CISA Adds 8 KEV Flaws
- CISA added eight actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog this week.
- The agency set federal patching deadlines of April 23 and May 4, 2026, for the affected products.
- The move underscores that exploit activity is fast-moving and that patch latency is an increasingly unacceptable operational risk.
A software flaw is a bug with a catalog number; a Known Exploited Vulnerability is a bug attackers are already using. On April 20, the Cybersecurity and Infrastructure Security Agency added eight more of those flaws to its KEV list. (cisa.gov) The new entries span PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite, and three Cisco Catalyst SD-WAN Manager flaws. Federal Civilian Executive Branch agencies must fix five of them by April 23, 2026, and the three Cisco bugs by May 4, 2026, under Binding Operational Directive 22-01. (cisa.gov; thehackernews.com)

The eight CVEs are CVE-2023-27351 in PaperCut; CVE-2024-27199 in TeamCity; CVE-2025-2749 in Kentico; CVE-2025-32975 in Quest KACE SMA; CVE-2025-48700 in Zimbra; and CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager. The reported impacts range from authentication bypass and path traversal to file overwrite, password exposure, and sensitive-information disclosure. (cisa.gov; thehackernews.com)

CISA's KEV catalog is not a list of every severe bug; it is a shortlist of vulnerabilities that have a CVE number, evidence of active exploitation, and a clear remediation action, typically a vendor patch. CISA says organizations should use the catalog to prioritize remediation because it tracks the subset of flaws "causing immediate harm" based on adversary activity. (cisa.gov; cisa.gov) That distinction drives the federal deadlines. CISA says all federal civilian agencies are required to remediate KEV-listed vulnerabilities within prescribed timeframes, while state, local, tribal, territorial, and private-sector organizations are not bound by the directive but are urged to treat KEV entries as priority fixes. (cisa.gov; cisa.gov)

Some of the newly listed bugs were already tied to public attack activity before this week's KEV update. Microsoft said in March 2024 that attackers were exploiting TeamCity authentication-bypass and path-traversal flaws, and Arctic Wolf said in March 2026 that it had observed threat actors exploiting the Quest KACE SMA bug against unpatched systems. (thehackernews.com; arcticwolf.com)

The Cisco entries land against a separate federal warning from February. CISA issued an emergency directive on February 25, 2026, ordering agencies to secure Cisco SD-WAN devices after identifying a campaign that targeted end-of-life routers with a default credential and exposed management services. (cisa.gov; cisa.gov)

The catalog itself has grown into a large operational watchlist. CISA's public KEV page showed 1,569 entries on April 21, 2026, and the agency has posted multiple KEV additions this month, including seven flaws on April 13 and two more on April 14. (cisa.gov; cisa.gov; cisa.gov)

The thread running through this week's update is simple: once CISA moves a bug into KEV, it is no longer a theoretical weakness on a scanner report. It is a live intrusion path with a date on the calendar. (cisa.gov; cisa.gov)
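The prioritization CISA describes is, in practice, a join: take the CVE findings a scanner already produces, match them against the KEV feed, and sort by the federal due date so that anything overdue or days from overdue surfaces first. The script below is an added example written for this article, not CISA's tooling. The feed URL and the JSON field names (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are those of CISA's public KEV JSON feed; the sample feed content is constructed from the eight CVEs and the two due dates this article reports, the hostnames are constructed, and `CVE-0000-00000` is a placeholder standing in for a scanner finding that is not in KEV.

```python
"""Rank scanner findings by KEV due date (added example, not CISA's code)."""
import json
import urllib.request
from datetime import date

# Public CISA KEV JSON feed; only used by fetch_kev(), which the offline demo never calls.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")


def _entry(cve, vendor, product, due):
    """Build one KEV-shaped entry (field names follow the public feed)."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": "2026-04-20", "dueDate": due,
            "knownRansomwareCampaignUse": "Unknown"}


# Constructed sample feed: the eight CVEs and due dates reported in the article,
# in the feed's shape. The real feed has ~1,500 entries and more fields per entry.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 8,
    "vulnerabilities": [
        _entry("CVE-2023-27351", "PaperCut", "NG/MF", "2026-04-23"),
        _entry("CVE-2024-27199", "JetBrains", "TeamCity", "2026-04-23"),
        _entry("CVE-2025-2749", "Kentico", "Xperience", "2026-04-23"),
        _entry("CVE-2025-32975", "Quest", "KACE SMA", "2026-04-23"),
        _entry("CVE-2025-48700", "Synacor", "Zimbra Collaboration Suite", "2026-04-23"),
        _entry("CVE-2026-20122", "Cisco", "Catalyst SD-WAN Manager", "2026-05-04"),
        _entry("CVE-2026-20128", "Cisco", "Catalyst SD-WAN Manager", "2026-05-04"),
        _entry("CVE-2026-20133", "Cisco", "Catalyst SD-WAN Manager", "2026-05-04"),
    ],
})

# Constructed scanner output: (host, CVE). The last CVE is a placeholder ID
# for a finding that is not in KEV and so drops out of the priority list.
SAMPLE_FINDINGS = [
    ("sdwan-mgr.corp.example", "CVE-2026-20122"),
    ("print-01.corp.example", "CVE-2023-27351"),
    ("ci-01.corp.example", "CVE-2024-27199"),
    ("web-03.corp.example", "CVE-0000-00000"),
]


def load_kev(feed_json):
    """Index a KEV feed document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def fetch_kev(url=KEV_FEED_URL):
    """Download and index the live feed (network access; not used below)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return load_kev(resp.read().decode("utf-8"))


def prioritize(findings, kev, today):
    """Join findings against KEV and sort most urgent first.

    days_left < 0 means the federal due date has already passed. Ties on due
    date rank known-ransomware CVEs first, then sort by host for stable output.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for host, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue  # not known-exploited; handled by normal risk scoring
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": host,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (r["days_left"], not r["ransomware"], r["host"]))
    return rows


def not_in_kev(findings, kev):
    """CVEs the scanner reported that KEV does not list (sorted, de-duplicated)."""
    return sorted({cve for _, cve in findings if cve not in kev})


def main():
    kev = load_kev(SAMPLE_KEV_JSON)
    today = "2026-04-25"  # two days past the first deadline, to show an overdue row
    for r in prioritize(SAMPLE_FINDINGS, kev, today):
        flag = "OVERDUE" if r["days_left"] < 0 else f'{r["days_left"]}d left'
        print(f'{flag:>9}  due {r["due"]}  {r["cve"]:<16} {r["host"]:<24} {r["product"]}')
    print("not in KEV:", ", ".join(not_in_kev(SAMPLE_FINDINGS, kev)))


if __name__ == "__main__":
    main()
```

Swap `load_kev(SAMPLE_KEV_JSON)` for `fetch_kev()` and feed in real scanner output to run this against the live catalog. The non-KEV findings are not discarded in a real program; they simply fall back to whatever severity-based scoring the organization already uses, which is the distinction CISA draws between "every severe bug" and the ones it has evidence are being exploited.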