The US cybersecurity agency CISA on Monday expanded its Known Exploited Vulnerabilities (KEV) catalog with eight more flaws, including three that have not previously been flagged as exploited.
The most recent of these is CVE-2026-20133, a high-severity information disclosure bug in Cisco Catalyst SD-WAN Manager that was patched in February.
Insufficient file system access restrictions could allow an attacker to access the API of an affected system and read information on the underlying operating system.
The CVE was disclosed in February alongside CVE-2026-20122 and CVE-2026-20128, two SD-WAN flaws that Cisco flagged as exploited in March. Now, CISA has added all three to the KEV list.
The agency also warned that two security defects disclosed last year in Kentico Xperience and Zimbra Collaboration Suite (ZCS), both leading to remote code execution (RCE), have been exploited in attacks.
Tracked as CVE-2025-2749, the Kentico bug is described as a path traversal and arbitrary file upload issue that could allow attackers to execute content on the server remotely.
The weakness exists because the Staging Sync Server of Kentico Xperience versions 13.0.178 and prior would upload arbitrary files to path-relative locations. Authentication is required for successful exploitation.
In March last year, WatchTowr explained that hackers could chain three flaws in Kentico, including an authenticated RCE issue, to compromise deployments. Two of the weaknesses, tracked as CVE-2025-2746 and CVE-2025-2747, were added to CISA’s KEV catalog in October.
The ZCS vulnerability that CISA added to KEV this week is CVE-2025-48700, an XSS bug in the Zimbra Classic UI that can be exploited to execute JavaScript code within the user’s session.
Rooted in the insufficient sanitization of HTML content, the flaw can be triggered when the user opens a crafted message in the Classic UI.
The other three flaws added to CISA’s KEV on Monday include CVE-2025-32975, a critical Quest KACE issue flagged as potentially exploited last month; CVE-2024-27199, a JetBrains TeamCity weakness exploited for over two years; and CVE-2023-27351, a PaperCut defect exploited since April 2023.
CISA urges federal agencies to patch the Cisco and Zimbra vulnerabilities by April 23, and the other four issues by May 4.
Related: Hackers Fail to Exploit Flaw in Discontinued TP-Link Routers
Related: Recent Apache ActiveMQ Vulnerability Exploited in the Wild
Related: Cursor AI Vulnerability Exposed Developer Devices
Related: NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software
