The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with eight newly identified security flaws that are being exploited in real-world attacks. The update was announced on April 21, 2026.
CISA’s latest update to the KEV catalog introduces eight vulnerabilities spanning a range of products and vendors. Among the most notable inclusions are CVE-2023-27351 and CVE-2024-27199, both of which have drawn attention due to their active exploitation and potential impact on enterprise environments.
Latest Vulnerabilities Added to the KEV Catalog
- CVE-2023-27351 (CVSS 8.2): An improper authentication flaw affecting PaperCut NG/MF. This issue allows attackers to bypass authentication mechanisms via the SecurityRequestFilter class.
- CVE-2024-27199 (CVSS 7.3): A relative path traversal vulnerability in JetBrains TeamCity that could enable attackers to carry out limited administrative actions.
- CVE-2025-2749 (CVSS 7.2): A path traversal flaw in Kentico Xperience, permitting authenticated users to upload arbitrary data to specific paths via the Staging Sync Server.
- CVE-2025-32975 (CVSS 10.0): A critical improper authentication vulnerability in Quest KACE Systems Management Appliance (SMA), enabling attackers to impersonate legitimate users without credentials.
- CVE-2025-48700 (CVSS 6.1): A cross-site scripting (XSS) issue in Zimbra Collaboration Suite that allows execution of arbitrary JavaScript within a user session.
- CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133: Three distinct vulnerabilities impacting Cisco Catalyst SD-WAN Manager, ranging from privilege escalation to exposure of sensitive information.
Cisco Catalyst Vulnerabilities Under Active Exploitation
Three of the eight newly listed flaws affect Cisco Catalyst SD-WAN Manager, underscoring concerns about the security of enterprise networking infrastructure. These vulnerabilities include:
- CVE-2026-20122 (CVSS 5.4): Improper use of privileged APIs, allowing attackers to upload or overwrite arbitrary files and gain elevated privileges.
- CVE-2026-20128 (CVSS 7.5): Storage of passwords in a recoverable format, enabling local attackers to extract credentials and escalate access.
- CVE-2026-20133 (CVSS 6.5): Exposure of sensitive information to unauthorized actors, potentially allowing remote attackers to access confidential system data.
Continued Concerns Around CVE-2023-27351 and CVE-2024-27199
The inclusion of CVE-2023-27351 in the KEV catalog is particularly significant given its history. In April 2023, exploitation of this vulnerability was linked to the Lace Tempest threat group, which used it to deploy Cl0p and LockBit ransomware. Its continued presence in active exploitation campaigns indicates that unpatched systems remain a viable target.
Similarly, CVE-2024-27199 follows an earlier related vulnerability, CVE-2024-27198, which was added to the KEV catalog in March 2024. While both affect JetBrains TeamCity, it remains unclear whether they are being exploited in tandem or by the same threat actors.
Zimbra Collaboration Suite Vulnerability Raises High-Risk Alert
Another notable addition to the KEV catalog is CVE-2025-48700, affecting Zimbra Collaboration Suite. This vulnerability enables cross-site scripting attacks that can lead to unauthorized access to sensitive information. Security assessments classify this issue as High Risk, especially since it is already being exploited in the wild.
Impact and Affected Versions
The vulnerability impacts multiple versions of Zimbra Collaboration Suite, including:
- Versions prior to 9.0.0 Patch 43
- Versions prior to 10.0.12
- Versions prior to 10.1.4
- Versions prior to 8.8.15 Patch 47
Attackers exploiting CVE-2025-48700 can inject malicious JavaScript into user sessions, potentially compromising sensitive data and enabling further attacks.
Mitigation Measures
To address this issue, users are advised to apply vendor-released patches:
- Version 9.0.0 Patch 43
- Version 10.0.12
- Version 10.1.4
- Version 8.8.15 Patch 47
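As an added example (not from the original article or from Zimbra), the following Python turns the affected and fixed versions listed above into a branch-aware check that reports whether a given Zimbra build still needs the CVE-2025-48700 patch; the accepted version-string formats (including the `x.y.z_Pn` form) and the host inventory are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, build, patch level)

# First fixed release per Zimbra line, from the "Mitigation Measures" list.
# 8.8.15 and 9.0.0 are fixed by a patch on the same base version; 10.0 and
# 10.1 ship the fix as a new point release, so their patch level is 0.
FIXED_RELEASES: Dict[Tuple[int, ...], Version] = {
    (8, 8, 15): (8, 8, 15, 47),   # 8.8.15 Patch 47
    (9, 0, 0): (9, 0, 0, 43),     # 9.0.0 Patch 43
    (10, 0): (10, 0, 12, 0),      # 10.0.12
    (10, 1): (10, 1, 4, 0),       # 10.1.4
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(?:\s+patch\s+|_p)(\d+))?", re.I)

def parse_version(text: str) -> Optional[Version]:
    """Accepts '10.0.11', '9.0.0 Patch 42' or '8.8.15_P42' (assumed formats)."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        return None
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build), int(patch or 0))

def fixed_for(v: Version) -> Optional[Version]:
    """Fixed release for v's line; the more specific prefix is tried first."""
    for key in ((v[0], v[1], v[2]), (v[0], v[1])):
        if key in FIXED_RELEASES:
            return FIXED_RELEASES[key]
    return None

def assess(text: str) -> str:
    """'vulnerable', 'patched', 'unknown' (line not covered above) or 'unparseable'."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    fixed = fixed_for(v)
    if fixed is None:
        return "unknown"
    return "vulnerable" if v < fixed else "patched"

def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Hosts to queue for remediation: anything not positively confirmed patched."""
    return sorted(h for h, ver in inventory.items() if assess(ver) != "patched")

if __name__ == "__main__":
    # Constructed inventory for demonstration; these are not real hosts.
    sample = {"mail-01": "9.0.0 Patch 42", "mail-02": "10.0.12",
              "mail-03": "8.8.15_P46", "mail-04": "10.1.3", "mail-05": "10.2.0"}
    print({h: assess(v) for h, v in sample.items()}, hosts_needing_patch(sample))
```

Builds on a release line the advisory text does not cover (for example 10.2.x) are reported as "unknown" rather than guessed, so they stay on the remediation list until checked against the vendor advisory.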
CISA recommends that organizations prioritize remediation efforts in line with KEV catalog guidance, especially vulnerabilities with confirmed exploitation activity.
Federal Deadlines and Broader Implications
With the addition of these vulnerabilities to the KEV catalog, CISA has also set remediation deadlines for federal agencies, spanning April to May 2026. These deadlines are part of Binding Operational Directive (BOD) requirements, which mandate timely patching of known exploited vulnerabilities.
The continued expansion of the KEV catalog, including high-profile entries such as CVE-2023-27351, CVE-2024-27199, and the Cisco Catalyst-related flaws, reflects a threat landscape in which attackers rapidly weaponize newly disclosed weaknesses. Organizations beyond the federal sector are also encouraged to treat the KEV catalog as a priority reference for vulnerability management and risk mitigation.