CISA Adds Eight Exploited Vulnerabilities to KEV Catalog Including Three Cisco SD-WAN Manager Flaws and Quest KACE CVSS 10.0
CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities catalog on Monday, setting aggressive federal patching deadlines after confirming active exploitation across a range of enterprise products. Three of the flaws target Cisco Catalyst SD-WAN Manager, while the remaining five affect Quest KACE, PaperCut, JetBrains TeamCity, Kentico Xperience, and Zimbra Collaboration Suite.
The most critical addition is CVE-2025-32975, a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance that allows attackers to impersonate legitimate users without valid credentials. Arctic Wolf reported observing unknown threat actors exploiting the flaw against unpatched SMA systems as recently as last month, though the end goals of those campaigns remain unclear. ZDW previously covered this vulnerability when it was first disclosed in March.
The three Cisco Catalyst SD-WAN Manager flaws represent a cluster of related weaknesses in the same product. CVE-2026-20122 allows authenticated attackers to upload and overwrite arbitrary files to gain vmanage user privileges through improper use of privileged APIs. CVE-2026-20128 exposes stored credentials in a recoverable format, enabling local attackers to escalate to DCA user privileges. CVE-2026-20133 leaks sensitive information to remote unauthenticated attackers. Cisco confirmed it became aware of exploitation of the first two flaws in March 2026 but has not yet updated its advisory to reflect in-the-wild abuse of CVE-2026-20133.
The remaining additions include CVE-2023-27351, a PaperCut NG/MF authentication bypass previously linked to Lace Tempest in campaigns delivering Cl0p and LockBit ransomware in 2023. CVE-2024-27199 is a path traversal flaw in JetBrains TeamCity — notably, CISA added a related TeamCity vulnerability (CVE-2024-27198) to the KEV catalog back in March 2024, raising questions about whether both are being chained by the same threat actor. CVE-2025-2749 targets Kentico Xperience with a path traversal that enables arbitrary file uploads via the Staging Sync Server. CVE-2025-48700 is a cross-site scripting flaw in Zimbra Collaboration Suite that enables session-based JavaScript execution.
Federal agencies face a split deadline: the three Cisco SD-WAN Manager vulnerabilities must be remediated by April 23, while the remaining five carry a May 4 deadline.
Mitigation:
The April 23 deadline for the Cisco SD-WAN Manager flaws is effectively immediate: organizations running Catalyst SD-WAN Manager should prioritize these patches above all else this week. Quest KACE SMA operators who have not yet patched CVE-2025-32975 since its March disclosure are now confirmed targets of active exploitation and should treat remediation as an emergency priority. Review PaperCut and TeamCity deployments for signs of prior compromise, given the historical ransomware associations with these vulnerabilities. Apply Kentico and Zimbra updates per vendor guidance before the May 4 deadline.