CISA Adds 8 Flaws to KEV: Cisco and PaperCut Exploited in the Wild
- Threat actors are actively exploiting eight newly cataloged vulnerabilities, including flaws that bypass authentication and allow remote code execution on enterprise servers.
- Affected products include Cisco Catalyst SD-WAN Manager and PaperCut MF/NG versions susceptible to improper authentication or privilege escalation.
- Organizations must apply vendor-supplied updates or, until they can, restrict network access to the affected services; the federal remediation deadlines run into May 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding eight distinct security flaws currently under active exploitation by threat actors. The update, first reported by The Hacker News, requires federal agencies to address these flaws by specific deadlines that extend into May 2026. The additions illustrate a persistent trend: older CVE entries and high-impact enterprise management software remain primary targets for APT groups and cybercriminals alike.
Critical Flaws in Cisco Catalyst SD-WAN Manager
Among the new additions are three significant vulnerabilities affecting Cisco Catalyst SD-WAN Manager. These flaws pose a major risk to network orchestration and centralized management. Where SD-WAN controllers are reachable from the public internet, an attacker can potentially bypass authentication or escalate privileges and then manipulate how traffic is routed across the WAN. Security teams should prioritize the Cisco-supplied updates for Catalyst SD-WAN Manager and confirm that its management interfaces are not reachable from untrusted networks, since the same interfaces are where unauthorized command execution would occur. A compromised SD-WAN manager is especially dangerous because it hands the adversary broad visibility into, and control over, the entire managed network.
The Persistence of PaperCut Exploitation
The KEV update also highlights CVE-2023-27351, an improper authentication vulnerability in PaperCut MF and NG. With a CVSS score of 8.2, this flaw allows unauthenticated attackers to gain remote access to the PaperCut application server. Historically, this vulnerability has been a precursor to ransomware deployment, as it provides a foothold for lateral movement within the internal network.
Defenders looking for CVE-2023-27351 exploitation should monitor for unusual child processes spawned by the PaperCut service (pc-app.exe), such as cmd.exe or powershell.exe, and for unexpected outbound network connections from print servers. Because a print management server typically runs with elevated permissions and integrates with directory services such as Active Directory, it is a high-value target for achieving RCE. Some legitimate child processes do exist, so baseline them per environment before turning a hunt query into a blocking rule.
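The hunt described above, as an added example that is not code from the article: a small triage routine that scans process-creation events (a constructed event shape with host, timestamp, parent_image, image and command_line fields, loosely modelled on Sysmon Event ID 1) and flags children of pc-app.exe that are interpreters or LOLBins, run from user-writable paths, or carry encoded or download-cradle command lines. The sample events, hostnames and the PaperCut install path are constructed for the demonstration.

```python
"""Hunt for PaperCut post-exploitation behaviour in process-creation events.

Added example, not code from the article. The event shape is an assumption:
one dict per process-creation event with 'host', 'timestamp', 'parent_image',
'image' and 'command_line' keys, loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS below are constructed for the demonstration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# PaperCut application server process named in the article.
PAPERCUT_PARENT = "pc-app.exe"

# Interpreters and LOLBins that a print server's app process should not launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe", "msiexec.exe",
}

# User-writable locations from which a child of pc-app.exe should never run.
WRITABLE_PATH_MARKERS = ("\\users\\public\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Command-line fragments typical of encoded or download-cradle payloads.
CMDLINE_MARKERS = ("-enc ", "-encodedcommand", "frombase64string",
                   "downloadstring", "invoke-webrequest")


@dataclass(frozen=True)
class Finding:
    host: str
    timestamp: str
    child: str
    command_line: str
    reason: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analyst's platform.
    return ntpath.basename(path).lower()


def triage_event(event: dict) -> Finding | None:
    """Return a Finding if the event is a suspicious child of pc-app.exe."""
    if _basename(event.get("parent_image", "")) != PAPERCUT_PARENT:
        return None
    image = event.get("image", "")
    child = _basename(image)
    cmd = event.get("command_line", "")
    if child in SUSPICIOUS_CHILDREN:
        reason = f"{PAPERCUT_PARENT} spawned interpreter/LOLBin {child}"
    elif any(m in image.lower() for m in WRITABLE_PATH_MARKERS):
        reason = "child launched from a user-writable path"
    elif any(m in cmd.lower() for m in CMDLINE_MARKERS):
        reason = "encoded or download-cradle command line under pc-app.exe"
    else:
        # Legitimate children do exist; baseline them per environment before
        # turning this into a blocking rule.
        return None
    return Finding(event["host"], event["timestamp"], child, cmd, reason)


def hunt(events: list[dict]) -> list[Finding]:
    return [f for e in events if (f := triage_event(e)) is not None]


# Constructed sample events (not real telemetry); the PaperCut path is the
# assumed default install location.
SAMPLE_EVENTS = [
    {"host": "print-01", "timestamp": "2026-04-22T03:14:07Z",
     "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "whoami > C:\Windows\Temp\o.txt"'},
    {"host": "print-01", "timestamp": "2026-04-22T03:14:08Z",
     "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"host": "ws-17", "timestamp": "2026-04-22T09:02:11Z",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"},
    {"host": "print-01", "timestamp": "2026-04-22T03:15:40Z",
     "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA"},
    {"host": "print-02", "timestamp": "2026-04-22T04:01:55Z",
     "parent_image": r"C:\Program Files\PaperCut MF\server\bin\win\pc-app.exe",
     "image": r"C:\Users\Public\update.exe",
     "command_line": "update.exe --silent"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host}: {f.reason} :: {f.command_line}")
```

The powershell event on ws-17 is deliberately ignored: the parent is explorer.exe, and the point of the rule is the parent-child relationship, not the child alone. The conhost.exe event shows why a simple "any child of pc-app.exe" rule would be too noisy.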
Strategic Implications and How to Remediate the April 2026 KEV Additions
The CISA KEV catalog serves as a directive for Federal Civilian Executive Branch (FCEB) agencies, but it is also a vital resource for SOC teams in the private sector. The presence of a vulnerability in the KEV catalog indicates confirmed evidence of exploitation, moving it to the top of the remediation queue regardless of its base severity score.
To meet the April and May 2026 KEV deadlines, organizations must adopt a risk-based patching cycle. This involves:
- Identifying all instances of Cisco Catalyst SD-WAN Manager and PaperCut software across the entire corporate infrastructure.
- Reviewing IoC data associated with recent exploitation campaigns to check for existing compromises before patching, since a patch closes the door but does not evict an attacker who is already inside.
- Implementing Zero Trust principles by restricting access to management consoles via authenticated gateways or isolated management networks.
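The inventory and prioritization steps above, as an added example that is neither the article's code nor CISA's: the KEV catalog is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, and this script joins entries from that feed to an asset inventory and orders the work by what is overdue, internet-exposed and tied to known ransomware use. The feed excerpt, the asset inventory, the CVE-0000-* identifiers, the dates and the ransomware flags are all constructed placeholders for the demonstration (the article names no CVE IDs for the Cisco flaws), and the vendor/product matching is a heuristic that a production version would replace with CPE mapping.

```python
"""Prioritise remediation from a CISA KEV feed against an asset inventory.

Added example, not code from the article or from CISA. The real catalog is
published as JSON at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and uses the field names shown below. SAMPLE_KEV and INVENTORY are constructed
for this demonstration: the CVE-0000-* IDs, all dates and the ransomware flags
are placeholders, not catalog values.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import date

SAMPLE_KEV = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "MF/NG",
     "vulnerabilityName": "PaperCut MF/NG Improper Authentication Vulnerability",
     "dateAdded": "2026-04-21", "dueDate": "2026-05-12",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00001", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager",
     "vulnerabilityName": "Placeholder entry; the article gives no CVE ID",
     "dateAdded": "2026-04-21", "dueDate": "2026-04-28",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "UnrelatedProduct",
     "vulnerabilityName": "Placeholder entry with no matching asset",
     "dateAdded": "2026-04-21", "dueDate": "2026-05-12",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
""")

# Constructed inventory; a real one would come from a CMDB or scanner export.
INVENTORY = [
    {"asset": "print-01", "vendor": "PaperCut", "product": "PaperCut MF",
     "internet_exposed": False},
    {"asset": "sdwan-mgr-01", "vendor": "Cisco",
     "product": "Catalyst SD-WAN Manager", "internet_exposed": True},
    {"asset": "web-07", "vendor": "Apache", "product": "HTTP Server",
     "internet_exposed": True},
]

# Fixed "today" so the demonstration is deterministic.
DEMO_AS_OF = date(2026, 4, 30)


def load_kev(path: str) -> dict:
    """Load a downloaded copy of the KEV JSON feed."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _tokens(text: str) -> set[str]:
    return {t for t in re.split(r"[\s/]+", text.lower()) if t}


def matches(entry: dict, asset: dict) -> bool:
    """Heuristic vendor/product match; map to CPEs for production use."""
    ev, av = entry["vendorProject"].lower(), asset["vendor"].lower()
    if ev not in av and av not in ev:
        return False
    return bool(_tokens(entry["product"]) & _tokens(asset["product"]))


@dataclass(frozen=True)
class Task:
    asset: str
    cve: str
    due: date
    days_left: int
    internet_exposed: bool
    ransomware_use: bool

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def prioritise(kev: dict, inventory: list[dict], as_of: date) -> list[Task]:
    """Join KEV entries to assets and order them for remediation."""
    tasks = []
    for entry in kev["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if matches(entry, asset):
                tasks.append(Task(asset["asset"], entry["cveID"], due,
                                  (due - as_of).days, asset["internet_exposed"],
                                  entry.get("knownRansomwareCampaignUse") == "Known"))
    # Overdue first, then internet-exposed, then known ransomware use, then
    # earliest due date. KEV membership already outranks the CVSS base score.
    tasks.sort(key=lambda t: (not t.overdue, not t.internet_exposed,
                              not t.ransomware_use, t.due))
    return tasks


if __name__ == "__main__":
    for t in prioritise(SAMPLE_KEV, INVENTORY, DEMO_AS_OF):
        flag = "OVERDUE" if t.overdue else f"{t.days_left}d left"
        print(f"{t.asset:14} {t.cve:16} due {t.due} ({flag})"
              f"{' exposed' if t.internet_exposed else ''}"
              f"{' ransomware' if t.ransomware_use else ''}")
```

Run against the live feed with load_kev on a downloaded copy and today's date in place of DEMO_AS_OF. The sort deliberately ignores CVSS: once a flaw is in KEV, the question is only how exposed the asset is and how much time remains.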
Furthermore, mapping these threats to the MITRE ATT&CK framework helps EDR and SIEM administrators write more durable detection rules. By focusing on the TTPs the actors use when exploiting these flaws rather than on exploit-specific signatures, defenders can still identify the malicious behavior when a signature is bypassed. Timely patching and reduction of the attack surface remain the most effective defenses against these actively exploited vulnerabilities.