Cisco, Zimbra, Kentico exploited
- Security advisories report critical vulnerabilities in Cisco, Zimbra and Kentico that are currently being exploited in the wild.
- Organisations running those products were warned of increased breach risk and urged to apply patches.
- Active exploitation across enterprise software highlights the persistent patch lag and asset-exposure problems security teams face. (cybertechnologyinsights.com)
Cisco, Zimbra and Kentico customers are being told to patch now after vendors disclosed critical flaws that attackers are already using. (cisco.com) (wiki.zimbra.com) (devnet.kentico.com)

At Cisco, the latest alert covers Identity Services Engine, the product many companies use to decide which devices can join a corporate network. Cisco said on April 15, 2026 that CVE-2026-20147 and CVE-2026-20148 carry a CVSS score of 9.9 and can let an authenticated attacker run code or traverse files on ISE and ISE-PIC systems. (cisco.com)

Cisco said those April 2026 bugs require valid administrative credentials, but a successful attack can still end with root-level access and, in single-node deployments, knock the ISE node offline. Cisco also said there are no workarounds, only fixed software releases. (cisco.com)

That warning lands after Cisco spent much of 2025 and 2026 issuing ISE fixes, including a June 25, 2025 advisory for unauthenticated remote-code-execution bugs with a CVSS score of 10.0. In that case, Cisco said releases 3.3 and 3.4 were affected and urged customers to move to newer patched builds, including 3.3 Patch 7 and 3.4 Patch 2. (cisco.com)

Zimbra’s case is different because the company’s advisory page rolls many fixes into release notes instead of a single “actively exploited” bulletin. Its current guidance tells administrators to update supported versions immediately and warns that older unsupported versions often share the same flaws. (wiki.zimbra.com)

The newest Zimbra fixes, shipped in version 10.1.16, include CVE-2026-33368, CVE-2026-33369, CVE-2026-33370, CVE-2026-33371 and CVE-2026-33372, covering cross-site scripting, LDAP injection, XML external entity processing and cross-site request forgery. The same advisory list also shows earlier fixes for CVE-2025-66376, CVE-2025-67809 and CVE-2025-68645 in 10.1.13 and 10.0.18. (wiki.zimbra.com)

Kentico’s warning centers on Xperience 13, a content-management and digital-experience platform used to run websites and customer portals. Its security patch feed says a 2025 hotfix addressed a staging authentication bypass tied to a third-party library and noted that the flaw had been exploited through a different attack path than the one fixed in hotfix 13.0.173. (devnet.kentico.com)

Kentico said only instances with staging enabled were affected, and it published a temporary mitigation: block access to the staging endpoint at `/CMSPages/Staging/SyncServer.asmx` if the feature is not in use. The company’s documentation also says security fixes are incorporated into the latest release and recommends regular hotfixing. (devnet.kentico.com) (docs.kentico.com)

The common thread is exposure in software that sits deep inside business operations: network access control at Cisco, email and collaboration at Zimbra, and public-facing web systems at Kentico. When those products lag on updates, attackers do not need to breach a laptop first; they can go straight at the management layer. (cisco.com) (wiki.zimbra.com) (docs.kentico.com)

For defenders, the immediate work is basic and time-consuming: find every exposed instance, confirm the exact version, apply the vendor’s fixed build, and disable features that are not needed. The vendors’ own advisories leave little room for delay. (cisco.com) (wiki.zimbra.com) (docs.kentico.com)
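One way to apply the Kentico interim mitigation described above on an IIS-hosted Xperience 13 site, as an added example that is not taken from Kentico’s advisory or documentation: a `web.config` fragment that denies all requests to the staging endpoint path, so the feature is unreachable until staging is needed again or the hotfix is applied. It assumes the site runs under IIS with ASP.NET URL authorization active (the standard hosting model for Xperience 13) and that the endpoint path is exactly the one named in the advisory; the path and the deny rule are the only values it relies on.

```xml
<!-- Added example: block the Kentico staging endpoint at the web-server layer.
     Place inside <configuration> of the site's web.config. Assumes IIS + ASP.NET
     URL authorization; the path comes from the Kentico advisory quoted above. -->
<location path="CMSPages/Staging/SyncServer.asmx">
  <system.web>
    <authorization>
      <!-- Deny every user (anonymous and authenticated) for this path only.
           Requests receive an HTTP 401/403 instead of reaching the staging handler. -->
      <deny users="*" />
    </authorization>
  </system.web>
</location>
```

After deploying the change, confirm from outside the host that a request to `/CMSPages/Staging/SyncServer.asmx` is refused while the rest of the site still serves, and remove the block only once staging is genuinely required and the vendor hotfix is in place. This is a stop-gap for a single path; it does not replace applying the fixed build.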