Cyber Threats Daily — 2026-04-22

TITLE: Cisco SD-WAN Manager Under ED 26-03 — KEV Surge Adds 40 CVEs; Remediation Deadlines Hit This Week

---

Top Priority: Cisco Catalyst SD-WAN Manager — Emergency Directive 26-03

CISA added three Cisco Catalyst SD-WAN Manager CVEs to KEV on 2026-04-20 with an accelerated due date of 2026-04-23 (tomorrow). Federal civilian agencies are directed to CISA Emergency Directive 26-03 and the accompanying "Hunt & Hardening Guidance for Cisco SD-WAN Devices." Treat as active exploitation.

  • CVE-2026-20122 — Incorrect use of privileged APIs; malicious file upload via API interface on affected systems.
  • CVE-2026-20133 — Exposure of sensitive information to unauthorized actors; remote unauthenticated data disclosure.
  • CVE-2026-20128 — Passwords stored in recoverable format; local authenticated attacker escalates to DCA user privileges via credential file on filesystem.

SOC actions

  • Inventory all SD-WAN Manager instances (on-prem and cloud-hosted); validate exposure of the management/API plane to untrusted networks.
  • Execute CISA's Hunt & Hardening playbook: review API audit logs for unexpected file uploads, look for new/modified files in writable web paths, examine DCA credential file access by non-privileged users.
  • Rotate DCA and all local credentials post-patch; assume cleartext-equivalent material has been recoverable.
  • Apply Cisco's fixed releases immediately; if unpatched, isolate management interfaces behind jump hosts and restrict to known admin IPs.

---

Other KEV Additions with Due Dates This Week

Due 2026-04-23

  • CVE-2025-48700 — Synacor Zimbra Collaboration Suite (ZCS) stored XSS. Attacker-supplied JavaScript executes in user session; credential and mailbox compromise risk. Patch ZCS and review webmail audit logs.

Due 2026-04-27 (Microsoft Patch Tuesday cluster, added 2026-04-13)

  • CVE-2023-21529 — Microsoft Exchange Server deserialization of untrusted data → authenticated RCE. Known ransomware use. Prioritize hybrid Exchange and any remaining on-prem deployments.
  • CVE-2025-60710 — Windows link-following → local privilege escalation.
  • CVE-2023-36424 — Windows Common Log File System Driver OOB read → LPE.
  • CVE-2012-1854 — Microsoft VBA insecure library loading → RCE (legacy addition; hunt for Office installs lacking 2012-era rollups).
  • CVE-2020-9715 — Adobe Acrobat use-after-free → code execution.
  • CVE-2026-34621 — Adobe Acrobat and Reader prototype pollution → arbitrary code execution.

Due 2026-04-28

  • CVE-2009-0238 — Microsoft Office Excel malformed-object RCE. Very old CVE back on KEV — likely fresh in-the-wild observations against unpatched legacy Office. Confirm Office baseline and block legacy Excel (.xls) at mail gateways where feasible.
  • CVE-2026-32201 — Microsoft SharePoint Server improper input validation → spoofing over network.

Due 2026-04-30

  • CVE-2026-34197 — Apache ActiveMQ improper input validation → code injection. Apache ActiveMQ remains a recurring ransomware target; patch, then validate no webshells/new brokers.

---

KEV Additions Due 2026-05-04 (added 2026-04-20)

  • CVE-2023-27351 — PaperCut NG/MF authentication bypass via SecurityRequestFilter. Known ransomware use. Confirm PaperCut is at fixed build; this CVE has been weaponized repeatedly — assume internet-exposed unpatched servers are compromised.
  • CVE-2024-27199 — JetBrains TeamCity relative path traversal (limited admin actions). Known ransomware use. Patch TeamCity; audit build agents and service accounts.
  • CVE-2025-2749 — Kentico Xperience path traversal via authenticated Staging Sync Server → arbitrary data upload.
  • CVE-2025-32975 — Quest KACE SMA improper authentication → user impersonation without valid credentials. High blast radius given KACE's endpoint management role; patch urgently and hunt for anomalous admin logons.

---

Already-Overdue KEV Items (verify remediation status)

The following entries carried due dates that have already elapsed. If not remediated, they represent BOD 22-01 noncompliance and active exposure:

  • CVE-2026-21643 — Fortinet FortiClient EMS SQLi, unauthenticated RCE (due 2026-04-16).
  • CVE-2026-35616 — Fortinet FortiClient EMS improper access control, unauthenticated code execution (due 2026-04-09).
  • CVE-2026-1340 — Ivanti EPMM code injection, unauthenticated RCE (due 2026-04-11).
  • CVE-2026-3502 — TrueConf Client update without integrity check → supply-chain RCE (due 2026-04-16).
  • CVE-2026-5281 — Google Dawn use-after-free affecting Chromium-based browsers (due 2026-04-15).
  • CVE-2026-3055 — Citrix NetScaler ADC/Gateway SAML IdP OOB read (due 2026-04-02).
  • CVE-2025-53521 — F5 BIG-IP APM stack buffer overflow → RCE (due 2026-03-30).
  • CVE-2026-33634 — Aquasecurity Trivy embedded malicious code → CI/CD secrets compromise (due 2026-04-09). Rotate all CI/CD tokens, SSH keys, and cloud credentials if a tainted Trivy version ran in pipelines.
  • CVE-2026-33017 — Langflow code injection, unauth public-flow build (due 2026-04-08).
  • CVE-2025-32432 — Craft CMS code injection → RCE (due 2026-04-03).
  • CVE-2025-54068 — Laravel Livewire code injection → unauth RCE (due 2026-04-03).
  • CVE-2025-43510 / CVE-2025-43520 / CVE-2025-31277 — Apple multi-product memory-corruption trio across iOS/macOS/watchOS/visionOS/tvOS (due 2026-04-03).
  • CVE-2026-20131 — Cisco Secure FMC / SCC Firewall Management deserialization → unauthenticated RCE as root. Known ransomware use. Due 2026-03-22 — if still unpatched, assume breach and initiate IR.
  • CVE-2025-66376 — Zimbra ZCS Classic UI XSS via CSS `@import` (due 2026-04-01).
  • CVE-2026-20963 — Microsoft SharePoint deserialization → unauth code execution (due 2026-03-21).
  • CVE-2025-47813 — Wing FTP Server info disclosure via long UID cookie (due 2026-03-30).
  • CVE-2026-3910 / CVE-2026-3909 — Chromium V8 / Skia memory-corruption bugs (due 2026-03-27).
  • CVE-2025-68613 — n8n expression-engine RCE (due 2026-03-25).
  • CVE-2021-22054 — Omnissa (VMware) Workspace ONE UEM unauth SSRF (due 2026-03-23).
  • CVE-2025-26399 — SolarWinds Web Help Desk AjaxProxy deserialization → command execution (due 2026-03-12).

---

Detection & Hardening Priorities This Week

1. Cisco SD-WAN Manager — ED 26-03 compliance by EOD 2026-04-23; hunt per CISA guidance even on patched hosts.

2. Exchange on-prem (CVE-2023-21529) and Cisco FMC/SCC (CVE-2026-20131) — both flagged for ransomware tradecraft and RCE; verify patch and pivot to IR if lagging.

3. PaperCut (CVE-2023-27351) and TeamCity (CVE-2024-27199) — recurrent ransomware targets; confirm builds and audit external exposure.

4. FortiClient EMS and Ivanti EPMM — overdue KEVs with unauth RCE; if unpatched, treat as presumed compromise.

5. Trivy supply-chain (CVE-2026-33634) — audit scanner versions across pipelines and rotate CI/CD secrets where a tainted release was used.
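The overdue and due-this-week buckets above are what a KEV triage pass produces when the catalog is joined against an asset inventory. The following script is an added example, not code from the bulletin or from CISA; it assumes the public KEV catalog JSON schema (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse`), which CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json. The sample entries are constructed from this bulletin's CVE ids and due dates, and the host inventory is a hypothetical placeholder; swap in the live feed and your CMDB export to run it for real.

```python
"""Bucket CISA KEV entries by remediation due date against an inventory.

Added example, not part of the bulletin. Assumes the KEV catalog JSON
schema; sample data below is constructed and abbreviated.
"""
import json
from datetime import date, timedelta

# Constructed subset in the KEV catalog schema. CVE ids, products and due
# dates come from the bulletin; other catalog fields are omitted.
SAMPLE_KEV = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dueDate": "2026-04-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dueDate": "2026-04-27",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut",
         "product": "NG/MF", "dueDate": "2026-05-04",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
         "product": "FortiClient EMS", "dueDate": "2026-04-16",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20131", "vendorProject": "Cisco",
         "product": "Secure FMC", "dueDate": "2026-03-22",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Hypothetical inventory: (vendorProject, product) -> hosts still unpatched.
# A real run would build this from a CMDB or vulnerability-scanner export.
SAMPLE_INVENTORY = {
    ("Cisco", "Catalyst SD-WAN Manager"): ["sdwan-mgr-01"],
    ("Microsoft", "Exchange Server"): ["exch-hybrid-01", "exch-hybrid-02"],
    ("Fortinet", "FortiClient EMS"): ["ems-01"],
}


def triage(kev_json, inventory, today, window_days=7):
    """Return {'overdue', 'due_soon', 'later'} lists of affected KEV items.

    Items are ordered by days remaining, with known-ransomware entries
    first among equals, which mirrors the bulletin's own ordering.
    Products with no unpatched hosts in the inventory are skipped.
    """
    catalog = json.loads(kev_json)["vulnerabilities"]
    horizon = today + timedelta(days=window_days)
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for entry in catalog:
        hosts = inventory.get((entry["vendorProject"], entry["product"]), [])
        if not hosts:
            continue
        due = date.fromisoformat(entry["dueDate"])
        item = {
            "cve": entry["cveID"],
            "product": entry["product"],
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "hosts": hosts,
        }
        if due < today:
            buckets["overdue"].append(item)
        elif due <= horizon:
            buckets["due_soon"].append(item)
        else:
            buckets["later"].append(item)
    for items in buckets.values():
        items.sort(key=lambda i: (i["days_left"], not i["ransomware"]))
    return buckets


def report(buckets):
    """Render one line per item; overdue items carry a presumed-compromise flag."""
    lines = []
    for bucket, items in buckets.items():
        for i in items:
            tag = " [RANSOMWARE]" if i["ransomware"] else ""
            note = " -> presume compromise, start IR" if bucket == "overdue" else ""
            lines.append(f"{bucket:8} {i['cve']} {i['product']} due {i['due']} "
                         f"({i['days_left']:+d}d){tag} hosts={','.join(i['hosts'])}{note}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_KEV, SAMPLE_INVENTORY, date(2026, 4, 22))):
        print(line)
```

Run on the bulletin date (2026-04-22) with a seven-day window, the script puts FortiClient EMS in the overdue bucket with the IR note, and lists SD-WAN Manager ahead of Exchange in the due-soon bucket because its deadline is a day away, even though Exchange carries the ransomware flag. PaperCut and FMC drop out only because the placeholder inventory has no unpatched hosts for them; an incomplete inventory is the usual reason a KEV item is missed, so treat an empty bucket as a prompt to check inventory coverage rather than as good news.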

Stay patched, stay paranoid.