CISA Adds Eight KEVs

CISA on April 20 added eight more bugs to the federal government’s list of vulnerabilities that attackers are already exploiting. (cisa.gov) The new entries span PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Zimbra Collaboration Suite, and three flaws in Cisco Catalyst SD-WAN Manager. CISA listed them as CVE-2023-27351, CVE-2024-27199, CVE-2025-2749, CVE-2025-32975, CVE-2025-48700, CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. (cisa.gov) CISA’s Known Exploited Vulnerabilities catalog is the federal government’s running list of software flaws with reliable evidence of real-world abuse. Under Binding Operational Directive 22-01, federal civilian agencies have to fix listed flaws by CISA’s deadline. (cisa.gov) For this batch, CISA set May 4, 2026 due dates for the TeamCity and KACE entries, while the Cisco SD-WAN items were added with instructions to follow CISA’s separate emergency guidance for those devices. The catalog says organizations outside government should also use the list to prioritize patching because the vulnerabilities are already being used in attacks. (cisa.gov) A KEV entry is not a theoretical warning. CISA says it adds a vulnerability only when it has reliable evidence that threat actors are actively exploiting it against public or private organizations. (cisa.gov) Several of the products on this week’s list are core admin tools. TeamCity runs software build pipelines, KACE manages endpoints, Zimbra handles email and collaboration, and Cisco SD-WAN Manager controls wide-area network gear across branch offices and data centers. (jetbrains.com) (quest.com) (zimbra.com) (cisco.com) Two of the older bugs on the list show why CISA keeps revisiting past disclosures. JetBrains said CVE-2024-27199 could let an unauthenticated attacker bypass authentication and gain administrative control of an on-premises TeamCity server, and PaperCut said CVE-2023-27351 could let an unauthenticated attacker remotely pull user information from exposed servers. (jetbrains.com) (papercut.com) Cisco’s advisory for the SD-WAN group said the flaws could let an attacker access an affected system, raise privileges to root, view sensitive information, and overwrite arbitrary files. Cisco said software updates are available and that no workarounds address the vulnerabilities. (cisco.com) The KEV catalog contained 1,577 entries when CISA’s page was crawled today, which shows how often defenders are dealing with old bugs that stay useful to attackers long after disclosure. Monday’s update adds eight more deadlines to a list that agencies are expected to treat as immediate patch work, not backlog. (cisa.gov)