CISA KEV Update: Eight New Vulnerabilities in Cisco, TeamCity, and Zimbra

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, according to CISA. This latest update includes eight CVE IDs that represent active risks to enterprise environments. These vulnerabilities span various software categories, including infrastructure management, collaborative platforms, and printing services, many of which provide attackers with a path toward RCE or full system compromise.

Mandatory Remediation for Federal Agencies

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these specific vulnerabilities by established deadlines. While the directive is legally binding for federal entities, the SOC teams in private industry should treat these additions with equal urgency. The inclusion of these flaws in the KEV catalog indicates that CISA has verified evidence of active exploitation, suggesting that APT groups or opportunistic cybercriminals are currently leveraging these TTP sets in the wild.

Critical Analysis: Cisco Catalyst SD-WAN Manager Security Update

Among the most concerning additions are three vulnerabilities affecting Cisco Catalyst SD-WAN Manager: CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. The most severe of these, CVE-2026-20122, involves the incorrect use of privileged APIs, which could allow an unauthenticated attacker to gain unauthorized access to sensitive management functions. This type of flaw is particularly dangerous in SD-WAN environments where centralized management consoles control wide-area network routing and security policies.

Executing a Cisco Catalyst SD-WAN Manager security update is the primary defense against these threats. Failure to patch these management interfaces could result in unauthorized actors gaining visibility into network traffic or modifying configuration files, potentially facilitating Lateral Movement across the corporate backbone.

Addressing Legacy and Third-Party Risks

The update also highlights the persistence of older vulnerabilities that continue to provide high utility for attackers. CVE-2023-27351, an improper authentication vulnerability in PaperCut NG/MF, has been a frequent target for Ransomware affiliates. Its continued exploitation underscores the need for thorough asset inventory and patch verification for all peripheral office services.

Similarly, CVE-2024-27199 affects JetBrains TeamCity. This relative path traversal vulnerability allows attackers to bypass authentication and gain administrative control over the CI/CD server. Security researchers and defenders should prioritize learning how to detect CVE-2024-27199 exploit attempts by monitoring web server logs for unusual URL patterns involving directory traversal sequences aimed at administrative endpoints.

Synacor Zimbra Collaboration Suite XSS Mitigation

The inclusion of CVE-2025-48700, a XSS vulnerability in Synacor Zimbra Collaboration Suite, demonstrates that web-based interface flaws remain a viable entry point. While XSS is often viewed as a lower-priority threat, in the context of a collaboration suite, it can be used to steal session cookies or perform actions on behalf of authenticated users. Implementing a Synacor Zimbra Collaboration Suite XSS mitigation strategy, including updating to the latest patch level and enforcing strict Content Security Policies (CSP), is essential for protecting sensitive internal communications.

Recommendations for Defenders

To align with the MITRE ATT&CK framework and reduce the organizational attack surface, defenders should:

• Audit all internet-facing instances of Quest KACE SMA for CVE-2025-32975 and Kentico Xperience for CVE-2025-2749.
• Prioritize patching based on the KEV catalog, as these vulnerabilities represent the highest probability of near-term exploitation.
• Utilize EDR and SIEM solutions to monitor for anomalous parent-child process relationships originating from management software and web servers.