CISA Warns of Active Cisco SD-WAN Exploit (CVE-2026-20133)

Summary
– CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities catalog, including a Cisco flaw (CVE-2026-20133) not yet confirmed by Cisco as exploited.
– Three of the added flaws affect Cisco Catalyst SD-WAN Manager, with two (CVE-2026-20128 and CVE-2026-20122) confirmed by Cisco as actively exploited.
– The batch includes older, actively exploited flaws like a PaperCut vulnerability (CVE-2023-27351) used by a ransomware affiliate and a JetBrains TeamCity flaw (CVE-2024-27199).
– It also contains newer vulnerabilities, including a Kentico bug with no public exploitation and a Quest KACE flaw linked to observed malicious activity.
– CISA has mandated that all U.S. federal civilian agencies patch these eight vulnerabilities by April 20, 2026.
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with eight new entries, signaling active threats that require immediate attention. Among the most pressing is a Cisco Catalyst SD-WAN Manager flaw, tracked as CVE-2026-20133, which Cisco itself has not yet officially confirmed as being exploited in the wild. This particular vulnerability was highlighted earlier this year by researchers at VulnCheck, who warned it presented a higher risk than many defenders might assume and was likely already being targeted.
Two related Cisco SD-WAN Manager vulnerabilities, CVE-2026-20128 and CVE-2026-20122, were confirmed by Cisco as actively exploited in early March. CISA has now added all three to its catalog. While it remains unclear if CVE-2026-20133 was used in those same initial attacks, its inclusion on the list underscores a serious and ongoing risk to network infrastructure.
The latest KEV catalog update extends beyond Cisco, encompassing five other critical security flaws. These include CVE-2023-27351, a long-standing PaperCut NG/MF vulnerability exploited since 2023 by the Clop ransomware affiliate Lace Tempest. Also listed is CVE-2024-27199, a JetBrains TeamCity flaw that attackers have leveraged since early last year.
Three more recent vulnerabilities round out the group. CVE-2025-2749 is a bug in Kentico Xperience, though no public exploitation has been reported. More concerning is CVE-2025-32975, which affects Quest KACE Systems Management Appliances; security firm Arctic Wolf observed malicious activity potentially linked to its exploitation in March. Finally, CVE-2025-48700 is a zero-click cross-site scripting vulnerability in Synacor’s Zimbra Collaboration Suite. According to Ukraine’s State Special Communications Service, this flaw has been actively exploited since late September 2025.
In response to these confirmed threats, CISA has issued a binding directive, mandating that all U.S. federal civilian agencies patch or mitigate all eight vulnerabilities by April 20, 2026. This action highlights the agency’s focus on compelling defenders to address flaws that are not just theoretical but are being used in real-world attacks.
(Source: Help Net Security)




