Eight exploited KEV vulnerabilities require immediate patching


The US Cybersecurity and Infrastructure Security Agency (CISA) has recently added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, a clear sign that these are flaws already being exploited or for which there is evidence of abuse in real environments. This inclusion obliges administrators and security managers to prioritize patching and mitigation: when CISA marks an issue as having known exploitation, the risk is no longer theoretical and becomes urgent.

Among the added vulnerabilities are flaws that affect solutions widely used in companies, from printers and collaboration services to network management and orchestration platforms. They include, for example, an authentication flaw in PaperCut NG/MF (CVE-2023-27351) that has historically been used in ransomware campaigns, and several weaknesses in JetBrains TeamCity and Kentico Xperience that allow limited path manipulation or administrative actions. There are also three flaws in Cisco Catalyst SD-WAN Manager that, combined, can enable anything from overwriting files on the system to exposure of credentials or sensitive information.


The presence of a CVE with the maximum score (10.0) affecting Quest KACE Systems Management Appliance (CVE-2025-32975) deserves special attention: an authentication flaw that would allow an attacker to create users without valid credentials represents a direct route to compromising managed environments. Detection and response providers have in fact documented exploitation attempts against unpatched SMA appliances, which underlines the need to review and apply updates as soon as possible. General information on manufacturers' advisories is available on official portals such as Quest's: support.quest.com.

In some cases there are already precedents and traces of past campaigns. Exploitation of the PaperCut flaw (CVE-2023-27351) was linked in 2023 to an actor called Lace Tempest, associated with the distribution of ransomware families such as Cl0p and LockBit; this shows how a vulnerability in an apparently peripheral service, such as print management, can become the gateway to high-impact incidents. To better understand the context and sophistication of such campaigns, it is useful to review the analysis and follow-up of the activity by cybersecurity firms and specialized media such as BleepingComputer.

As for Cisco, the company confirmed that it had records of exploitation in real environments for at least two of the reported flaws in SD-WAN Manager (CVE-2026-20122 and CVE-2026-20128), while for the third (CVE-2026-20133) there was as yet no explicit acknowledgement of widespread abuse at the time of CISA's notification. Since the three defects affect the same platform and offer different ways of escalating privileges and reaching sensitive information, the recommendation is to treat them together: apply the official patches and review configurations, credentials and access. Cisco's general advisories page is a good starting point: cisco.com/security-advisories.

Beyond patching, organizations should strengthen complementary controls: network segmentation to limit the scope of any exploitation, auditing of access and privileges to detect anomalous accounts, and integrity monitoring on critical systems to alert on suspicious file overwrites. There is no single "cure" for these problems; it is a matter of combining updates, detection controls and good operational practice to reduce risk while the fixes are being rolled out.

The deadlines CISA has set for remediating these flaws are binding for federal civilian agencies: the three Cisco vulnerabilities must be remediated by April 23, 2026, and the rest by May 4, 2026. Although these deadlines apply directly to federal government bodies, they are a useful indicator for the private sector of the priority these issues deserve: when the regulator sets a strict timetable, it is because the threat is real and close.


Nor should the wider chain be lost sight of: when a vulnerability in a managed product or an appliance is exploited, as Arctic Wolf has observed in campaigns against unpatched SMA, the impact can spread through poorly verified updates, management systems and patching tools. Maintaining detailed asset inventories and quickly checking which versions are in use is as critical as applying patches. To follow campaign and detection analysis, the blogs of security and response providers can give early information on tactics and detections: arcticwolf.com/blog.

If you are responsible for security in a company, act in this order: identify whether you are exposed, assess the risk based on the use of and access to the affected equipment, apply the vendors' official updates and, in the meantime, tighten access and monitoring controls. Also keep communication channels open with your vendors and check each manufacturer's official advisory pages to confirm specific mitigation instructions; the central reference sites are the manufacturers' security portals and the CISA list itself: Known Exploited Vulnerabilities Catalog.
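As an added example that is not part of the article, the script below turns the order of operations above into a triage pass: it cross-references a constructed subset of the KEV feed (real field names, the five CVEs and due dates named here) against a constructed asset inventory and ranks the patch work by deadline, known ransomware use and exposure.

```python
"""Cross-reference a CISA KEV feed with an asset inventory to rank patch work.
Constructed sample data: the KEV subset uses the public feed's field names but
only the CVEs and due dates the article names; the inventory is invented."""
import json
from datetime import date

KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE SMA",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-23",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory. Exact product-name matching is a simplification; a
# production version would match on vendor, product and affected version range.
INVENTORY = [
    {"host": "print01", "product": "NG/MF", "internet_facing": False},
    {"host": "sdwan-mgr", "product": "Catalyst SD-WAN Manager", "internet_facing": True},
    {"host": "kace01", "product": "KACE SMA", "internet_facing": True},
    {"host": "fileshare", "product": "Samba", "internet_facing": False},  # not in KEV
]

def prioritise(kev_json, inventory, today_iso):
    """Return one row per (asset, KEV entry) match, most urgent first.
    Score: overdue +100, or due within 14 days +50; known ransomware use +30;
    internet-facing asset +20. Ties break on days left, then CVE id."""
    today = date.fromisoformat(today_iso)
    by_product = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault(v["product"], []).append(v)
    rows = []
    for asset in inventory:
        for v in by_product.get(asset["product"], []):
            days_left = (date.fromisoformat(v["dueDate"]) - today).days
            score = 100 if days_left < 0 else 50 if days_left <= 14 else 0
            score += 30 if v["knownRansomwareCampaignUse"] == "Known" else 0
            score += 20 if asset["internet_facing"] else 0
            rows.append({"host": asset["host"], "cve": v["cveID"],
                         "days_left": days_left, "score": score})
    return sorted(rows, key=lambda r: (-r["score"], r["days_left"], r["cve"]))
```

Run `prioritise(KEV_JSON, INVENTORY, "2026-04-15")` to see the three Cisco entries rank first because their deadline is closest; assets with no KEV match, like the Samba host, produce no rows.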

In short, the entry of these eight vulnerabilities into the KEV is not just a record update: it is a reminder that the threat landscape remains active and that the window between disclosure of a flaw and its exploitation can be very short. The combination of patches, visibility and basic cyber-hygiene controls is the best defense against these threats, and the priority must be real and measured in days, not weeks.
