Why is it important to address these vulnerabilities promptly?

These vulnerabilities are actively exploited by threat actors, posing significant risks to organizations, including potential data breaches and system compromises.

What actions should organizations take in response to this update?

Organizations should prioritize the remediation of these vulnerabilities by applying patches or implementing mitigations as recommended by the respective vendors.

CISA Adds Eight Exploited Vulnerabilities to KEV Catalog

Q: What products are affected by the newly added vulnerabilities?

The vulnerabilities affect PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager.

CISA has expanded its Known Exploited Vulnerabilities Catalog with eight new entries, urging organizations to address these actively exploited flaws to enhance cybersecurity defenses.

Published: April 21, 2026

Share this on:

Executive Summary

On April 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding eight new vulnerabilities, citing evidence of active exploitation. These vulnerabilities affect a range of products, including PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager. The inclusion of these vulnerabilities underscores the persistent threat posed by unpatched software flaws, which can serve as entry points for malicious actors to compromise systems and exfiltrate sensitive data.

The addition of these vulnerabilities to the KEV Catalog highlights the evolving landscape of cyber threats, where attackers continuously exploit both new and longstanding vulnerabilities. Organizations are urged to prioritize the remediation of these vulnerabilities to mitigate potential risks and enhance their cybersecurity posture.

Why This Matters Now

The inclusion of these vulnerabilities in the KEV Catalog emphasizes the immediate need for organizations to address these actively exploited flaws to prevent potential breaches and data loss.

Attack Path Analysis

Attackers exploited vulnerabilities in enterprise management tools to gain initial access, escalated privileges by exploiting misconfigurations, moved laterally across the network, established command and control channels, exfiltrated sensitive data, and caused operational disruptions.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

Medium

Impact

Medium

Initial Compromise

Description

Attackers exploited vulnerabilities in enterprise management tools such as PaperCut NG/MF (CVE-2023-27351) and JetBrains TeamCity (CVE-2024-27199) to gain unauthorized access.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2024-27199
CVSS 7.3
A path traversal vulnerability in JetBrains TeamCity before 2023.11.4 allows limited administrative actions.
Affected Products:
JetBrains TeamCity – < 2023.11.4
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-27199 https://www.jetbrains.com/privacy-security/issues-fixed/
CVE-2024-32975
CVSS 7.5
An integer underflow in Envoy's QuicStreamSequencerBuffer::PeekRegion() can lead to a crash.
Affected Products:
Envoy Envoy – unspecified
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-32975

MITRE ATT&CK® Techniques

Initial Access

T1078

Valid Accounts

Initial Access

T1190

Exploit Public-Facing Application

Execution

T1059

Command and Scripting Interpreter

Discovery

T1087

Account Discovery

Credential Access

T1552

Unsecured Credentials

Credential Access

T1003

OS Credential Dumping

Command and Control

T1071

Application Layer Protocol

Impact

T1485

Data Destruction

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

Control ID: 6.2

The exploitation of known vulnerabilities indicates a failure to apply timely security patches, violating the requirement to protect systems from known threats.

NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments

Control ID: 500.05

The active exploitation of vulnerabilities suggests inadequate penetration testing and vulnerability assessments, as required to identify and remediate security weaknesses.

DORA – ICT Risk Management Framework

Control ID: Article 6

The incident highlights deficiencies in the ICT risk management framework, particularly in identifying and mitigating vulnerabilities in a timely manner.

CISA ZTMM 2.0 – Asset Management

Control ID: 3.1

The exploitation of vulnerabilities in critical systems indicates a lapse in asset management practices, essential for maintaining a zero trust architecture.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident demonstrates a failure to implement appropriate cybersecurity risk management measures, as required to prevent and mitigate the impact of cyber threats.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Government Administration

Federal agencies face mandatory KEV remediation requirements under BOD 22-01, with SD-WAN and authentication vulnerabilities creating critical infrastructure exposure risks.

Information Technology/IT

JetBrains TeamCity and network management platforms present significant supply chain risks, requiring immediate patching of exploited authentication and traversal vulnerabilities.

Financial Services

Banking systems using affected collaboration and management platforms face regulatory compliance violations and potential data exfiltration through exploited authentication mechanisms.

Health Care / Life Sciences

Healthcare organizations must address HIPAA compliance gaps from collaboration suite vulnerabilities while protecting sensitive patient data from active exploitation campaigns.

Sources

CISA Adds Eight Known Exploited Vulnerabilities to Cataloghttps://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog
Verified

CVE-2024-27199 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2024-27199

Verified

CVE-2024-32975 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2024-32975

Verified

Frequently Asked Questions

The vulnerabilities affect PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE Systems Management Appliance, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, exfiltrate data, and cause operational disruptions by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit these vulnerabilities would likely be constrained by enforcing strict segmentation and identity-aware policies, reducing the scope of unauthorized access.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges would likely be constrained by enforcing least-privilege access controls, reducing the scope of potential privilege escalation.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's ability to move laterally would likely be constrained by monitoring and controlling east-west traffic, reducing the reachability of additional systems.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels would likely be constrained by providing comprehensive visibility and control across multicloud environments, reducing the scope of persistent access.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate data would likely be constrained by enforcing strict egress policies, reducing the reachability of external servers.

Impact (Mitigations)

The attacker's ability to cause operational disruptions would likely be constrained by reducing the blast radius of the attack, limiting the scope of affected systems and data.

Impact at a Glance

Affected Business Functions

Continuous Integration/Continuous Deployment (CI/CD) Pipelines
Software Development
IT Infrastructure Management

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of source code repositories and build artifacts.

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
• Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
• Utilize Multicloud Visibility & Control solutions to detect and respond to anomalous activities across cloud environments.
• Apply Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
• Regularly update and patch enterprise management tools to mitigate known vulnerabilities.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

CISA Adds Eight Exploited Vulnerabilities to KEV Catalog

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2024-27199

Affected Products:

Exploit Status:

References:

CVE-2024-32975

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Valid Accounts

Exploit Public-Facing Application

Command and Scripting Interpreter

Account Discovery

Unsecured Credentials

OS Credential Dumping

Application Layer Protocol

Data Destruction

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Government Administration

Information Technology/IT

Financial Services

Health Care / Life Sciences

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads