# CISA Adds Eight Actively Exploited Vulnerabilities to Critical Risk Catalog


The Cybersecurity and Infrastructure Security Agency (CISA) has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, marking them as active threats with documented evidence of real-world exploitation. The additions span enterprise print management systems, CI/CD platforms, content management platforms, systems administration tools, email collaboration suites, and SD-WAN management infrastructure—representing a diverse attack surface across organizations of all sizes.


## The Threat


CISA's KEV Catalog serves as the authoritative registry of vulnerabilities that pose the greatest risk to critical infrastructure and federal systems. The eight newly cataloged CVEs underscore a troubling trend: attackers are actively exploiting vulnerabilities across the full spectrum of enterprise infrastructure, from build pipelines to email systems to network management consoles.


The vulnerabilities fall into several categories of weakness. Three affect Cisco Catalyst SD-WAN Manager, exposing a critical control point in modern network architecture to privilege escalation, plaintext password storage, and unauthorized information disclosure. Two vulnerabilities target authentication systems—one in PaperCut's printing platform and another in Quest KACE's appliance management software—allowing attackers to bypass security controls entirely. The remaining three represent path traversal and cross-site scripting flaws in JetBrains TeamCity, Kentico Xperience, and Synacor Zimbra, each capable of granting unauthorized access to sensitive systems and data.


What makes this catalog addition particularly significant is the evidence trail: CISA does not list vulnerabilities in the KEV Catalog until there is documented proof of active exploitation in the wild. Federal agencies subject to Binding Operational Directive (BOD) 22-01 are required to remediate these vulnerabilities by CISA-set deadlines. However, the agency emphasizes that all organizations—not just federal enterprises—should treat KEV Catalog additions as critical priorities for immediate patching.


## Severity and Impact


| CVE | Product | Vulnerability Type | CWE | Status |
|-----|---------|-------------------|-----|--------|
| CVE-2023-27351 | PaperCut NG/MF | Improper Authentication | CWE-287 | Actively Exploited |
| CVE-2024-27199 | JetBrains TeamCity | Relative Path Traversal | CWE-23 | Actively Exploited |
| CVE-2025-2749 | Kentico Xperience | Path Traversal | CWE-22 | Actively Exploited |
| CVE-2025-32975 | Quest KACE SMA | Improper Authentication | CWE-287 | Actively Exploited |
| CVE-2025-48700 | Synacor Zimbra ZCS | Cross-site Scripting | CWE-79 | Actively Exploited |
| CVE-2026-20122 | Cisco Catalyst SD-WAN Manager | Incorrect Privilege API Use | CWE-275 | Actively Exploited |
| CVE-2026-20128 | Cisco Catalyst SD-WAN Manager | Plaintext Password Storage | CWE-256 | Actively Exploited |
| CVE-2026-20133 | Cisco Catalyst SD-WAN Manager | Information Disclosure | CWE-200 | Actively Exploited |


Each of these vulnerabilities represents a distinct attack vector that adversaries are currently exploiting. Authentication bypasses (CVE-2023-27351, CVE-2025-32975) grant complete unauthorized access without valid credentials. Path traversal flaws (CVE-2024-27199, CVE-2025-2749) allow attackers to navigate restricted file systems and access sensitive configuration files. The SD-WAN Manager issues collectively compromise network backbone security through improper API usage, insecure credential storage, and direct information leakage. The Zimbra XSS vulnerability enables attackers to steal sessions and compromise email accounts at scale.


## Affected Products


Print Management:

  • PaperCut NG and PaperCut MF (all versions affected by CVE-2023-27351)

CI/CD and Build Infrastructure:

  • JetBrains TeamCity (affected by CVE-2024-27199)

Content Management:

  • Kentico Xperience platform (affected by CVE-2025-2749)

Systems Administration and Appliances:

  • Quest KACE Systems Management Appliance (SMA) (affected by CVE-2025-32975)

Email and Collaboration:

  • Synacor Zimbra Collaboration Suite (ZCS) (affected by CVE-2025-48700)

Network Management:

  • Cisco Catalyst SD-WAN Manager (affected by CVE-2026-20122, CVE-2026-20128, CVE-2026-20133)

Organizations operating any of these products in production environments face immediate exploitation risk. The SD-WAN vulnerabilities are particularly concerning, as SD-WAN controllers often sit at network perimeters and manage traffic for entire organizations.
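
An added example (not from CISA or the original article) of checking an asset inventory against KEV-format entries and ranking the matches by remediation deadline. The field names follow CISA's published KEV JSON feed; the inventory, hostnames and every due date are constructed placeholders.

```python
import json
import re
from datetime import date

# Constructed sample in the KEV JSON feed layout. CVE IDs and product names are
# from the article; every dueDate is a placeholder, not CISA's real deadline.
KEV_FEED = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF", "dueDate": "2099-01-05"},
 {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity", "dueDate": "2099-01-20"},
 {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dueDate": "2099-01-12"},
 {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dueDate": "2099-01-12"}
]}
""")

# Constructed asset inventory (hostnames are hypothetical).
INVENTORY = [
    {"host": "print01", "vendor": "PaperCut", "product": "MF"},
    {"host": "vmanage01", "vendor": "cisco", "product": "Catalyst SD-WAN Manager"},
    {"host": "sw-core1", "vendor": "Cisco", "product": "Catalyst 9300 Switch"},
    {"host": "wiki01", "vendor": "Atlassian", "product": "Confluence"},
]

def tokens(name):
    """Lower-case alphanumeric tokens, so 'NG/MF' and 'SD-WAN' split cleanly."""
    return set(re.findall(r"[a-z0-9]+", name.lower()))

def same_product(kev, asset):
    """Vendor must match; one product name must be fully contained in the other.
    Plain token overlap would wrongly flag a Catalyst switch as SD-WAN Manager."""
    if tokens(kev["vendorProject"]) != tokens(asset["vendor"]):
        return False
    a, b = tokens(kev["product"]), tokens(asset["product"])
    return bool(a and b) and (a <= b or b <= a)

def kev_exposure(feed, inventory, today):
    """Return (days_left, host, cveID) rows, most urgent first. Negative = overdue.
    A row is a candidate only: confirm the installed version against the vendor advisory."""
    rows = []
    for kev in feed["vulnerabilities"]:
        due = date.fromisoformat(kev["dueDate"])
        for asset in inventory:
            if same_product(kev, asset):
                rows.append(((due - today).days, asset["host"], kev["cveID"]))
    return sorted(rows)

if __name__ == "__main__":
    for days, host, cve in kev_exposure(KEV_FEED, INVENTORY, date(2099, 1, 10)):
        print(f"{host:10} {cve:15} {days:+d} days to deadline")
```
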


## Mitigations


Immediate Actions:

Organizations should treat these vulnerabilities as emergencies requiring same-day patching protocols. Check vendor advisories for available patches and security updates:

  • PaperCut: Apply latest NG/MF security patches
  • JetBrains: Update TeamCity to patched releases immediately
  • Kentico: Install available hotfixes for Xperience platform
  • Quest: Patch KACE SMA with latest appliance firmware
  • Synacor: Deploy Zimbra ZCS security updates
  • Cisco: Update Catalyst SD-WAN Manager to patched versions

Network Segmentation:

Until patches are deployed, implement network access controls to limit exposure. Restrict administrative access to affected systems to authorized networks only. Use Web Application Firewalls (WAF) to filter malicious requests targeting known traversal and XSS attack patterns.


Monitoring and Detection:

Enable enhanced logging on affected systems to detect exploitation attempts. Monitor for unusual authentication failures, unexpected file access patterns, and administrative API calls. Organizations without a security information and event management (SIEM) system should implement immediate alerting for critical authentication events.


Incident Response Readiness:

Prepare incident response procedures for potential compromise of affected systems. If any of these vulnerabilities may have been exploited during the window before patching, conduct forensic investigation of audit logs and access records.


## References


  • [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities)
  • [Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](https://www.cisa.gov/binding-operational-directive-22-01)
  • PaperCut Security Advisory for CVE-2023-27351
  • JetBrains TeamCity Security Page for CVE-2024-27199
  • Kentico Security Advisory for CVE-2025-2749
  • Quest KACE Security Documentation for CVE-2025-32975
  • Synacor Zimbra Security Advisories for CVE-2025-48700
  • Cisco Security Advisory for Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133)

---


Key Takeaway: Federal agencies must remediate these vulnerabilities by CISA deadlines per BOD 22-01. However, all organizations should prioritize patching immediately—evidence of active exploitation means these are not theoretical risks. The diversity of affected products (printing, CI/CD, content management, email, networks) means most enterprises likely have at least one vulnerable system in their environment.