# CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has significantly expanded its Known Exploited Vulnerabilities (KEV) catalog this week, adding eight newly confirmed actively exploited flaws and imposing tight remediation deadlines on federal civilian agencies stretching from late April into mid-May 2026. The additions include a trio of critical vulnerabilities affecting Cisco Catalyst SD-WAN Manager, a persistent authentication weakness in PaperCut's widely deployed print management software, and several other bugs being leveraged in ongoing intrusion campaigns.


The urgency of the update reflects a pattern CISA has warned about repeatedly throughout 2026: threat actors are increasingly weaponizing vulnerabilities in network management consoles and edge infrastructure — classes of software that, when compromised, grant attackers broad visibility and lateral movement opportunities across enterprise environments.


## Background and Context


CISA's KEV catalog, established in November 2021 under Binding Operational Directive (BOD) 22-01, serves as the authoritative federal list of vulnerabilities with confirmed in-the-wild exploitation. Inclusion in the catalog triggers a mandatory remediation clock for Federal Civilian Executive Branch (FCEB) agencies, with most deadlines set at three weeks from the listing date. While the directive technically binds only federal entities, CISA has positioned the catalog as a prioritization tool for the broader critical infrastructure community, and many private-sector organizations now treat KEV additions as de facto incident-response triggers.


This week's update is notable both for its scale — eight vulnerabilities added in a single batch is higher than CISA's typical weekly cadence — and for the profile of the affected products. Cisco Catalyst SD-WAN Manager, PaperCut, and the other impacted platforms collectively sit on millions of endpoints across government, education, healthcare, and enterprise environments. Historically, management-plane vulnerabilities in SD-WAN controllers have been a favored target for nation-state operators seeking persistence and command-and-control positioning.


## Technical Details


At the top of the newly cataloged list is CVE-2023-27351, an improper authentication vulnerability in PaperCut MF/NG carrying a CVSS score of 8.2. The flaw allows a remote unauthenticated attacker to bypass authentication on the SetupCompleted page of the PaperCut server and execute arbitrary code in the context of the SYSTEM account on Windows installations. Although the vulnerability was disclosed and patched in 2023, CISA's addition this week reflects fresh telemetry showing continued exploitation against unpatched deployments — a recurring theme with print management servers, which tend to be under-monitored and infrequently updated.


The three Cisco Catalyst SD-WAN Manager vulnerabilities added alongside the PaperCut bug represent the most serious cluster in the batch. Collectively, the flaws permit:


  • Authenticated command injection in the management UI, enabling privilege escalation to root on the SD-WAN Manager appliance.
  • Information disclosure through insufficient access controls on REST API endpoints, exposing device configurations, credentials, and topology data.
  • Authorization bypass in multi-tenant deployments that allows a lower-privileged tenant to access resources belonging to other tenants on the same controller.

Chained together, these vulnerabilities offer a credible path from initial foothold to full compromise of the SD-WAN fabric. An attacker with controller-level access can push malicious configurations to edge routers, redirect traffic, intercept VPN tunnels, and establish persistent presence in ways that survive individual device reimaging.


The remaining additions span a mix of end-of-life and currently supported products, including older but still widely deployed web application frameworks and content management systems. CISA has not publicly attributed the exploitation activity to named threat groups, though the timing and target selection pattern is consistent with reconnaissance and access-brokerage operations observed throughout the first quarter of 2026.


## Real-World Impact


For organizations running affected products, the practical implications are substantial. SD-WAN controllers are, by design, trusted nodes with privileged visibility across geographically distributed networks. A compromised controller does not just expose one site — it exposes the entire overlay. Security teams responding to these advisories should assume, until proven otherwise, that any controller exposed to untrusted networks and not patched against the listed CVEs is a candidate for compromise.


The PaperCut vulnerability carries a different but equally concerning profile. PaperCut servers frequently run on domain-joined Windows hosts with service accounts that possess broader permissions than their print-management role would suggest. Prior exploitation of CVE-2023-27351 and its companion flaws has been documented as an initial access vector for ransomware affiliates, including groups historically associated with Cl0p and BlackCat operations.


FCEB agencies face hard deadlines ranging from late April 2026 through mid-May 2026 to either apply vendor-supplied patches, implement documented mitigations, or discontinue use of affected products. Agencies unable to meet the deadline must submit remediation plans and, in some cases, request formal extensions.


## Threat Actor Context


While CISA's advisories typically avoid naming specific actors, threat intelligence reporting from commercial vendors has previously linked exploitation of similar SD-WAN and management-plane vulnerabilities to both financially motivated access brokers and state-aligned groups operating in the interest of the People's Republic of China and the Russian Federation. Campaigns attributed to Volt Typhoon and Salt Typhoon, in particular, have shown sustained interest in network infrastructure management layers as a means of establishing pre-positioning within U.S. critical infrastructure.


For the PaperCut vulnerability, historical exploitation has skewed toward ransomware affiliates and initial access brokers who monetize footholds by selling them into criminal markets. The mixed threat landscape — state and criminal actors converging on the same vulnerabilities — is one reason CISA has emphasized remediation urgency rather than waiting for attribution to crystallize.


## Defensive Recommendations


Security teams should treat this KEV update as a prompt to execute a focused remediation sprint:


  • Patch Cisco Catalyst SD-WAN Manager and PaperCut deployments immediately, following vendor guidance for each CVE.
  • Restrict management-plane exposure: SD-WAN controllers and print servers should never be directly reachable from the public internet. Enforce IP allowlisting, VPN-gated access, and management-VLAN segmentation.
  • Audit authentication logs for the affected systems going back at least 90 days, focusing on anomalous administrative logins, new local accounts, and unexpected API calls.
  • Rotate credentials stored on or managed by any potentially compromised controller, including device SSH keys, API tokens, and service account passwords.
  • Review configuration history on SD-WAN controllers for unauthorized template changes, new policy objects, or modified routing rules.
  • Enable and forward telemetry from the affected systems to a SIEM with detection logic tuned for the specific exploitation techniques documented in vendor advisories.

Organizations that cannot patch within the CISA-recommended windows should implement compensating controls and document the risk acceptance through their formal change and risk management processes.
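
One way to turn a KEV update into the remediation sprint described above, as an added example (not CISA's or any vendor's code): it matches KEV-format records against an asset inventory and orders the work by deadline and exposure. Field names follow the KEV JSON feed; the inventory, hostnames, dates and `CVE-0000-…` IDs are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed ("vulnerabilities" array).
# Dates and the CVE-0000-... IDs are invented placeholders, not catalog values.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "MF/NG",
   "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00001", "vendorProject": "Cisco",
   "product": "Catalyst SD-WAN Manager",
   "dateAdded": "2026-04-20", "dueDate": "2026-04-23",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
   "product": "ExampleCMS",
   "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
   "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed asset inventory: (hostname, vendor, product, internet_exposed)
INVENTORY = [
    ("print01.example.internal", "PaperCut", "MF/NG", False),
    ("vmanage.example.internal", "Cisco", "Catalyst SD-WAN Manager", True),
]

def remediation_queue(kev, inventory, today):
    """Match KEV entries to owned assets and order them by urgency."""
    queue = []
    for v in kev["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        for host, vendor, product, exposed in inventory:
            if (vendor.lower(), product.lower()) != key:
                continue  # KEV entry does not apply to this asset
            days_left = (date.fromisoformat(v["dueDate"]) - today).days
            queue.append({
                "host": host, "cve": v["cveID"], "days_left": days_left,
                "overdue": days_left < 0, "exposed": exposed,
                "ransomware": v["knownRansomwareCampaignUse"] == "Known",
            })
    # Overdue first, then internet-exposed, then ransomware-linked, then nearest deadline.
    queue.sort(key=lambda r: (not r["overdue"], not r["exposed"],
                              not r["ransomware"], r["days_left"]))
    return queue

if __name__ == "__main__":
    for row in remediation_queue(KEV_SAMPLE, INVENTORY, date(2026, 4, 27)):
        print(row)
```

Rows flagged `overdue` are the ones that need a documented compensating control or risk acceptance rather than a place in the normal patch queue.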


## Industry Response


Vendor response to the KEV additions has been swift. Cisco has reiterated the availability of fixed software trains for the affected Catalyst SD-WAN Manager versions and published updated advisory bulletins. PaperCut has reminded customers of the long-available patches for CVE-2023-27351 and renewed its guidance on securing administrative interfaces.


Industry information-sharing organizations, including the MS-ISAC and sector-specific ISACs, have begun circulating tailored advisories to their constituents. Managed security service providers report an uptick in emergency change requests from customers seeking to accelerate patching on the listed products, mirroring the response pattern seen after prior high-profile KEV additions involving network infrastructure.


CISA, for its part, has signaled that more catalog updates are likely in the coming weeks as the agency works through a growing backlog of exploitation reports. Security leaders should plan accordingly: the KEV catalog is rapidly becoming not just a compliance instrument, but the closest thing the industry has to a real-time, authoritative feed of vulnerabilities that demand immediate attention.

