PROBABLYPWNED
Vulnerabilities | April 22, 2026 | 3 min read

CISA Adds 8 Exploited Flaws to KEV, Cisco SD-WAN Deadline Tomorrow

CISA added eight vulnerabilities to its KEV catalog including three Cisco Catalyst SD-WAN Manager flaws. Federal agencies face an April 23 deadline for the Cisco patches.

Marcus Chen

CISA added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on April 20, citing evidence of active exploitation. Three of the flaws affect Cisco Catalyst SD-WAN Manager and carry an April 23 deadline for federal agencies—tomorrow.

The CISA alert includes a mix of new and older vulnerabilities across enterprise software, from authentication bypasses to path traversal flaws. The aggressive deadline for the Cisco vulnerabilities signals that exploitation is ongoing and poses immediate risk to federal networks.

The Eight Vulnerabilities

CVE            | Product                       | Type                    | CVSS | Deadline
CVE-2026-20122 | Cisco Catalyst SD-WAN Manager | Privileged API misuse   | 5.4  | April 23, 2026
CVE-2026-20128 | Cisco Catalyst SD-WAN Manager | Password storage flaw   | 7.5  | April 23, 2026
CVE-2026-20133 | Cisco Catalyst SD-WAN Manager | Information disclosure  | 6.5  | April 23, 2026
CVE-2025-32975 | Quest KACE SMA                | Improper authentication | 10.0 | May 4, 2026
CVE-2023-27351 | PaperCut NG/MF                | Authentication bypass   | 8.2  | May 4, 2026
CVE-2024-27199 | JetBrains TeamCity            | Path traversal          | 7.3  | May 4, 2026
CVE-2025-2749  | Kentico Xperience             | Path traversal          | 7.2  | May 4, 2026
CVE-2025-48700 | Synacor Zimbra ZCS            | Cross-site scripting    | 6.1  | May 4, 2026

Cisco SD-WAN Manager Under Active Attack

The three Cisco Catalyst SD-WAN Manager vulnerabilities, while individually rated medium to high severity, create a dangerous combination when chained together. The password storage vulnerability (CVE-2026-20128) could expose credentials that enable exploitation of the privileged API misuse flaw (CVE-2026-20122), while the information disclosure bug (CVE-2026-20133) aids reconnaissance.

SD-WAN infrastructure is a high-value target for attackers. Compromising the management plane can provide visibility into and control over an organization's entire wide-area network. This follows a pattern we've seen with Cisco ISE vulnerabilities that attackers have been exploiting in recent weeks.

Quest KACE Perfect 10

The Quest KACE Systems Management Appliance vulnerability stands out with its maximum CVSS score of 10.0. CVE-2025-32975 allows unauthenticated attackers to bypass authentication entirely, gaining administrative access to the appliance. KACE manages software deployment, patch management, and system inventory across enterprise environments—administrative access means control over thousands of endpoints.

Organizations using Quest KACE should treat this as a top priority even though the deadline is May 4.

Legacy Flaws Still Being Exploited

Two vulnerabilities in this batch date back to 2023 and 2024, demonstrating that attackers continue exploiting older flaws:

PaperCut NG/MF (CVE-2023-27351): This authentication bypass was disclosed nearly three years ago. PaperCut print management software is deployed in schools, universities, and enterprises worldwide. The continued exploitation suggests many organizations haven't patched—or worse, haven't inventoried their PaperCut installations.

JetBrains TeamCity (CVE-2024-27199): The path traversal flaw in TeamCity CI/CD servers has been a known target since 2024. We covered CISA's earlier TeamCity advisories as threat actors continue targeting software supply chain infrastructure.

Federal and Private Sector Action

Under Binding Operational Directive 22-01, federal civilian agencies must remediate KEV vulnerabilities by CISA's deadlines. But the catalog serves as a priority list for any organization—these aren't theoretical risks but confirmed active exploits.

The April 23 deadline for Cisco SD-WAN Manager gives federal agencies essentially one day to patch or implement mitigations. For private organizations, the message is the same: if you're running affected versions, patch immediately.

Check CISA's KEV catalog for the full list of actively exploited vulnerabilities requiring immediate attention.
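The catalog is published as a JSON feed, so the deadline triage described above can be scripted. The following is an added example, not code from the article or from CISA: it parses the feed's layout (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded and dueDate), lists entries whose BOD 22-01 due date falls within a chosen window, and cross-references them against a simple vendor/product inventory. The feed URL is CISA's real one; the sample records are constructed from the table in this article, and the vendorProject/product strings and dateAdded values in them are assumptions, not CISA's exact wording.

```python
"""Triage CISA KEV entries by remediation due date (added example, not CISA code)."""
import json
from datetime import date, timedelta
from urllib.request import urlopen

# Real CISA feed URL; fetch_kev() is the only function that touches the network.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's layout, populated from the article's table.
# Vendor/product strings and dateAdded are assumptions, not CISA's exact values.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE SMA",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-2749", "vendorProject": "Kentico", "product": "Xperience",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-48700", "vendorProject": "Synacor", "product": "Zimbra ZCS",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
]})


def _as_date(value):
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def fetch_kev(url=KEV_FEED_URL, timeout=30):
    """Download the live catalog; not called at import time so everything else works offline."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_kev(feed_text):
    """Return the list of catalog entries from the feed's JSON text."""
    return json.loads(feed_text)["vulnerabilities"]


def due_within(entries, today, days):
    """Entries whose due date is on or before today + days (already-overdue ones included),
    ordered most urgent first. ISO date strings sort correctly as plain strings."""
    cutoff = _as_date(today) + timedelta(days=days)
    hits = [e for e in entries if date.fromisoformat(e["dueDate"]) <= cutoff]
    hits.sort(key=lambda e: (e["dueDate"], e["cveID"]))
    return hits


def affecting_inventory(entries, inventory):
    """Entries whose (vendor, product) pair appears in inventory, compared case-insensitively.
    inventory is any iterable of (vendor, product) string pairs from your asset records."""
    wanted = {(v.strip().lower(), p.strip().lower()) for v, p in inventory}
    return [e for e in entries
            if (e["vendorProject"].lower(), e["product"].lower()) in wanted]


def report(entries, today):
    """One line per entry: CVE, vendor/product, due date and days remaining (or OVERDUE)."""
    today = _as_date(today)
    lines = []
    for e in entries:
        remaining = (date.fromisoformat(e["dueDate"]) - today).days
        status = "OVERDUE" if remaining < 0 else f"{remaining} day(s) left"
        lines.append(f'{e["cveID"]}  {e["vendorProject"]} {e["product"]}  due {e["dueDate"]}  {status}')
    return lines


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_KEV_JSON)   # use parse_kev(fetch_kev()) for the live feed
    today = "2026-04-22"                   # the article's publication date
    for line in report(due_within(entries, today, days=1), today):
        print(line)
```

Run against the live feed, the one-day window shows exactly the entries that must be closed out by the next day; widening the window to the May 4 date picks up the rest of this batch. The inventory filter is where most organizations fall down, as the PaperCut case above shows: the script can only match what your asset records actually list, so an unrecorded install never surfaces.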
