Introduction to CISAs Expanded KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This decision underscores a direct acknowledgment of active exploitations and the urgent need for patching. Among these additions, three vulnerabilities in Cisco Catalyst SD-WAN Manager stand out due to their high-severity ratings and recent discovery. These flaws highlight how improper file system access restrictions could allow attackers to manipulate APIs and extract sensitive operating system details. The inclusion of these vulnerabilities reflects an evolving threat landscape that demands proactive security measures.
The catalog updates also emphasize vulnerabilities in Kentico Xperience, Zimbra Collaboration Suite, Quest KACE, JetBrains TeamCity, and PaperCut. Each entry represents a critical gap in system defenses that malicious actors have already exploited. CISAs mandate for federal agencies to patch these issues by specific deadlines further stresses their significance. Any delay leaves systems dangerously exposed to attacks.
Dissecting the Cisco Catalyst SD-WAN Vulnerabilities
Three vulnerabilities in Ciscos SD-WAN Manager-CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128-were patched earlier this year. However, their addition to the KEV catalog signals that these flaws have been actively targeted in real-world attacks. The most alarming of these, CVE-2026-20133, enables attackers to exploit weak file system access controls and read sensitive system-level data. This could pave the way for reconnaissance and further exploitation.
While authentication is required for exploitation, this prerequisite offers limited protection against skilled attackers. Techniques such as credential stuffing or phishing campaigns could bypass this layer of security. Federal agencies and enterprises using Cisco SD-WAN Manager should immediately verify patch deployment to prevent unauthorized access.
Kentico Xperience: Exploitable Path Traversal and File Upload Flaws
The Kentico Xperience vulnerability, CVE-2025-2749, is a glaring example of how path traversal and arbitrary file upload flaws can lead to server-side code execution. Exploitation requires authentication, but as demonstrated in previous attacks, chaining vulnerabilities can circumvent even authenticated access. This underscores the importance of layered security controls and rigorous vulnerability management.
WatchTowrs analysis last year revealed that attackers could chain multiple flaws to compromise Kentico deployments. Two related vulnerabilities, CVE-2025-2746 and CVE-2025-2747, were added to the KEV catalog months earlier. The delayed inclusion of CVE-2025-2749 raises questions about the timeliness of vulnerability prioritization. Organizations using Kentico must focus on comprehensive patching strategies to avoid becoming easy targets.
Exploiting Insufficient Sanitization in Zimbra Collaboration Suite
Insufficient input sanitization remains a recurring weakness in web applications, as demonstrated by CVE-2025-48700 in Zimbras Classic UI. This cross-site scripting (XSS) vulnerability allows attackers to execute JavaScript in a users session simply by sending a crafted email. The flaws simplicity is its greatest strength from an attackers perspective, as the exploitation vector is user interaction.
Organizations using Zimbra must implement stringent email filtering and user training programs to mitigate the risk of XSS attacks. The requirement to patch this vulnerability by April 23 further reflects its criticality. However, relying solely on patching without addressing broader sanitization issues leaves systems susceptible to future threats.
Quest KACE, JetBrains TeamCity, and PaperCut Vulnerabilities
CVE-2025-32975 in Quest KACE highlights the risks associated with insufficiently protected enterprise-level management systems. Such platforms often serve as high-value targets due to their privileged access to multiple endpoints. The flaws addition to the KEV catalog implies that attackers have already exploited it, potentially compromising a multitude of connected systems. Swift action to apply patches is non-negotiable for affected entities.
Similarly, CVE-2024-27199 and CVE-2023-27351 represent longstanding vulnerabilities in JetBrains TeamCity and PaperCut. The fact that these flaws have been exploited for extended periods-two years and several months, respectively-should alarm organizations relying on these tools. Their inclusion in the KEV catalog is a wake-up call to reassess existing security monitoring practices. Organizations must conduct immediate risk assessments to determine the extent of their exposure.
Concluding Thoughts on CISAs Patch Mandates
CISAs directive for federal agencies to patch the Cisco and Zimbra vulnerabilities by April 23, followed by the remaining issues by May 4, sets a clear timeline for mitigating these threats. Failure to comply not only risks compromise but also regulatory consequences. Private enterprises are equally vulnerable and must adhere to similar timelines.
The addition of these eight vulnerabilities to the KEV catalog reflects a reactive approach to cybersecurity. Organizations must transition towards predictive security models that emphasize early detection and patching. While CISAs efforts are commendable, they highlight the ongoing challenges in addressing vulnerabilities only after active exploitation. Comprehensive threat intelligence and proactive measures remain the cornerstone of effective cybersecurity practices.