CISA lists eight more exploited flaws

- The Cybersecurity and Infrastructure Security Agency on April 20 added eight actively exploited software flaws to its Known Exploited Vulnerabilities catalog, including bugs in PaperCut, JetBrains TeamCity, Kentico, Quest KACE, Zimbra, and Cisco SD-WAN Manager.
- The new batch included three Cisco Catalyst SD-WAN Manager issues (CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133) plus five older product flaws, widening the set of systems federal agencies must patch by CISA's deadline.
- The move followed a separate April 13 KEV update that added seven more flaws, extending CISA's rolling list of vulnerabilities under Binding Operational Directive 22-01. (cisa.gov)

The Cybersecurity and Infrastructure Security Agency added eight more actively exploited flaws to its Known Exploited Vulnerabilities catalog on April 20. (cisa.gov) The new entries were CVE-2023-27351 in PaperCut NG/MF, CVE-2024-27199 in JetBrains TeamCity, CVE-2025-2749 in Kentico Xperience, CVE-2025-32975 in Quest KACE Systems Management Appliance, and CVE-2025-48700 in Synacor Zimbra Collaboration Suite. (cisa.gov) CISA also added three Cisco Catalyst SD-WAN Manager flaws: CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. The agency said all eight were backed by evidence of active exploitation. (cisa.gov)

A software vulnerability is a bug that can let an attacker break in, steal data, or run code. The KEV catalog is CISA's running list of bugs that attackers are already using in the wild. (cisa.gov 1) (cisa.gov 2) That list matters because Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to fix KEV-listed flaws by CISA's deadline. CISA says the directive applies to software and hardware on federal systems, including systems hosted by third parties on an agency's behalf. (cisa.gov)

CISA says it adds a vulnerability to the catalog when it has reliable evidence that threat actors are actively using it against public or private organizations. The agency also says KEV should be used as a prioritization input by organizations beyond the federal government. (cisa.gov 1) (cisa.gov 2)

The April 20 update came one week after CISA added seven other exploited flaws on April 13, including bugs affecting Microsoft Exchange Server, Microsoft Windows, Adobe Acrobat, and Fortinet products. (cisa.gov) CISA's live catalog showed 1,583 entries when accessed on April 26, and several entries added on April 24 carried a May 8, 2026 due date for federal remediation. (cisa.gov)

The practical message from the April 20 alert was simple: if these products are in your environment, CISA now treats those bugs as active threats, not theoretical ones. (cisa.gov)
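One way to act on that message is to cross-check an asset inventory against the KEV feed and sort the hits by remediation deadline. The script below is an added example, not code from the article, Scout, or CISA. It reads records laid out like CISA's public KEV JSON feed (fields such as cveID, vendorProject, product, dateAdded, dueDate), but the embedded sample is constructed for this example: the CVE identifiers are the ones the article names, while the due dates and the inventory are placeholders, not values copied from the live catalog. The 7-day "due soon" window is likewise an assumption.

```python
"""Flag KEV entries that hit your inventory and rank them by due date.

Added example, not part of the original article. The field names follow
CISA's KEV JSON feed, but every record below is CONSTRUCTED: the CVE IDs
are those named in the article, the dates and products are placeholders.
"""
import json
from datetime import date

# Constructed KEV-style sample (dates are placeholders, not catalog values).
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV-style sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11"},
        {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11"},
        {"cveID": "CVE-2025-48700", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-24"},
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-27"},
    ],
})

# Constructed inventory: (vendor, product) pairs as KEV spells them.
INVENTORY = [
    ("Cisco", "Catalyst SD-WAN Manager"),
    ("Synacor", "Zimbra Collaboration Suite"),
    ("Atlassian", "Confluence"),  # no entry in the sample above
]


def load_kev(raw: str) -> list[dict]:
    """Parse a KEV feed document and return its vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(text.lower().split())


def match_inventory(entries: list[dict], inventory: list[tuple[str, str]]) -> list[dict]:
    """Keep only KEV records whose vendor/product pair appears in the inventory."""
    wanted = {(_norm(v), _norm(p)) for v, p in inventory}
    return [e for e in entries
            if (_norm(e["vendorProject"]), _norm(e["product"])) in wanted]


def triage(entries: list[dict], today: date, due_soon_days: int = 7) -> list[dict]:
    """Attach days-to-deadline and a status, earliest deadline first."""
    rows = []
    for e in entries:
        left = (date.fromisoformat(e["dueDate"]) - today).days
        if left < 0:
            status = "OVERDUE"
        elif left <= due_soon_days:
            status = "DUE_SOON"
        else:
            status = "SCHEDULED"
        rows.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "dueDate": e["dueDate"],
            "days_left": left,
            "status": status,
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


def report(raw: str, inventory: list[tuple[str, str]], today: date) -> list[dict]:
    """End-to-end: parse feed, intersect with inventory, rank by deadline."""
    return triage(match_inventory(load_kev(raw), inventory), today)


if __name__ == "__main__":
    for row in report(KEV_SAMPLE, INVENTORY, date(2026, 4, 26)):
        print(f'{row["status"]:<10} {row["days_left"]:>4}d  {row["cveID"]}  {row["product"]}')
```

To run this against the real catalog, replace KEV_SAMPLE with the body of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. Matching on vendor and product names only catches entries spelled exactly as KEV spells them, so in practice key on the CVE IDs your scanner reports as well; the BOD 22-01 due dates bind federal civilian agencies, and for everyone else they are the prioritization signal CISA describes.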


Shared from Scout - Be the smartest in the room.