The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added eight new entries to its Known Exploited Vulnerabilities (KEV) catalog, confirming that threat actors are actively abusing these flaws in real-world attacks. The update notably includes three vulnerabilities in Cisco Catalyst SD-WAN Manager, directly impacting large enterprises and service providers that rely on SD-WAN for business connectivity.
CISA Known Exploited Vulnerabilities Catalog: Why These Entries Matter
The CISA KEV catalog is a curated list of vulnerabilities for which exploitation “in the wild” has been verified. Inclusion in KEV signals that a weakness has moved beyond theoretical risk and is being used in active intrusion campaigns. For defenders, KEV is widely regarded as a de facto patching priority list.
The latest KEV update adds eight vulnerabilities, including:
- Three flaws in Cisco Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133);
- An additional vulnerability in JetBrains TeamCity for on‑premises deployments, complementing the previously listed CVE-2024-27198;
- CVE-2023-27351 in a widely used enterprise printing product, linked to the Lace Tempest threat group;
- CVE-2025-32975 in SMA (Secure Mobile Access) remote access solutions.
CISA has issued binding operational directives obligating U.S. federal civilian executive branch (FCEB) agencies to remediate these vulnerabilities within set deadlines, reflecting their criticality. Other organizations are strongly advised to treat these same dates as maximum acceptable timelines.
Exploited Cisco Catalyst SD-WAN Manager Vulnerabilities
Cisco Catalyst SD-WAN Manager is the centralized control plane for SD-WAN environments, coordinating connectivity across branch offices, plants and cloud workloads. A compromise of this management platform can enable attackers to alter routes, intercept or redirect traffic and pivot deeper into internal networks.
Cisco has acknowledged that in March 2026, adversaries began exploiting CVE-2026-20122 and CVE-2026-20128. While exploitation of CVE-2026-20133 has also been confirmed through its addition to KEV, Cisco’s advisory has not yet been updated to explicitly reflect active abuse of that CVE.
Due to the high impact on network integrity and confidentiality, CISA requires FCEB agencies to remediate the three Cisco SD-WAN Manager vulnerabilities by 23 April 2026. For commercial enterprises and critical infrastructure operators, this is a clear signal to urgently inventory all SD-WAN Manager instances, assess exposure and apply patches or mitigations without delay.
JetBrains TeamCity Vulnerabilities and Software Supply Chain Risk
The KEV catalog also now includes another flaw in JetBrains TeamCity on‑premises servers, on top of the previously listed critical vulnerability CVE-2024-27198. It remains unclear whether the newly added issue and CVE-2024-27198 are being chained in the same campaigns or exploited by the same threat actors.
CI/CD platforms such as TeamCity are particularly attractive targets because they orchestrate builds, tests and deployments. An attacker who compromises a CI/CD server can access source code, manipulate build pipelines and inject malicious components into software artifacts. This enables software supply chain attacks, where trojanized updates are distributed downstream to customers and partners, often with existing trust relationships and signed packages masking malicious changes.
CVE-2023-27351: Lace Tempest, Cl0p and LockBit Ransomware Activity
CVE-2023-27351, now incorporated into KEV, has previously been associated with operations by the Lace Tempest threat group. Security researchers have observed the vulnerability being leveraged in intrusion chains that delivered the Cl0p and LockBit ransomware families.
This pattern is consistent with the broader ransomware ecosystem: a widely deployed enterprise product is targeted with a reliable exploit, providing an initial foothold. Once inside, attackers exfiltrate data, disable defenses and deploy ransomware at scale. After proof‑of‑concept exploits become publicly available or integrated into offensive frameworks, organizations that have not patched face sharply elevated risk.
CVE-2025-32975: Attacks on SMA Remote Access Gateways
The vulnerability CVE-2025-32975 affects SMA (Secure Mobile Access) appliances, commonly used to provide encrypted remote access for employees, contractors and partners. According to incident observations reported by Arctic Wolf, unknown attackers have operationalized this bug and have been actively probing and exploiting unpatched SMA devices over the past month. The ultimate objectives of the campaign remain unclear.
Remote access and VPN infrastructure remain high‑value targets. Exploitation of a perimeter gateway can allow adversaries to bypass external defenses entirely, authenticate as legitimate users or create persistent tunnels into internal networks. Industry reporting over recent years has repeatedly highlighted compromised VPN and remote access systems as common entry points in major breaches.
Prioritizing Remediation: Practical Steps for Security Teams
The inclusion of a vulnerability in the CISA Known Exploited Vulnerabilities catalog should trigger immediate action. FCEB agencies must remediate the Cisco SD-WAN vulnerabilities by 23 April 2026 and the remaining KEV entries by 4 May 2026. Non‑federal organizations, including private sector and non‑U.S. entities, should align with or accelerate these timelines.
To reduce exposure and containment risk, organizations should:
- Inventory affected systems: Identify all Cisco Catalyst SD-WAN Manager instances, JetBrains TeamCity servers, printing solutions containing CVE-2023-27351 and SMA gateways, including shadow IT and test environments.
- Apply patches and firmware updates: Deploy vendor fixes as a top priority. Where patching is temporarily impossible, consider virtual patching, strict network access controls and temporary service isolation.
- Increase monitoring and detection: Intensify log collection and anomaly detection for SD-WAN controllers, CI/CD platforms and remote access appliances. Look for suspicious logins, configuration changes and data transfers.
- Review network segmentation: Ensure that SD-WAN controllers and VPN/SMA gateways are isolated and have only the minimum necessary access to internal assets, limiting blast radius in case of compromise.
- Operationalize KEV in vulnerability management: Incorporate the CISA KEV catalog into risk‑based patch management workflows, using KEV status as a key factor in prioritizing remediation.
The expansion of the CISA KEV catalog underscores a sustained attacker focus on network infrastructure, remote access paths and DevOps tooling as high‑leverage entry points. Organizations that systematically track KEV updates, rapidly remediate known exploited vulnerabilities and continuously harden monitoring and segmentation will be better positioned to withstand current and emerging campaigns. Now is an opportune moment to reassess critical systems, accelerate patching of actively exploited CVEs and reinforce the overall cyber resilience of the business.
