The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog with eight newly confirmed, actively exploited vulnerabilities, spanning print management software, CI/CD pipelines, CMS platforms, endpoint management appliances, enterprise email platforms, and core networking infrastructure.
The additions underscore the growing urgency for both federal agencies and private organizations to accelerate their vulnerability remediation cycles.
The KEV Catalog, established under Binding Operational Directive (BOD) 22-01, serves as a curated, living list of CVEs confirmed to be actively exploited in the wild.
Under BOD 22-01, all Federal Civilian Executive Branch (FCEB) agencies are legally mandated to remediate catalog entries by specified due dates to protect federal networks against active threat actors.
While the directive technically applies only to FCEB agencies, CISA strongly urges all private-sector and critical infrastructure organizations to treat KEV entries as high-priority remediation targets within their vulnerability management programs.
Each of the eight newly added vulnerabilities represents a distinct attack surface across widely deployed enterprise software.
CVE-2023-27351: PaperCut NG/MF Improper Authentication
This authentication bypass in PaperCut NG and MF (version 15.0 and later) resides in the SecurityRequestFilter class, where a flawed implementation of the authentication check lets remote, unauthenticated attackers reach functionality that should require credentials.
Successful exploitation enables access to sensitive data, including user names, email addresses, department records, access card numbers, and hashed passwords of locally created accounts. No user interaction is required, making this particularly dangerous on internet-facing print servers.
CVE-2024-27199: JetBrains TeamCity Relative Path Traversal
Affecting JetBrains TeamCity versions before 2023.11.4, this path traversal vulnerability (CWE-22) carries a CVSS score of 7.3 (High). An attacker inserts double-dot path segments into a request under an unauthenticated path (e.g., /res/../admin/diagnostic.jsp) so that the authentication filter sees a permitted prefix while the server resolves the request to a protected endpoint.
This grants unauthenticated access to diagnostic data and to endpoints that upload HTTPS certificates and change the server's port configuration. Rapid7 researchers identified the flaw in February 2024, and post-exploitation chains have been observed delivering Jasmin ransomware payloads.
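The bypass works because an allow-list filter inspects the raw request path while the servlet container serves the normalized one. The following detector, added here as an example and not code from the article or from JetBrains, replays that mismatch over web server access logs: it flags any request whose raw path begins with an unauthenticated prefix but normalizes to a protected one. Only /res/ and /admin/diagnostic.jsp are named in the article; the other prefixes, the log format and the sample log lines are constructed assumptions.

```python
"""Detect relative-path-traversal authentication bypass attempts in access
logs, modelled on CVE-2024-27199 in JetBrains TeamCity.

Added example (not from the article or JetBrains). Prefix lists other than
/res/ and /admin/, the log format and the sample lines are assumptions.
"""
import posixpath
import re
from urllib.parse import unquote

# Paths a naive filter lets through without authentication.
# Assumption: only /res/ is named in the article; the rest are illustrative.
UNAUTH_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")
# Paths that must require authentication (assumption based on the article's
# /admin/diagnostic.jsp example and its mention of certificate/port endpoints).
PROTECTED_PREFIXES = ("/admin/", "/app/")

# Common Log Format: client - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_path(raw_path: str) -> str:
    """Resolve the path the container actually serves: drop the query string,
    percent-decode twice (catches double encoding) and collapse '.'/'..'.
    posixpath.normpath clamps '..' at the root for absolute paths."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def is_bypass_attempt(raw_path: str) -> bool:
    """True when the unnormalized path would pass a prefix allow-list
    but resolves to a protected resource."""
    raw = raw_path.split("?", 1)[0]
    resolved = normalize_path(raw_path)
    return raw.startswith(UNAUTH_PREFIXES) and resolved.startswith(PROTECTED_PREFIXES)


def scan_log(lines):
    """Return (client, raw_path, resolved_path, status) per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, status = m.groups()
        if is_bypass_attempt(path):
            hits.append((client, path, normalize_path(path), int(status)))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2024:10:01:12 +0000] "GET /res/../admin/diagnostic.jsp?tab=serverInfo HTTP/1.1" 200 5120',
    '203.0.113.7 - - [05/Mar/2024:10:01:13 +0000] "GET /.well-known/acme-challenge/%2e%2e/%2e%2e/admin/dataDir.html HTTP/1.1" 200 3310',
    '198.51.100.4 - - [05/Mar/2024:10:02:00 +0000] "GET /res/img/logo.png HTTP/1.1" 200 812',
    '198.51.100.4 - - [05/Mar/2024:10:02:05 +0000] "GET /admin/diagnostic.jsp HTTP/1.1" 302 0',
    '203.0.113.7 - - [05/Mar/2024:10:03:44 +0000] "POST /res/../app/https/settings/uploadCertificate HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for client, raw, resolved, status in scan_log(SAMPLE_LOG):
        print(f"{client} requested {raw!r} -> served {resolved!r} (HTTP {status})")
```

A direct, unauthenticated request to /admin/diagnostic.jsp that gets a 302 to the login page is not flagged; the signal is the combination of an allowed raw prefix and a protected resolved path. In a real deployment the HTTP 200 on the flagged lines is what distinguishes a successful bypass from a probe against a patched server.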
CVE-2025-2749: Kentico Xperience Path Traversal
This path traversal vulnerability in Kentico Xperience CMS enables attackers to navigate outside the web root and access or modify restricted server files.
Combined with related Kentico authentication bypass CVEs (CVE-2025-2746, CVE-2025-2747), exploitation can fully compromise CMS-driven web infrastructure.
CVE-2025-32975: Quest KACE SMA Improper Authentication (CVSS 10.0)
Rated a perfect CVSS score of 10.0, this critical authentication bypass in Quest KACE Systems Management Appliance (SMA) versions 13.0.x through 14.1.x stems from a flaw in the SSO authentication handling mechanism.
Attackers can impersonate any legitimate user without valid credentials, enabling them to take complete administrative control of the endpoint management appliance.
Active exploitation was first detected the week of March 9, 2026, targeting unpatched SMA systems exposed to the internet, though the ultimate goals of these attacks remain under investigation.
CVE-2025-48700: Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting
This stored or reflected XSS vulnerability in Zimbra Collaboration Suite allows threat actors to inject and execute malicious scripts within the context of authenticated user sessions.
ZCS is widely deployed across government and enterprise email environments, making XSS flaws high-value attack vectors for session hijacking, credential theft, and phishing pivots.
CVE-2026-20122, CVE-2026-20128, CVE-2026-20133: Cisco Catalyst SD-WAN Manager Triple Threat
Three concurrent vulnerabilities in Cisco Catalyst SD-WAN Manager (formerly vManage) are now confirmed to have been exploited in the wild:
- CVE-2026-20122 — An incorrect use of privileged APIs allows authenticated attackers to overwrite files on affected systems; researchers have demonstrated weaponizing it to upload a webshell
- CVE-2026-20128 — A flaw in the Data Collection Agent (DCA) feature enables authenticated, local attackers to escalate privileges to the DCA user level
- CVE-2026-20133 — Exposure of sensitive information to unauthorized actors, enabling credential harvesting and lateral movement
Cisco confirmed active exploitation of CVE-2026-20122 and CVE-2026-20128 in late February 2026, urging customers to apply the latest security updates immediately.
KEV Update
The breadth of this eight-CVE batch, which spans disclosure dates from 2023 to 2026 and vendors as different as PaperCut and Cisco, shows threat actors targeting print infrastructure, CI/CD pipelines, CMS platforms, endpoint management, email collaboration, and enterprise WAN management in parallel.
The window between vulnerability disclosure and active exploitation has effectively collapsed in some cases, with weaponized exploits appearing within days of public disclosure, while the PaperCut entry shows that years-old flaws keep being exploited wherever unpatched instances remain. Standard monthly patching cycles are no longer sufficient for internet-exposed management consoles and enterprise software.
Recommended Remediation
Security teams should act immediately with these prioritized steps:
- Patch PaperCut NG/MF to 20.1.7, 21.2.11, 22.0.9 or later (the vendor-fixed releases), and audit user account access logs for unauthorized access
- Upgrade JetBrains TeamCity to version 2023.11.4 or later and review server certificates for unauthorized changes
- Apply Quest KACE SMA patches (13.0.385+, 13.1.81+, 13.2.183+, 14.0.341+, or 14.1.101+) to close the CVSS 10.0 SSO bypass
- Update Cisco Catalyst SD-WAN Manager to the latest patched release and audit privileged API access logs for anomalies
- Apply the Zimbra ZCS fix for CVE-2025-48700, then audit configurations for stored XSS injection points and implement Content Security Policy (CSP) headers as defence in depth
- Automate KEV feed ingestion via API into your SIEM or vulnerability management platform for real-time alerting
- Prioritize internet-exposed assets and conduct post-patch validation to confirm full remediation
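Ingesting the KEV feed and prioritizing internet-exposed assets, as the two steps above describe, is a join between the catalog JSON and your own findings. The script below is an added example, not code from the article or from CISA: it indexes the catalog by CVE, matches scanner findings against it, computes days until each KEV due date, and buckets results by exposure, ransomware use and deadline. The feed URL is CISA's published JSON endpoint; the field names follow the feed's schema; the asset inventory format and the embedded catalog excerpt (including its due dates) are constructed for offline use and are not CISA's actual entries.

```python
"""Match an asset inventory against the CISA KEV catalog and rank by urgency.

Added example (not from the article or CISA). The catalog excerpt, its dates
and the inventory records are constructed; only the CVE IDs come from the
article. The live feed can be pulled with fetch_kev() when network is allowed.
"""
import json
from datetime import date, datetime
from urllib.request import urlopen

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
DEMO_TODAY = date(2026, 3, 20)  # fixed "today" so the offline demo is reproducible


def fetch_kev():
    """Download the live catalog (network required; not used by the demo)."""
    with urlopen(KEV_URL, timeout=30) as resp:
        return json.load(resp)


def index_kev(catalog):
    """Map cveID -> KEV entry for O(1) lookup during the join."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def match_inventory(catalog, inventory, today):
    """Join findings (asset, cve, internet_exposed) to KEV entries.

    Findings not in KEV are dropped: the point is to surface known-exploited
    flaws first. P1 = internet-exposed, ransomware-linked or already overdue;
    P2 = due within 7 days; P3 = everything else in KEV."""
    kev = index_kev(catalog)
    results = []
    for finding in inventory:
        entry = kev.get(finding["cve"])
        if entry is None:
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        days_left = (due - today).days
        if finding.get("internet_exposed") or days_left < 0 \
                or entry.get("knownRansomwareCampaignUse") == "Known":
            priority = "P1"
        elif days_left <= 7:
            priority = "P2"
        else:
            priority = "P3"
        results.append({
            "asset": finding["asset"],
            "cve": finding["cve"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "priority": priority,
        })
    results.sort(key=lambda r: (r["days_left"], r["asset"]))  # most urgent first
    return results


# Constructed catalog excerpt in the KEV JSON schema. Dates are illustrative.
SAMPLE_KEV = {
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example", "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "MF/NG",
         "vulnerabilityName": "PaperCut MF/NG Improper Authentication",
         "dateAdded": "2026-03-11", "shortDescription": "", "requiredAction": "Apply updates.",
         "dueDate": "2026-03-18", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-287"]},
        {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
         "vulnerabilityName": "JetBrains TeamCity Path Traversal",
         "dateAdded": "2026-03-11", "shortDescription": "", "requiredAction": "Apply updates.",
         "dueDate": "2026-03-25", "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-22"]},
        {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE SMA",
         "vulnerabilityName": "Quest KACE SMA Improper Authentication",
         "dateAdded": "2026-03-16", "shortDescription": "", "requiredAction": "Apply updates.",
         "dueDate": "2026-04-06", "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-287"]},
    ],
}

# Constructed scanner findings; the last CVE is a placeholder absent from KEV.
SAMPLE_INVENTORY = [
    {"asset": "print-01.corp.example", "cve": "CVE-2023-27351", "internet_exposed": False},
    {"asset": "ci.example.com", "cve": "CVE-2024-27199", "internet_exposed": True},
    {"asset": "kace-sma.corp.example", "cve": "CVE-2025-32975", "internet_exposed": False},
    {"asset": "kace-sma.corp.example", "cve": "CVE-2024-00000", "internet_exposed": False},
]

if __name__ == "__main__":
    for r in match_inventory(SAMPLE_KEV, SAMPLE_INVENTORY, DEMO_TODAY):
        print(f'{r["priority"]} {r["asset"]:24} {r["cve"]:15} due {r["due"]} ({r["days_left"]:+d} d)')
```

Swap SAMPLE_KEV for fetch_kev() and the inventory for your scanner export, and schedule the script daily: the feed changes without notice, and a finding that was P3 yesterday becomes P1 the day its due date passes.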
FAQ
Q1: Who must comply with CISA’s KEV remediation deadlines?
Only Federal Civilian Executive Branch (FCEB) agencies are legally required under BOD 22-01, but CISA strongly urges all organizations to follow the same timelines.
Q2: What is the most critical vulnerability in this batch?
CVE-2025-32975 in Quest KACE SMA has a CVSS score of 10.0 and allows a complete administrative takeover without credentials.
Q3: Are Cisco SD-WAN vulnerabilities exploitable without authentication?
CVE-2026-20122 and CVE-2026-20128 require valid credentials, but successful exploitation enables privilege escalation and file overwrite, leading to deeper system compromise.
Q4: How quickly are KEV-listed vulnerabilities weaponized after disclosure?
Threat actors now weaponize exploits within days of public disclosure, rendering standard monthly patch cycles insufficient for high-risk assets.
Site: http://thecybrdef.com