CISA Mandates Action on Eight Exploited Vulnerabilities

Federal agencies face strict deadlines to patch critical security flaws actively exploited by threat actors, as CISA adds new vulnerabilities to its Known Exploited Vulnerabilities catalog.
Published: 2026-04-21 | Author: Patrick Mattos
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog, a crucial resource for identifying and prioritizing cybersecurity risks. This latest update includes eight distinct vulnerabilities, with a particular focus on three affecting Cisco Catalyst SD-WAN Manager. The inclusion signifies that these flaws have been observed in active exploitation campaigns, posing an immediate threat to organizations.
Federal Civilian Executive Branch (FCEB) agencies are now under directive to remediate these vulnerabilities. The deadlines are stringent: April 23, 2026, for the Cisco-related flaws, and May 4, 2026, for the remaining seven. This proactive measure by CISA aims to bolster national cybersecurity defenses against ongoing and emerging threats.
The KEV catalog serves as a critical tool for security teams, providing actionable intelligence on vulnerabilities that are not just theoretical but are actively being leveraged by malicious actors. Understanding the context of these exploits, including associated threat actors and observed attack chains, is vital for effective incident response and threat hunting.
Technical Context
The newly added vulnerabilities represent a range of security weaknesses across different software and hardware. Among the critical additions are three flaws impacting Cisco Catalyst SD-WAN Manager, with specific CVE identifiers not detailed in the source but noted as requiring attention by April 23, 2026.
Beyond the Cisco products, other notable additions include:
- CVE-2023-27351: This improper authentication vulnerability in PaperCut software has been linked to ransomware attacks, specifically involving the Cl0p and LockBit families. Its exploitation was attributed to the Lace Tempest threat group in April 2023.
- CVE-2024-27198: Affecting on-premise versions of JetBrains TeamCity, this vulnerability was added to the KEV catalog in March 2024. It is unclear whether this flaw is being exploited in conjunction with other vulnerabilities or by the same actors.
- CVE-2025-32975: Threat actors have been observed weaponizing this vulnerability to target unpatched SMA systems, as reported by Arctic Wolf. The exact objectives of these campaigns remain under investigation.
- CVE-2025-48700 and CVE-2025-66376: These two vulnerabilities in ZCS (Zimbra Collaboration Suite) have been exploited by a threat actor identified as UAC-0233 since September 2025. Exploitation allows for arbitrary code execution without user interaction, enabling attackers to access sensitive mailbox contents, including correspondence, multi-factor authentication backup codes, and application passwords. CERT-UA tracks this activity under identifier UAC-0250.
- CVE-2026-20122 and CVE-2026-20128: Cisco reported awareness of the exploitation of these vulnerabilities in March 2026. An additional Cisco vulnerability, CVE-2026-20133, is also noted as being exploited in the wild, though Cisco's advisory has not yet been updated to reflect this.
The inclusion of these vulnerabilities in the KEV catalog indicates that proof-of-concept (PoC) exploits are likely available, making them prime targets for automated exploitation tools and opportunistic attackers.
Impact and Risk
The primary impact of these exploited vulnerabilities is the potential for unauthorized access, data breaches, and system compromise. For federal agencies, failure to patch by the mandated deadlines could lead to significant security incidents, potentially disrupting critical operations and exposing sensitive government data.
Organizations utilizing PaperCut, JetBrains TeamCity, SMA systems, and ZCS are at direct risk. The exploitation of ZCS vulnerabilities, for instance, has led to the exfiltration of sensitive mailbox contents, including multi-factor authentication backup codes and application passwords, which can facilitate further lateral movement and credential theft. The active exploitation of these flaws means that unpatched systems are vulnerable to immediate attack.
The severity of these vulnerabilities varies, with some allowing for arbitrary code execution, a critical risk that grants attackers significant control over compromised systems. The inclusion of these flaws in the KEV catalog elevates their priority for remediation efforts across all sectors, not just federal agencies.
Defensive Takeaways
Security teams should prioritize patching the vulnerabilities listed in CISA's KEV catalog, adhering to the provided deadlines. A robust vulnerability management program that includes timely patching and continuous monitoring for exploitation is essential.
For organizations using the affected software:
- Cisco Catalyst SD-WAN Manager: Apply vendor-issued patches immediately, and no later than the April 23, 2026 deadline.
- PaperCut: Implement patches for CVE-2023-27351 to prevent unauthorized authentication and potential ransomware deployment.
- JetBrains TeamCity: Review security configurations and apply any available patches for CVE-2024-27198.
- SMA Systems: Ensure systems are patched against CVE-2025-32975 to prevent exploitation.
- Zimbra Collaboration Suite (ZCS): Prioritize patching for CVE-2025-48700 and CVE-2025-66376 to prevent arbitrary code execution and data exfiltration. Monitor for suspicious activity related to mailbox access and credential compromise.
Beyond patching, implementing network segmentation, strong access controls, and regular security audits can help mitigate the impact of successful exploits. Threat intelligence feeds that track newly disclosed vulnerabilities and active exploitation campaigns are also invaluable for proactive defense.
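Operationalising the KEV deadlines described above, as an added example that is not from the article or from CISA: a small Python script that matches an asset inventory against KEV feed entries and orders findings by remediation deadline. The field names follow CISA's published KEV JSON schema; the entries, the inventory and the reference date are constructed from this article's CVEs and due dates.

```python
# Added example (not from the article or CISA): rank an asset inventory against
# CISA KEV entries by remediation deadline. Field names follow CISA's published
# KEV JSON schema; the entries, inventory and reference date are constructed.
import json
from datetime import date

KEV_JSON = json.dumps({"vulnerabilities": [  # constructed from this article's CVEs and due dates
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "MF/NG",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-27198", "vendorProject": "JetBrains", "product": "TeamCity",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-48700", "vendorProject": "Zimbra", "product": "Collaboration Suite",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory rows: (hostname, vendor, product), as a CMDB export might provide.
INVENTORY = [
    ("mail-01", "Zimbra", "Collaboration Suite"),
    ("ci-01", "JetBrains", "TeamCity"),
    ("print-01", "PaperCut", "MF/NG"),
    ("db-01", "PostgreSQL", "PostgreSQL"),  # no KEV match, should not appear
]

def load_kev(raw):
    """Parse the KEV feed JSON into its list of vulnerability entries."""
    return json.loads(raw)["vulnerabilities"]

def prioritise(inventory, kev, today_iso):
    """Match inventory rows to KEV entries on vendor+product (case-insensitive).
    Returns findings ordered overdue first, then ransomware-linked, then soonest
    due date; days_left is negative once the CISA deadline has passed."""
    today = date.fromisoformat(today_iso)
    index = {}
    for e in kev:
        index.setdefault((e["vendorProject"].lower(), e["product"].lower()), []).append(e)
    findings = []
    for host, vendor, product in inventory:
        for e in index.get((vendor.lower(), product.lower()), []):
            days_left = (date.fromisoformat(e["dueDate"]) - today).days
            findings.append({"host": host, "cve": e["cveID"], "due": e["dueDate"],
                             "days_left": days_left,
                             "ransomware": e["knownRansomwareCampaignUse"] == "Known"})
    return sorted(findings, key=lambda f: (f["days_left"] >= 0, not f["ransomware"], f["days_left"]))

if __name__ == "__main__":
    for f in prioritise(INVENTORY, load_kev(KEV_JSON), "2026-04-25"):
        print(f"{f['host']:10} {f['cve']:16} due {f['due']} ({f['days_left']:+d} days)")
```

Pointing `KEV_JSON` at a real download of the CISA feed and `INVENTORY` at a CMDB export turns this into a daily report of which hosts are past or approaching a KEV deadline.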
