CISA Adds Eight Known Exploited Vulnerabilities to Catalog

CISA has added eight actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, affecting various enterprise software including PaperCut, JetBrains TeamCity, Zimbra, and Cisco Catalyst SD-WAN Manager. Organizations are strongly urged to prioritize remediation of these flaws to reduce exposure to cyberattacks.

Sens: Immediate | Conf: high | Analyzed: 2026-04-21

Authors: CISA

Source: CISA

Key Takeaways

  • CISA added 8 new vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
  • Affected products include PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra ZCS, and Cisco Catalyst SD-WAN Manager.
  • Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities per BOD 22-01.
  • All organizations are strongly urged to prioritize patching these vulnerabilities to reduce cyberattack exposure.

Affected Systems

  • PaperCut NG/MF
  • JetBrains TeamCity
  • Kentico Xperience
  • Quest KACE Systems Management Appliance (SMA)
  • Synacor Zimbra Collaboration Suite (ZCS)
  • Cisco Catalyst SD-WAN Manager

Vulnerabilities (CVEs)

  • CVE-2023-27351
  • CVE-2024-27199
  • CVE-2025-2749
  • CVE-2025-32975
  • CVE-2025-48700
  • CVE-2026-20122
  • CVE-2026-20128
  • CVE-2026-20133

Attack Chain

The article does not detail a specific attack chain, but notes that malicious cyber actors are actively exploiting these eight vulnerabilities in the wild to compromise vulnerable enterprise systems and public-facing applications.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the alert.

Detection Engineering Assessment

  • EDR Visibility: Low — The alert only lists CVEs without detailing specific post-exploitation behaviors, payloads, or processes that EDR would typically detect.
  • Network Visibility: Medium — Network sensors (IDS/IPS) and WAFs may have existing signatures for the specific CVEs listed (e.g., path traversal, XSS, authentication bypass attempts).
  • Detection Difficulty: Moderate — Detecting exploitation requires specific vulnerability signatures or monitoring for anomalous post-exploitation activity on the affected applications.

Required Log Sources

  • Web Application Firewall (WAF) logs
  • Web server access logs
  • Network IDS/IPS logs

Hunting Hypotheses

  • Hypothesis: Look for anomalous authentication bypass or path traversal attempts targeting web-facing applications like PaperCut, TeamCity, or Zimbra.
  • Telemetry: WAF logs, Web server access logs
  • ATT&CK Stage: Initial Access
  • FP Risk: Medium
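The hypothesis above names web server access logs as the telemetry. The script below is an added example (not part of the CISA alert and not a CISA tool) that runs the path traversal half of that hunt over a few constructed access log lines in combined log format. It percent-decodes each request target repeatedly, because a single decode misses double-encoded `%252e%252e`, normalises backslashes, and flags only a literal `..` path segment, so a filename such as `report..pdf` is not a false positive. Hostnames, IP addresses, paths and log lines are all constructed.

```python
"""Hunt for path traversal attempts in web server access logs.

Added example; the log lines below are constructed samples in Apache/Nginx
combined log format, not real telemetry from any affected product.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: client ident user [timestamp] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: three traversal attempts (plain, single-encoded,
# double-encoded), two benign requests and one benign "..pdf" filename.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2026:10:01:02 +0000] "GET /app/login HTTP/1.1" 200 1532
203.0.113.7 - - [21/Apr/2026:10:01:05 +0000] "GET /app/../../config/settings HTTP/1.1" 400 210
198.51.100.9 - - [21/Apr/2026:10:02:11 +0000] "GET /app/static/%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 403 180
198.51.100.9 - - [21/Apr/2026:10:02:12 +0000] "GET /app/static/%252e%252e/secret HTTP/1.1" 404 180
192.0.2.4 - - [21/Apr/2026:10:03:00 +0000] "POST /app/api/items HTTP/1.1" 201 90
192.0.2.4 - - [21/Apr/2026:10:03:30 +0000] "GET /app/files/report..pdf HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise_path(target, max_rounds=3):
    """Percent-decode until stable (bounded) and fold backslashes to slashes.

    Repeated decoding is what catches double-encoded sequences such as
    %252e%252e, which a single unquote() would leave as %2e%2e.
    """
    path = target.replace("\\", "/")
    for _ in range(max_rounds):
        decoded = unquote(path).replace("\\", "/")
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True only when a whole path segment is '..' (so 'report..pdf' is not flagged)."""
    return any(seg == ".." for seg in path.split("/"))


def hunt(log_text):
    """Return one finding per request whose normalised target contains traversal."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        norm = normalise_path(rec["target"])
        if has_traversal(norm):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "target": rec["target"],
                "normalised": norm,
                # Status is kept but not used for the decision: a 200 on a
                # traversal request is the case most worth a closer look.
                "status": int(rec["status"]),
            })
    return findings


def by_source(findings):
    """Count traversal attempts per client address for triage."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]} -> {h["normalised"]}')
    print("attempts per source:", by_source(hits))
```

Point the same `hunt()` at a real access log by reading the file instead of `SAMPLE_LOG`; the per-source count is the first triage cut, since a single source emitting many traversal variants against one application is the pattern the hypothesis describes. Requests that returned 2xx deserve review before the 4xx noise.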

Control Gaps

  • Unpatched public-facing applications
  • Lack of network segmentation for management interfaces

Key Behavioral Indicators

  • Anomalous access patterns to sensitive URIs
  • Unexpected child processes spawned by web application services

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply vendor-supplied patches for the eight listed CVEs immediately.
  • Isolate vulnerable systems from the internet if patching is not immediately possible.

Infrastructure Hardening

  • Implement Web Application Firewalls (WAF) to filter malicious requests targeting known vulnerabilities.
  • Restrict access to management interfaces (e.g., Cisco Catalyst SD-WAN Manager, Quest KACE SMA) to trusted IP ranges or internal networks.

User Protection

  • Enforce Multi-Factor Authentication (MFA) on all externally facing services.

Security Awareness

  • Ensure vulnerability management teams are subscribed to CISA KEV updates and prioritize remediation based on active exploitation.
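Subscribing to KEV updates is easiest to operationalise by reading the catalog's JSON feed and matching it against what you actually run. The script below is an added example, not part of the CISA alert: it loads a KEV-shaped snapshot, joins it to a small asset inventory and orders the results so internet-facing hosts and the nearest KEV due dates come first. The JSON field names (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) follow the public feed; the snapshot content, the due dates, the hostnames and the inventory are constructed, and the two CVE-to-product pairings are the example's own, since the alert itself does not state which CVE belongs to which product.

```python
"""Prioritise remediation by joining an asset inventory to a CISA KEV snapshot.

Added example; not part of the CISA alert. The feed shape mirrors the public
KEV JSON feed, but every value below is a constructed sample.
"""
import json
from datetime import date

# Constructed KEV-style snapshot. In practice this text comes from the live
# feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SNAPSHOT = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut",
         "product": "PaperCut NG/MF", "dateAdded": "2026-04-21",
         "dueDate": "2026-05-12",
         "requiredAction": "Apply vendor patch (placeholder text)."},
        {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains",
         "product": "TeamCity", "dateAdded": "2026-04-21",
         "dueDate": "2026-05-12",
         "requiredAction": "Apply vendor patch (placeholder text)."},
    ],
})

# Constructed inventory: product names must match the KEV "product" field
# (case-insensitive) for the join below to work.
INVENTORY = [
    {"host": "print01.corp.example", "product": "PaperCut NG/MF", "internet_facing": True},
    {"host": "print02.corp.example", "product": "PaperCut NG/MF", "internet_facing": False},
    {"host": "ci01.corp.example", "product": "TeamCity", "internet_facing": False},
    {"host": "wiki01.corp.example", "product": "ExampleWiki", "internet_facing": False},
]


def load_kev(text):
    """Parse feed JSON into a dict keyed by CVE id."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def kev_by_product(kev):
    """Index KEV entries by lower-cased product name for the inventory join."""
    index = {}
    for entry in kev.values():
        index.setdefault(entry["product"].lower(), []).append(entry)
    return index


def prioritise(kev, inventory, today):
    """Return affected (host, CVE) pairs ordered for remediation.

    Ordering: internet-facing hosts first, then fewest days to the KEV due
    date, then CVE id and host name for a stable, reviewable list.
    """
    index = kev_by_product(kev)
    findings = []
    for asset in inventory:
        for entry in index.get(asset["product"].lower(), []):
            due = date.fromisoformat(entry["dueDate"])
            days = (due - today).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "product": entry["product"],
                "internet_facing": asset["internet_facing"],
                "days_to_due": days,
                "overdue": days < 0,
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["internet_facing"], f["days_to_due"], f["cve"], f["host"]))
    return findings


def render(findings):
    """One line per finding, in priority order."""
    return [
        f'{f["host"]:<22} {f["cve"]:<16} '
        f'{"INTERNET" if f["internet_facing"] else "internal":<8} '
        f'due in {f["days_to_due"]:>3}d{"  OVERDUE" if f["overdue"] else ""}'
        for f in findings
    ]


if __name__ == "__main__":
    catalog = load_kev(KEV_SNAPSHOT)
    for line in render(prioritise(catalog, INVENTORY, date.today())):
        print(line)
```

Run it daily against the downloaded feed and feed the output into whatever ticketing the vulnerability management team already uses; the BOD 22-01 due date is the natural SLA for the FCEB case and a reasonable default for everyone else.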

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application