Vulnerabilities

CISA Adds Eight Flaws to KEV Catalog, Including Cisco SD-WAN, Kentico, and Zimbra Bugs

April 21, 2026 12:00 · 4 min read

CISA Expands KEV Catalog With Eight New Entries

The US Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog on Monday, adding eight newly confirmed flaws — three of which had not previously been identified as actively exploited. The additions span products from Cisco, Kentico, Zimbra, Quest, JetBrains, and PaperCut, and federal agencies have been given tight deadlines to remediate the most urgent issues.

Cisco Catalyst SD-WAN Manager Flaws Under Active Exploitation

Among the most notable additions is CVE-2026-20133, a high-severity information disclosure vulnerability in Cisco Catalyst SD-WAN Manager. The flaw was patched in February and stems from insufficient access restrictions on the file system. If exploited, an attacker could access the API of an affected system and read data from the underlying operating system.

CVE-2026-20133 was disclosed in February alongside two companion vulnerabilities — CVE-2026-20122 and CVE-2026-20128 — both of which are also SD-WAN flaws. Cisco itself flagged CVE-2026-20122 and CVE-2026-20128 as actively exploited back in March. CISA has now added all three to the KEV catalog simultaneously.

Kentico Xperience Path Traversal and RCE Bug

CISA also confirmed active exploitation of CVE-2025-2749, a vulnerability in Kentico Xperience that enables remote code execution (RCE) through a combination of path traversal and arbitrary file upload. The flaw exists because the Staging Sync Server in Kentico Xperience versions 13.0.178 and prior would upload arbitrary files to path-relative locations without adequate restrictions.

Exploitation of this vulnerability does require authentication, which raises the bar slightly for attackers. However, the risk remains significant given the RCE potential.
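The defect class described above, a server writing uploads to a path built from client-supplied, path-relative input, is easier to recognise with the weak and the hardened handler side by side. The following is an added example and is not Kentico code; the upload root and file names are constructed, and the containment check is the generic defence (canonicalise, then require the target to stay under the root) rather than Kentico's actual fix.

```python
"""Upload-path containment: the pattern behind path-traversal file writes.

Added example, not Kentico's code. `unsafe_target` shows the defect class
(client name joined verbatim, so ".." or an absolute path escapes the
upload directory); `safe_target` shows the containment check that should
gate every write. The upload root below is a constructed path and need
not exist on the machine running this.
"""
import os

UPLOAD_ROOT = "/srv/app/uploads"  # constructed example root


def unsafe_target(upload_root: str, client_name: str) -> str:
    # 'Before' pattern: os.path.join happily follows "../" segments, and an
    # absolute client_name discards upload_root entirely.
    return os.path.join(upload_root, client_name)


def safe_target(upload_root: str, client_name: str) -> str:
    # Hardened pattern: canonicalise both sides (collapses "..", and follows
    # any symlink that already exists inside the root), then insist that the
    # root is a strict prefix of the resolved target.
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, client_name))
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError(f"rejected upload name {client_name!r}: escapes {root}")
    return target


def escapes_root(upload_root: str, client_name: str) -> bool:
    """True when the hardened check would refuse this client-supplied name."""
    try:
        safe_target(upload_root, client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed names covering the normal case, nested directories,
    # relative traversal and an absolute path.
    for name in ("report.pdf", "2026/04/report.pdf", "../../etc/passwd", "/etc/passwd"):
        verdict = "REJECT" if escapes_root(UPLOAD_ROOT, name) else "allow "
        print(f"{verdict}  {name!r:24} -> unsafe join gives {unsafe_target(UPLOAD_ROOT, name)}")
```

The check compares canonical paths rather than scanning the string for `..`, so encodings, redundant separators and symlinks inside the root are all handled by the same rule: if the resolved target is not under the resolved root, the write is refused.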

Kentico's vulnerabilities were already on security researchers' radar. In March of last year, WatchTowr detailed how attackers could chain three separate Kentico flaws — including an authenticated RCE issue — to fully compromise deployments. Two of those earlier flaws, CVE-2025-2746 and CVE-2025-2747, were added to CISA's KEV catalog in October. With this week's addition of CVE-2025-2749, a third member of that chain has now been formally cataloged as exploited.

Zimbra Classic UI XSS Bug Enables JavaScript Execution

The Zimbra vulnerability added to KEV this week is CVE-2025-48700, a cross-site scripting (XSS) flaw residing in the Zimbra Collaboration Suite (ZCS) Classic UI. The vulnerability arises from insufficient sanitization of HTML content and can be triggered when a user opens a specially crafted message within the Classic UI interface.

Successful exploitation allows an attacker to execute arbitrary JavaScript code within the victim's active session — a capability that can be leveraged for session hijacking, credential theft, or further lateral movement within an organization's environment.

Three Additional Flaws Rounding Out the Eight

The remaining three vulnerabilities added to CISA's KEV catalog on Monday include:

These additions reinforce a recurring pattern in CISA's KEV updates: older, well-documented flaws continue to be exploited long after their initial disclosure, underscoring the importance of consistent patch management even for vulnerabilities that may no longer dominate headlines.

Remediation Deadlines for Federal Agencies

CISA has issued specific patching deadlines for federal agencies falling under the directive's scope. The Cisco and Zimbra vulnerabilities must be remediated by April 23, reflecting their higher urgency. The remaining four issues — including the Kentico, Quest KACE, JetBrains TeamCity, and PaperCut flaws — carry a deadline of May 4.

While the KEV deadlines are binding only for federal civilian executive branch agencies, CISA strongly encourages all organizations to treat the catalog as a prioritization guide for their own vulnerability management programs. Given that many of these flaws have been actively weaponized for months or even years, organizations running affected products should treat patching as an immediate priority regardless of regulatory obligation.

Broader Context: Persistent Exploitation of Known Vulnerabilities

The latest KEV additions highlight a persistent challenge for defenders: threat actors continue to exploit both newly disclosed flaws and older, long-patched vulnerabilities with equal effectiveness. The presence of CVE-2023-27351 — a PaperCut flaw dating back to 2023 — on a 2025 active exploitation list demonstrates that unpatched legacy systems remain a viable attack surface years after fixes become available.

Organizations are advised to audit their environments promptly, verify patch status for all eight newly listed CVEs, and ensure compensating controls are in place for any systems that cannot be immediately updated.
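Treating the catalog as a prioritisation guide and verifying patch status, as the two preceding sections recommend, is mechanical once the feed is matched against an asset inventory. The following is an added example, not CISA's or SecurityWeek's code. The real catalog is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; so that the example runs offline, it embeds a constructed excerpt built from the CVE IDs and deadlines named in this article, and the vendor/product strings and inventory hosts are assumptions rather than values copied from the live feed.

```python
"""Turn a KEV feed into a per-host patch worklist ordered by CISA due date.

Added example, not CISA's code. Field names used (cveID, vendorProject,
product, vulnerabilityName, dateAdded, dueDate) are those of the published
KEV JSON. KEV_SAMPLE is a CONSTRUCTED excerpt: CVE IDs and due dates follow
the article, everything else is an assumption for illustration.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "vulnerabilityName": "Information disclosure", "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "vulnerabilityName": "SD-WAN flaw", "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "vulnerabilityName": "SD-WAN flaw", "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2025-2749", "vendorProject": "Kentico", "product": "Xperience",
     "vulnerabilityName": "Path traversal / file upload RCE", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-48700", "vendorProject": "Zimbra", "product": "Collaboration Suite",
     "vulnerabilityName": "Classic UI XSS", "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "MF/NG",
     "vulnerabilityName": "PaperCut flaw", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
]})

# Constructed asset inventory: which KEV-listed products this org actually runs.
INVENTORY = [
    {"vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "host": "sdwan-mgr-01"},
    {"vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "host": "sdwan-mgr-02"},
    {"vendorProject": "Zimbra", "product": "Collaboration Suite", "host": "mail-01"},
    {"vendorProject": "PaperCut", "product": "MF/NG", "host": "print-01"},
]


def load_kev(raw_json: str) -> list:
    """Return the list of catalog entries from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def _key(rec: dict) -> tuple:
    # Match on normalised vendor + product; real inventories usually need a
    # mapping table here because naming differs between CMDB and catalog.
    return rec["vendorProject"].strip().lower(), rec["product"].strip().lower()


def prioritize(entries: list, inventory: list, today: date) -> list:
    """One work item per (CVE, host) for deployed products, earliest due date first."""
    hosts_by_product = {}
    for asset in inventory:
        hosts_by_product.setdefault(_key(asset), []).append(asset["host"])
    work = []
    for entry in entries:
        for host in hosts_by_product.get(_key(entry), []):
            due = date.fromisoformat(entry["dueDate"])
            work.append({
                "cveID": entry["cveID"], "host": host, "dueDate": entry["dueDate"],
                "days_left": (due - today).days, "overdue": due < today,
            })
    # Earliest federal deadline first; ties broken by CVE ID, then host, for stable output.
    work.sort(key=lambda w: (w["dueDate"], w["cveID"], w["host"]))
    return work


def overdue_count(work: list) -> int:
    return sum(1 for w in work if w["overdue"])


if __name__ == "__main__":
    for item in prioritize(load_kev(KEV_SAMPLE), INVENTORY, date(2026, 4, 21)):
        flag = "OVERDUE" if item["overdue"] else f"{item['days_left']:2d} days"
        print(f"{item['dueDate']}  {flag}  {item['cveID']:15} {item['host']}")
```

Products that are in the feed but not in the inventory (Kentico in this sample) produce no work items, which is the point: the catalog is large, and the useful output is the intersection with what is actually deployed, ordered by how soon CISA expects it fixed. Re-running the same function with a later `today` turns the remaining items into an overdue list for follow-up.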


Source: SecurityWeek
