Executive Summary
In April 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation. Notably, CVE-2023-27351, an improper authentication flaw in PaperCut NG/MF, allows attackers to bypass authentication via the SecurityRequestFilter class. Other vulnerabilities affect JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra, and Cisco Catalyst SD-WAN Manager. (thehackernews.com)
The inclusion of these vulnerabilities underscores the persistent threat posed by both new and longstanding security flaws. Organizations are urged to promptly apply patches to mitigate risks associated with these actively exploited vulnerabilities.
Why This Matters Now
The active exploitation of these vulnerabilities highlights the critical need for organizations to maintain up-to-date security measures. Immediate patching is essential to prevent potential breaches and safeguard sensitive information.
Attack Path Analysis
An attacker exploited CVE-2023-27351 in PaperCut MF to bypass authentication, gaining unauthorized access to the print management server. They escalated privileges by exploiting misconfigurations, allowing administrative control. The attacker moved laterally to other systems within the network, leveraging the compromised server. They established command and control channels to maintain persistent access. Sensitive data was exfiltrated from the network to external servers. Finally, the attacker deployed ransomware, encrypting critical files and disrupting operations.
Kill Chain Progression
Initial Compromise
Description
Exploited CVE-2023-27351 in PaperCut MF to bypass authentication and gain unauthorized access.
Related CVEs
CVE-2023-27351
CVSS 7.5
An improper authentication vulnerability in PaperCut NG/MF allows remote attackers to bypass authentication, potentially leading to unauthorized access to sensitive information.
Affected Products:
PaperCut NG/MF – 21.0.0 to 21.2.11
Exploit Status:
exploited in the wild
CVE-2026-20122
CVSS 5.4
An incorrect use of privileged APIs in Cisco Catalyst SD-WAN Manager allows an authenticated, remote attacker to execute arbitrary commands on the underlying operating system.
Affected Products:
Cisco Catalyst SD-WAN Manager – 18.3.1 to 20.9.3
Exploit Status:
exploited in the wild
CVE-2026-20128
CVSS 7.5
Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, which could allow an authenticated, remote attacker to retrieve and use these credentials.
Affected Products:
Cisco Catalyst SD-WAN Manager – 18.3.1 to 20.9.3
Exploit Status:
exploited in the wild
CVE-2026-20133
CVSS 7.5
An exposure of sensitive information to an unauthorized actor vulnerability in Cisco Catalyst SD-WAN Manager allows an authenticated, remote attacker to access sensitive information.
Affected Products:
Cisco Catalyst SD-WAN Manager – 18.3.1 to 20.9.3
Exploit Status:
exploited in the wild
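The practical first step after a KEV addition is to find which of your own assets fall inside the affected-version ranges above. The following script is an added example, not part of this brief or of any vendor tool: it matches a constructed sample inventory (hostnames and versions invented for illustration) against the product/version ranges exactly as the brief lists them, using a numeric version compare so that 21.2.11 is treated as inside the PaperCut range while 21.2.12 is not.

```python
"""
KEV exposure triage: match an asset inventory against the affected-version
ranges listed for the CVEs in this brief.

Added example. The inventory rows below are constructed sample data, not
real hosts; the version ranges are copied from the brief's CVE entries.
"""
import csv
import io

# Affected ranges as stated in the brief (inclusive bounds, per product).
AFFECTED = {
    "PaperCut NG/MF": [
        ("CVE-2023-27351", "21.0.0", "21.2.11"),
    ],
    "Cisco Catalyst SD-WAN Manager": [
        ("CVE-2026-20122", "18.3.1", "20.9.3"),
        ("CVE-2026-20128", "18.3.1", "20.9.3"),
        ("CVE-2026-20133", "18.3.1", "20.9.3"),
    ],
}

# Constructed sample inventory (CSV export from an asset database, hypothetical).
SAMPLE_INVENTORY = """host,product,version
print-01,PaperCut NG/MF,21.2.5
print-02,PaperCut NG/MF,21.2.12
sdwan-mgr-01,Cisco Catalyst SD-WAN Manager,20.9.3
sdwan-mgr-02,Cisco Catalyst SD-WAN Manager,18.2.0
fileserver-01,Samba,4.19.0
"""


def parse_version(v: str) -> tuple:
    """Turn '20.9.3' into ((1,20),(1,9),(1,3)).

    Numeric components are tagged with 1 and compared as integers, so 21.2.11
    sorts after 21.2.9 (a plain string compare would get this wrong). Any
    non-numeric build tag is tagged with 0 so a comparison never raises.
    """
    parts = []
    for piece in v.replace("-", ".").split("."):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range check; shorter versions are padded with zero components
    so that '21.2.11' and '21.2.11.0' compare equal."""
    v, lo, hi = map(parse_version, (version, low, high))
    n = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + ((1, 0),) * (n - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def find_exposed(inventory_csv: str) -> list:
    """Return one record per asset that sits inside an affected range,
    listing every CVE from the brief that applies to it."""
    exposed = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ranges = AFFECTED.get(row["product"])
        if not ranges:
            continue  # product not covered by this brief
        cves = [cve for cve, lo, hi in ranges if in_range(row["version"], lo, hi)]
        if cves:
            exposed.append({
                "host": row["host"],
                "product": row["product"],
                "version": row["version"],
                "cves": cves,
            })
    return exposed


if __name__ == "__main__":
    for rec in find_exposed(SAMPLE_INVENTORY):
        print(f"{rec['host']:14} {rec['product']} {rec['version']}: "
              f"{', '.join(rec['cves'])}")
```

On the sample data the report names print-01 (one PaperCut CVE) and sdwan-mgr-01 (all three SD-WAN Manager CVEs); print-02 and sdwan-mgr-02 sit just outside their ranges and are correctly left out. Replace `SAMPLE_INVENTORY` with your own export and extend `AFFECTED` from the CISA KEV entries to reuse it for future additions.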
MITRE ATT&CK® Techniques
Valid Accounts
External Remote Services
Exploit Public-Facing Application
Modify Authentication Process
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
SD-WAN infrastructure vulnerabilities expose critical network routing systems to exploitation, enabling lateral movement and data exfiltration across service provider networks.
Government Administration
CISA KEV mandate requires federal agencies to patch Cisco SD-WAN and PaperCut flaws by April-May 2026 deadlines or discontinue usage.
Financial Services
Banking networks using Cisco SD-WAN face authentication bypass risks enabling privilege escalation and potential compliance violations under regulatory frameworks.
Health Care / Life Sciences
Healthcare organizations risk HIPAA violations through PaperCut authentication flaws and SD-WAN vulnerabilities compromising patient data transmission security.
Sources
- CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines – https://thehackernews.com/2026/04/cisa-adds-8-exploited-flaws-to-kev-sets.html (Verified)
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog – https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog (Verified)
- PaperCut says hackers are exploiting 'critical' security flaws in unpatched servers – https://techcrunch.com/2023/04/25/papercut-hackers-critical-flaw-clop-ransomware/ (Verified)
- Cisco Security Advisories – https://www.cisco.com/c/en/us/td/docs/security/psirt/psirt-security-advisory/2026/cisco-sa-sdwan-priv-api-2026-20122.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial exploitation, it could limit the attacker's ability to leverage the compromised server for further malicious activities.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict access controls and minimizing trust relationships.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely restrict the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized command and control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely restrict unauthorized data exfiltration by controlling outbound traffic.
While Aviatrix CNSF may not prevent the deployment of ransomware, it could limit the spread and impact by containing the attack within segmented network zones.
Impact at a Glance
Affected Business Functions
- Print Management Services
- Network Management
Estimated downtime: 3 days
Estimated loss: $50,000
User credentials and sensitive configuration data
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Ensure timely patching of known vulnerabilities to mitigate exploitation risks.