The Cybersecurity and Infrastructure Security Agency has added eight actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog with sub-three-week federal remediation deadlines, per reporting from The Hacker News on April 21, 2026. Three of the eight are clustered in a single product, Cisco Catalyst SD-WAN Manager; the other five are older bugs that have re-entered active exploitation in the hands of newly named operator clusters.
The three Cisco bugs, due April 23
CISA’s tightest deadline applies to a trio of Cisco Catalyst SD-WAN Manager flaws: CVE-2026-20122 (CVSS 5.4), an arbitrary file-upload defect; CVE-2026-20128 (CVSS 7.5), a password-storage flaw; and CVE-2026-20133 (CVSS 6.5), an information-disclosure bug. Cisco confirmed in March 2026 that two of the three were already being exploited in the wild, and the federal remediation deadline is April 23, 2026, just two days after this report and almost no operational slack for agencies that have not already patched.
The CVSS scores understate the operational risk. Catalyst SD-WAN Manager is the policy plane for the WAN fabric in many federal civilian deployments; chained file-upload plus stored-credential access is a recipe for persistence on the device that controls site-to-site tunnels. Treat any unpatched controller as a single high-value asset rather than three medium-severity bugs.
Five legacy CVEs back in the operator playbook, due May 4
The other five are older flaws whose presence on KEV reflects that operators have re-tooled around them rather than that the bugs are new:
- CVE-2023-27351 (PaperCut NG/MF, CVSS 8.2) — an authentication-bypass flaw historically chained by Cl0p and LockBit affiliates, and recently reused by the Lace Tempest cluster.
- CVE-2024-27199 (JetBrains TeamCity, CVSS 7.3) — a path-traversal bug that lets an unauthenticated attacker reach a limited set of endpoints that should require a login, enough to alter build-server settings; relevant given the past year’s run of build-system supply-chain incidents.
- CVE-2025-2749 (Kentico Xperience, CVSS 7.2) — path traversal in a CMS still common in mid-market public-sector tenants.
- CVE-2025-32975 (Quest KACE SMA, CVSS 10.0) — authentication bypass observed by Arctic Wolf being weaponized against unpatched systems-management appliances.
- CVE-2025-48700 (Synacor Zimbra Collaboration Suite, CVSS 6.1) — a stored-XSS flaw that CERT-UA attributes to UAC-0233 in operations against Ukrainian entities since September 2025. Per CERT-UA’s H2 2025 report, “upon successful compromise, the attackers gained access to mailbox contents…multi-factor authentication backup codes, application passwords, and the global address book.”
All five carry a federal remediation deadline of May 4, 2026.
What this means
For federal civilian agencies, BOD 22-01 turns these eight CVEs into hard fix-or-mitigate orders inside the next two weeks. For the much larger universe of organizations that voluntarily track KEV as a prioritization signal, the message is more pointed: low-CVSS does not mean low-risk when an entry lands on KEV. CVE-2026-20122 is a 5.4, and CVE-2025-48700 is a 6.1 — both are being used right now in chained operations, which is exactly the gap that pure-CVSS triage misses.
Two practical moves: pull KEV diffs into the same daily exposure-management workflow that consumes Microsoft and Adobe advisories, and audit Cisco SD-WAN Manager, PaperCut, and Zimbra deployments specifically — those three products account for five of the eight entries in this batch and the bulk of the post-exploitation impact.
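As an added worked example (not code from the article, from CISA, or from any vendor named above), the following Python script implements both moves: it diffs a KEV snapshot against the IDs already processed on a previous run, ranks open scanner findings by KEV membership and BOD 22-01 due date before CVSS (so the 5.4 Cisco bug outranks a 9.8 that is not on KEV, the gap pure-CVSS triage misses), and flags catalog entries matching a product watchlist. The record field names follow the public KEV JSON feed schema; the catalog snapshot, its dateAdded values, the scanner findings, the asset names and the placeholder CVE ID are constructed sample data, not a download of the live feed.

```python
"""KEV-driven triage: diff today's catalog against what has already been seen,
then rank open findings by KEV membership and federal due date ahead of CVSS.

Added example, not CISA's or the article author's code. Field names mirror the
public KEV JSON feed (vulnerabilities[].cveID, vendorProject, product, dateAdded,
dueDate); the live feed is at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
but everything below is CONSTRUCTED sample data so the script runs offline.
"""
import json
from datetime import date

# Constructed snapshot in the shape of the KEV feed. dateAdded values are an
# assumption (the article's reporting date), not the catalog's real values.
KEV_SNAPSHOT = json.loads("""{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-21", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-21", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-21", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF", "dateAdded": "2026-04-21", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity", "dateAdded": "2026-04-21", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-2749", "vendorProject": "Kentico", "product": "Xperience", "dateAdded": "2026-04-21", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE SMA", "dateAdded": "2026-04-21", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-48700", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite", "dateAdded": "2026-04-21", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2023-27350", "vendorProject": "PaperCut", "product": "NG/MF", "dateAdded": "2023-04-21", "dueDate": "2023-05-12"}
  ]
}""")

# Constructed: IDs the workflow already handled on a previous run.
PRIOR_SEEN = {"CVE-2023-27350"}

# Constructed scanner output as (asset, cveID, cvss). The last row uses a
# placeholder ID, not a real CVE, standing in for a high-CVSS non-KEV finding.
FINDINGS = [
    ("sdwan-mgr-01", "CVE-2026-20122", 5.4),
    ("mail-01", "CVE-2025-48700", 6.1),
    ("build-01", "CVE-2024-27199", 7.3),
    ("web-07", "CVE-0000-0000", 9.8),
]


def load_catalog(snapshot):
    """Index the feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def new_entries(catalog, seen_ids):
    """Entries not processed before, earliest due date first."""
    fresh = [v for cid, v in catalog.items() if cid not in seen_ids]
    return sorted(fresh, key=lambda v: (v["dueDate"], v["cveID"]))


def days_to_due(entry, today_iso):
    """Days left until the BOD 22-01 due date (negative once overdue)."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today_iso)).days


def prioritize(findings, catalog, today_iso):
    """KEV findings first, soonest due date next; CVSS only breaks ties."""
    def key(f):
        _asset, cid, cvss = f
        entry = catalog.get(cid)
        if entry is None:
            return (1, 10**6, -cvss)      # not on KEV: after every KEV entry
        return (0, days_to_due(entry, today_iso), -cvss)
    return sorted(findings, key=key)


def watchlist_hits(catalog, watchlist):
    """CVE IDs whose vendor or product contains a watched term (case-insensitive)."""
    hits = []
    for v in catalog.values():
        hay = f'{v["vendorProject"]} {v["product"]}'.lower()
        if any(term.lower() in hay for term in watchlist):
            hits.append(v["cveID"])
    return sorted(hits)


if __name__ == "__main__":
    today = "2026-04-21"
    catalog = load_catalog(KEV_SNAPSHOT)
    for v in new_entries(catalog, PRIOR_SEEN):
        print(f'NEW {v["cveID"]:15} {v["vendorProject"]} {v["product"]} due {v["dueDate"]} ({days_to_due(v, today)}d)')
    for asset, cid, cvss in prioritize(FINDINGS, catalog, today):
        print(f'{"KEV" if cid in catalog else "   "} {asset:13} {cid:15} cvss={cvss}')
    print("watchlist:", watchlist_hits(catalog, ["SD-WAN", "PaperCut", "Zimbra"]))
```

In a real run, replace the embedded snapshot with the downloaded feed and persist the set of processed IDs between runs; the ranking deliberately ignores CVSS until KEV status and due date have been applied, which is the ordering the article argues for.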