 in connection with attacks delivering Cl0p and LockBit ransomware families.
As for CVE-2025-32975, Arctic Wolf said it observed unknown threat actors weaponizing the bug to target unpatched SMA systems as late last month, although the exact end goals of the campaign remain unknown.
According to the Computer Emergency Response Team of Ukraine (CERT-UA), a threat actor known as UAC-0233 has exploited two vulnerabilities in ZCS (CVE-2025-48700 and CVE-2025-66376) in attacks aimed at Ukrainian entities since September 2025, allowing it to execute arbitrary code without requiring any user interaction. CVE-2025-66376 was added to the CISA KEV catalog in mid-March 2026.
"Upon successful compromise, the attackers gained access to mailbox contents, including correspondence compiled into a TGZ archive, multi-factor authentication backup codes, application passwords, and the global address book," CERT-UA noted in its H2 2025 report published earlier this month. "This activity is tracked under identifier UAC-0250."
Cisco, for its part, also said it became aware of the exploitation of CVE-2026-20122 and CVE-2026-20128 in March 2026. The company has yet to revise its advisory to reflect the in-the-wild abuse of CVE-2026-20133.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been recommended to address the three Cisco vulnerabilities by April 23, 2026, and the rest by May 4, 2026.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.