
CISA adds 8 exploited flaws to KEV, sets federal deadline for April-May 2026


Ravi LakshmananApril 21, 2026Network security/threat intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws affecting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation.

Here is the list of vulnerabilities:

  • CVE-2023-27351 (CVSS score: 8.2) – An improper authentication vulnerability in PaperCut NG/MF could allow an attacker to bypass authentication on an affected installation via the SecurityRequestFilter class.
  • CVE-2024-27199 (CVSS score: 7.3) – A relative path traversal vulnerability in JetBrains TeamCity could allow an attacker to perform limited administrative actions.
  • CVE-2025-2749 (CVSS score: 7.2) – A path traversal vulnerability in Kentico Xperience could allow an authenticated user’s Staging Sync Server to upload arbitrary data to path-relative locations.
  • CVE-2025-32975 (CVSS score: 10.0) – An improper authentication vulnerability in the Quest KACE Systems Management Appliance (SMA) could allow an attacker to impersonate a legitimate user without valid credentials.
  • CVE-2025-48700 (CVSS score: 6.1) – A cross-site scripting vulnerability in Synacor Zimbra Collaboration Suite (ZCS) could allow an attacker to execute arbitrary JavaScript within a user’s session and gain unauthorized access to sensitive information.
  • CVE-2026-20122 (CVSS score: 5.4) – An incorrect use of privileged APIs vulnerability in Cisco Catalyst SD-WAN Manager could allow an attacker to upload and overwrite arbitrary files on an affected system and gain vmanage user privileges.
  • CVE-2026-20128 (CVSS score: 7.5) – A recoverable password storage vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges by accessing the DCA user credentials file on the file system as a low-privileged user.
  • CVE-2026-20133 (CVSS score: 6.5) – A vulnerability in Cisco Catalyst SD-WAN Manager that exposes sensitive information to an unauthorized actor could allow a remote attacker to view sensitive information on an affected system.

It is worth noting that CISA added CVE-2024-27198, another flaw affecting on-premises versions of JetBrains TeamCity, to the KEV catalog in March 2024. It is currently unclear whether both vulnerabilities are being exploited together and whether the activity is the work of the same threat actor.

Meanwhile, exploitation of CVE-2023-27351 is believed to have been carried out by Lace Tempest in April 2023, in conjunction with attacks delivering the Cl0p and LockBit ransomware families.

Regarding CVE-2025-32975, Arctic Wolf said late last month that it observed unknown attackers weaponizing this bug to target unpatched SMA systems, but the exact end goal of the campaign was unknown.

Cisco also said it became aware of exploitation of CVE-2026-20122 and CVE-2026-20128 in March 2026. The company has not yet revised its advisory to reflect the exploitation of CVE-2026-20133 in the wild.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to address the three Cisco vulnerabilities by April 23, 2026, and the remaining vulnerabilities by May 4, 2026.

