CISA Adds Eight CVEs to KEV: PaperCut, JetBrains TeamCity, and Cisco SD-WAN Actively Exploited

CISA's April 20 Known Exploited Vulnerabilities addition is the largest single-day batch this month, confirming active exploitation across enterprise print management, CI/CD pipelines, content management, and Cisco SD-WAN infrastructure. The batch spans CVE publication years from 2023 to 2026, demonstrating that unpatched legacy vulnerabilities continue to be weaponised alongside newly disclosed flaws. Federal agencies face a BOD 22-01 remediation deadline, and private sector organisations should treat these as immediate prioritisation signals.


CISA added eight vulnerabilities to its Known Exploited Vulnerabilities catalogue on 20 April 2026, the single largest KEV update this month. The batch is notable for the breadth of platforms represented (print management software, continuous integration infrastructure, content management systems, endpoint management appliances, and SD-WAN orchestration) and for the range of ages among the confirmed exploited CVEs, which span publication dates from 2023 to 2026. Federal agencies are required to remediate under BOD 22-01; the same priorities serve as a risk signal for any organisation running these platforms.

Cisco Catalyst SD-WAN Manager: Three More CVEs Confirmed Exploited

Three Cisco Catalyst SD-WAN Manager vulnerabilities join the KEV catalogue alongside CVE-2026-20127, which is already tracked under CISA Emergency Directive 26-03 and carries a CVSS score of 10.0.

CVE-2026-20122 arises from incorrect use of privileged APIs in the SD-WAN Manager web interface. An attacker who exploits this flaw can upload a malicious file to the local filesystem and use it to overwrite arbitrary system files, ultimately gaining vmanage user privileges, the administrative role for SD-WAN orchestration. Full vmanage access provides control over routing policy, branch connectivity, and tunnel configurations across the entire SD-WAN fabric.

CVE-2026-20128 affects the Data Collection Agent (DCA) feature in SD-WAN Manager. An authenticated local attacker can exploit this flaw to gain DCA user privileges, which, when combined with other access, extends the attacker’s foothold on the SD-WAN management host. Cisco’s PSIRT confirmed active exploitation of both CVE-2026-20122 and CVE-2026-20128 in early March 2026.

CVE-2026-20133 is an information disclosure flaw in SD-WAN Manager that allows an unauthenticated actor to access sensitive information from the management interface. When combined with the authentication bypass in CVE-2026-20127, this flaw provides unauthenticated read access to data that should be protected behind administrative authentication.

Organisations running Cisco SD-WAN should treat this as an extension of the ED 26-03 scope. The additional three CVEs in the KEV signal that threat actors are using a multi-vulnerability approach against SD-WAN infrastructure: patch all four SD-WAN CVEs together and conduct the compromise assessment outlined in CISA’s supplemental hunt guidance.

PaperCut NG/MF: 2023 Authentication Bypass Still Weaponised (CVE-2023-27351)

CVE-2023-27351 is a three-year-old improper authentication vulnerability in PaperCut NG and PaperCut MF, the widely deployed print management platforms used across education, enterprise, and government. The vulnerability allows unauthenticated attackers to access protected functionality. PaperCut print management systems are commonly deployed in environments with large numbers of shared printers and frequently fall outside the main patch management cadence because they are not internet-facing by design.

The reappearance of a 2023 CVE in the KEV catalogue confirms the persistence of exploitation attempts against organisations that have never applied available patches. PaperCut released fixes for this vulnerability in 2023; organisations still running unfixed versions should treat this as active risk.

JetBrains TeamCity: CI/CD Pipeline Access via Path Traversal (CVE-2024-27199)

CVE-2024-27199 is a relative path traversal vulnerability in JetBrains TeamCity, the CI/CD platform deployed in many software development organisations. Path traversal in TeamCity can expose build configuration files, stored secrets (API keys, signing certificates, container registry tokens), and administrative access to build pipelines. TeamCity vulnerabilities have been previously exploited by state-sponsored actors; CISA’s confirmation of exploitation in the wild should be treated as an elevated-risk signal for organisations running development infrastructure.

Enterprise Management Platforms: Quest KACE and Kentico Xperience

CVE-2025-32975 affects the Quest KACE Systems Management Appliance (SMA), an endpoint management and IT asset management tool used extensively in mid-market and enterprise environments. The improper authentication flaw allows attackers to impersonate legitimate users without valid credentials, providing unauthorised access to endpoint configuration, software deployment, and inventory data.

CVE-2025-2749 is a path traversal vulnerability in Kentico Xperience, a content management system deployed in many marketing and enterprise web teams. An authenticated attacker can use the Staging Sync Server feature to upload arbitrary data to path-relative locations on the server, which can be leveraged for persistent access or code execution depending on the target path.

What This Batch Signals for Vulnerability Prioritisation

The April 20 KEV additions illustrate a consistent pattern: confirmed exploitation reaches platforms that are operationally important but frequently deprioritised in patching cycles. Print management, CI/CD infrastructure, CMS platforms, and endpoint management appliances often fall outside centralised patch management tooling and are treated as lower urgency than perimeter systems and servers.

For organisations that use CISA KEV as a risk signal, even absent BOD 22-01 obligations, the practical conclusion from this batch is:

  • Expand patch scope beyond perimeter and server infrastructure: systems like PaperCut, TeamCity, KACE SMA, and Kentico require the same patching discipline as internet-facing gateways
  • Audit Cisco SD-WAN for the full CVE-2026-20127 / ED 26-03 scope, now including CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133
  • Treat KEV additions as a prioritisation override: any KEV-listed vulnerability should jump to the head of the remediation queue regardless of CVSS score, because confirmed exploitation in the wild is a direct risk signal that scoring models cannot replicate
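
The prioritisation override in the last point, sketched as an added example (not part of the original article): findings listed in KEV move ahead of everything else, and CVSS only orders items within each tier. The feed sample is constructed in the shape of CISA's KEV JSON (`cveID`, `dateAdded`); the hosts, the CVSS values and the `CVE-0000-*` ids are constructed placeholders, not real scores or real CVEs.

```python
"""Reorder a remediation queue so KEV listing overrides CVSS ranking."""
import json

# Constructed sample shaped like CISA's KEV JSON feed (only the fields used here).
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2023-27351", "dateAdded": "2026-04-20"},
  {"cveID": "CVE-2024-27199", "dateAdded": "2026-04-20"},
  {"cveID": "CVE-2026-20133", "dateAdded": "2026-04-20"}
]}
""")

# Constructed scanner output. CVSS values are placeholders, not real scores;
# CVE-0000-* ids are invented stand-ins for findings that are not in KEV.
FINDINGS = [
    {"host": "build01", "cve": "cve-2024-27199 ", "cvss": 7.3},
    {"host": "web03", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "print02", "cve": "CVE-2023-27351", "cvss": None},
    {"host": "db07", "cve": "CVE-0000-0002", "cvss": 8.1},
    {"host": "vmanage1", "cve": "CVE-2026-20133", "cvss": 5.3},
]


def normalise(cve_id):
    """Scanner exports differ in case and padding; compare on one canonical form."""
    return cve_id.strip().upper()


def kev_index(feed):
    """Map CVE id -> dateAdded for every catalogue entry."""
    return {normalise(v["cveID"]): v["dateAdded"] for v in feed["vulnerabilities"]}


def prioritise(findings, feed):
    """Return findings with KEV-listed items first, then by CVSS descending."""
    kev = kev_index(feed)
    rows = []
    for f in findings:
        cve = normalise(f["cve"])
        rows.append({**f, "cve": cve, "kev": cve in kev, "kev_added": kev.get(cve)})
    # A missing score sorts last within its tier but never drops a KEV item
    # below a non-KEV one.
    return sorted(rows, key=lambda r: (not r["kev"], -(r["cvss"] or 0.0), r["cve"]))


if __name__ == "__main__":
    for r in prioritise(FINDINGS, KEV_FEED):
        tier = "KEV" if r["kev"] else "---"
        print(f'{tier}  {r["cve"]:<16} cvss={r["cvss"]}  {r["host"]}')
```
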
