CISA Adds Eight Known Exploited Vulnerabilities to Catalog

Source: US CISA Advisories (www.cisa.gov)

Summary

CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026. The new entries cover PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager. CISA cites evidence of active exploitation and notes that vulnerabilities of these types are frequent attack vectors posing significant risk to the federal enterprise.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

CISA, verbatim from source

Published by CISA on cisa.gov. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

What changed

CISA added eight new CVE entries to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The added entries affect PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, and Synacor Zimbra Collaboration Suite (one CVE each), and Cisco Catalyst SD-WAN Manager (three CVEs).

Federal Civilian Executive Branch agencies are subject to remediation requirements under BOD 22-01 for these newly listed vulnerabilities. All organizations should review their systems against the new CVE entries and prioritize timely remediation as part of their vulnerability management practice.
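One concrete way to act on the recommendation above is to consume the KEV feed programmatically and cross-reference it with an asset inventory, so that newly added entries are turned into a remediation worklist rather than read by hand. The script below is an added example, not code from CISA or GovPing. It assumes the shape of the public KEV JSON feed (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, vulnerabilityName and dateAdded); the feed content is constructed inline from the eight entries in this alert plus one obviously labelled placeholder entry with an earlier date, the inventory hosts are made up, and fields such as dueDate and requiredAction are left out because the alert does not state them. Product matching is a deliberately simple token heuristic; a production inventory would match on CPE or vendor-specific identifiers instead.

```python
"""Match a KEV-format feed against a small asset inventory (added example).

The feed is CONSTRUCTED in the shape of CISA's KEV JSON feed. CVE IDs, vendors,
products and dateAdded values come from the April 20, 2026 alert; the
ExampleVendor entry is a placeholder, not a real CVE, and every host below is
invented.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


def _kev(cve: str, vendor: str, product: str, name: str, added: str) -> dict:
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": added}


SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        # Placeholder entry added earlier so the date filter has something to exclude.
        _kev("CVE-0000-00000", "ExampleVendor", "ExampleProduct", "Placeholder Entry", "2026-01-15"),
        _kev("CVE-2023-27351", "PaperCut", "NG/MF", "PaperCut NG/MF Improper Authentication Vulnerability", "2026-04-20"),
        _kev("CVE-2024-27199", "JetBrains", "TeamCity", "JetBrains TeamCity Relative Path Traversal Vulnerability", "2026-04-20"),
        _kev("CVE-2025-2749", "Kentico", "Xperience", "Kentico Xperience Path Traversal Vulnerability", "2026-04-20"),
        _kev("CVE-2025-32975", "Quest", "KACE Systems Management Appliance", "Quest KACE SMA Improper Authentication Vulnerability", "2026-04-20"),
        _kev("CVE-2025-48700", "Synacor", "Zimbra Collaboration Suite", "Synacor ZCS Cross-site Scripting Vulnerability", "2026-04-20"),
        _kev("CVE-2026-20122", "Cisco", "Catalyst SD-WAN Manager", "Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability", "2026-04-20"),
        _kev("CVE-2026-20128", "Cisco", "Catalyst SD-WAN Manager", "Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability", "2026-04-20"),
        _kev("CVE-2026-20133", "Cisco", "Catalyst SD-WAN Manager", "Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information Vulnerability", "2026-04-20"),
    ],
})


@dataclass(frozen=True)
class Asset:
    """One inventory record: vendor and product as the asset owner names them."""
    hostname: str
    vendor: str
    product: str


# Invented inventory. Note the SD-WAN Controller host, which must NOT match the
# Manager entries, and the Windows host, which matches nothing in this feed.
INVENTORY = [
    Asset("print01", "PaperCut", "NG"),
    Asset("ci01", "JetBrains", "TeamCity"),
    Asset("sdwan-mgr01", "Cisco", "Catalyst SD-WAN Manager"),
    Asset("sdwan-ctl01", "Cisco", "Catalyst SD-WAN Controller"),
    Asset("files01", "Microsoft", "Windows Server"),
]


def load_kev(feed_json: str) -> list[dict]:
    """Return the catalog entries from a KEV-format JSON document."""
    return json.loads(feed_json)["vulnerabilities"]


def entries_added_on(entries: list[dict], date_added: str) -> list[dict]:
    """Select the entries added on one catalog update (ISO date, e.g. 2026-04-20)."""
    return [e for e in entries if e["dateAdded"] == date_added]


def _tokens(name: str) -> set[str]:
    # Split on whitespace and "/" so that "NG/MF" yields {"ng", "mf"}.
    return {t for t in re.split(r"[\s/]+", name.lower()) if t}


def entry_matches_asset(entry: dict, asset: Asset) -> bool:
    """Vendor must match exactly (case-insensitive); every token of the asset's
    product name must appear in the catalog product name. Coarse by design."""
    if entry["vendorProject"].lower() != asset.vendor.lower():
        return False
    return _tokens(asset.product) <= _tokens(entry["product"])


def affected_assets(entries: list[dict], assets: list[Asset]) -> list[tuple[str, str]]:
    """Return sorted (cveID, hostname) pairs for every entry/asset match."""
    hits = [(e["cveID"], a.hostname) for e in entries for a in assets
            if entry_matches_asset(e, a)]
    return sorted(hits)


def remediation_worklist(feed_json: str, assets: list[Asset], date_added: str) -> list[tuple[str, str]]:
    """Worklist for one update: new entries on date_added that hit the inventory."""
    return affected_assets(entries_added_on(load_kev(feed_json), date_added), assets)


if __name__ == "__main__":
    for cve, host in remediation_worklist(SAMPLE_KEV_FEED, INVENTORY, "2026-04-20"):
        print(f"{host}: {cve}")
```

Run against the constructed data, the worklist names print01 (one CVE), ci01 (one CVE) and sdwan-mgr01 (three CVEs) and leaves the SD-WAN Controller and Windows hosts out. To use the real feed, replace SAMPLE_KEV_FEED with the downloaded KEV JSON and keep the dateAdded filter set to the date of the update you are triaging.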

Archived snapshot

Apr 20, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Alert

CISA Adds Eight Known Exploited Vulnerabilities to Catalog

Release Date

April 20, 2026

CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
  • CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
  • CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
  • CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
  • CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
  • CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
  • CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
  • CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

This product is provided subject to this Notification and this Privacy & Use policy.

About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CISA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CISA
Published: April 20th, 2026
Instrument: Notice
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Minor

Who this affects

Applies to: Government agencies, Technology companies
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability remediation, Cybersecurity compliance, Threat mitigation
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Critical Infrastructure
