CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2026-20122

Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability

Vendor: Cisco

Product: Catalyst SD-WAN Manager

Added: 2026-04-20

Due Date: 2026-04-23

Description:

Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.

Required Action:

Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CWEs:

CWE-648

CVE-2026-20133

Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability

Vendor: Cisco

Product: Catalyst SD-WAN Manager

Added: 2026-04-20

Due Date: 2026-04-23

Description:

Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.

Required Action:

Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CWEs:

CWE-200

CVE-2025-2749

Kentico Xperience Path Traversal Vulnerability

Vendor: Kentico

Product: Kentico Xperience

Added: 2026-04-20

Due Date: 2026-05-04

Description:

Kentico Xperience contains a path traversal vulnerability that could allow an authenticated user's Staging Sync Server to upload arbitrary data to path relative locations.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-22, CWE-434

CVE-2023-27351

Ransomware

PaperCut NG/MF Improper Authentication Vulnerability

Vendor: PaperCut

Product: NG/MF

Added: 2026-04-20

Due Date: 2026-05-04

Description:

PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-287

CVE-2025-48700

Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

Vendor: Synacor

Product: Zimbra Collaboration Suite (ZCS)

Added: 2026-04-20

Due Date: 2026-04-23

Description:

Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-79

CVE-2026-20128

Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability

Vendor: Cisco

Product: Catalyst SD-WAN Manager

Added: 2026-04-20

Due Date: 2026-04-23

Description:

Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.

Required Action:

Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CWEs:

CWE-257

CVE-2025-32975

Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability

Vendor: Quest

Product: KACE Systems Management Appliance (SMA)

Added: 2026-04-20

Due Date: 2026-05-04

Description:

Quest KACE Systems Management Appliance (SMA) contains an improper authentication vulnerability that could allow attackers to impersonate legitimate users without valid credentials.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-287

CVE-2024-27199

Ransomware

JetBrains TeamCity Relative Path Traversal Vulnerability

Vendor: JetBrains

Product: TeamCity

Added: 2026-04-20

Due Date: 2026-05-04

Description:

JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-23

CVE-2026-34197

Apache ActiveMQ Improper Input Validation Vulnerability

Vendor: Apache

Product: ActiveMQ

Added: 2026-04-16

Due Date: 2026-04-30

Description:

Apache ActiveMQ contains an improper input validation vulnerability that allows for code injection.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-20, CWE-94

CVE-2009-0238

Microsoft Office Remote Code Execution

Vendor: Microsoft

Product: Office

Added: 2026-04-14

Due Date: 2026-04-28

Description:

Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-94

CVE-2026-32201

Microsoft SharePoint Server Improper Input Validation Vulnerability

Vendor: Microsoft

Product: SharePoint Server

Added: 2026-04-14

Due Date: 2026-04-28

Description:

Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-20

CVE-2012-1854

Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability

Vendor: Microsoft

Product: Visual Basic for Applications (VBA)

Added: 2026-04-13

Due Date: 2026-04-27

Description:

Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-426

CVE-2025-60710

Microsoft Windows Link Following Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2026-04-13

Due Date: 2026-04-27

Description:

Microsoft Windows contains a link following vulnerability that allows for privilege escalation.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-59

CVE-2023-21529

Ransomware

Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability

Vendor: Microsoft

Product: Exchange Server

Added: 2026-04-13

Due Date: 2026-04-27

Description:

Microsoft Exchange Server contains a deserialization of untrusted data vulnerability that allows an authenticated attacker to achieve remote code execution.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-502

CVE-2023-36424

Microsoft Windows Out-of-Bounds Read Vulnerability

Vendor: Microsoft

Product: Windows

Added: 2026-04-13

Due Date: 2026-04-27

Description:

Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor to escalate privileges.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-125