
Cyber Threats Daily — 2026-04-23

TITLE: KEV Surge: Cisco SD-WAN Emergency Directive, Microsoft Defender EoP, and PaperCut Back in Play — 2026-04-23

---

Executive Summary

CISA's KEV catalog absorbed a heavy batch over the past two weeks, headlined by a Cisco Catalyst SD-WAN Manager cluster (3 CVEs) under Emergency Directive 26-03 with remediation deadlines hitting today, 2026-04-23. A fresh Microsoft Defender EoP (CVE-2026-33825) landed yesterday, and PaperCut NG/MF (CVE-2023-27351) is back on the radar with confirmed ransomware usage. Federal civilian agencies and regulated enterprises should treat the SD-WAN, Defender, and PaperCut items as priority-one.

No source reported FETCH FAILED this run.

---

Priority 1 — Active Exploitation / Emergency Directives

Cisco Catalyst SD-WAN Manager — ED 26-03 (Due TODAY, 2026-04-23)

Three KEV additions on 2026-04-20, all governed by Emergency Directive 26-03 and CISA's "Hunt & Hardening Guidance for Cisco SD-WAN Devices":

  • CVE-2026-20122 — Incorrect Use of Privileged APIs. Malicious file upload via the API interface; exploit chain leads to elevated actions on the appliance.
  • CVE-2026-20128 — Credentials stored in recoverable format. Local, authenticated low-priv attacker can escalate to DCA user by reading a credential file.
  • CVE-2026-20133 — Exposure of sensitive information to unauthorized actors over the network.

SOC action: If you haven't already, execute the ED 26-03 hunt playbook tonight — review `/opt/web-app` upload artifacts, pull DCA credential file ACLs, and check for anomalous API POSTs. Deadline is non-negotiable for FCEB; enterprises should mirror.

Microsoft Defender — CVE-2026-33825 (Added 2026-04-22, due 2026-05-06)

Insufficient granularity of access control enabling local privilege escalation by an authorized attacker. Ransomware use: Unknown, but Defender-resident EoPs historically get weaponized quickly post-disclosure. Push the latest platform/engine updates via your management plane; verify `MpCmdRun` version and tamper protection state across the fleet.

PaperCut NG/MF — CVE-2023-27351 (Added 2026-04-20, due 2026-05-04)

Authentication bypass via the `SecurityRequestFilter` class. Known ransomware usage. This is a re-surfacing of a 2023 bug now observed in fresh campaigns. Inventory PaperCut instances (especially internet-exposed print portals), confirm patch level (≥22.0.9/20.1.7/21.2.11), and hunt for suspicious admin user creations and child processes of `pc-app.exe`/`java`.

JetBrains TeamCity — CVE-2024-27199 (Added 2026-04-20, due 2026-05-04)

Relative path traversal enabling limited admin actions. Known ransomware usage. Often chained with CVE-2024-27198. If your CI/CD is internet-facing, patch and rotate agent tokens.

---

Priority 2 — Recent KEV Additions

Enterprise Software

  • CVE-2025-2749 — Kentico Xperience path traversal via Staging Sync Server; authenticated upload-to-arbitrary-path. Due 2026-05-04.
  • CVE-2025-32975 — Quest KACE SMA improper authentication; attacker impersonation without creds. Due 2026-05-04.
  • CVE-2025-48700 — Zimbra ZCS stored XSS; session hijack potential. Due TODAY, 2026-04-23.
  • CVE-2026-34197 — Apache ActiveMQ improper input validation → code injection. Due 2026-04-30. Review broker exposure and upgrade promptly; ActiveMQ remains a ransomware favorite.

Microsoft Patch Tuesday Fallout (Added 2026-04-13/14)

Batch of Microsoft KEV entries with due date 2026-04-27/28 — patch if not already done:

  • CVE-2026-32201 — SharePoint Server improper input validation (spoofing over network).
  • CVE-2023-21529 — Exchange Server deserialization RCE (authenticated). Known ransomware usage.
  • CVE-2025-60710 — Windows link-following → privilege escalation.
  • CVE-2023-36424 — Windows CLFS out-of-bounds read → EoP.
  • CVE-2012-1854 — VBA insecure library loading → RCE (legacy; check legacy Office estates).
  • CVE-2009-0238 — Excel malformed-object RCE (legacy; audit macro-enabled docs in ingress channels).

Adobe

  • CVE-2026-34621 — Acrobat/Reader prototype pollution → arbitrary code execution. Due 2026-04-27.
  • CVE-2020-9715 — Adobe Acrobat use-after-free → code execution. Due 2026-04-27.

---

Priority 3 — Notable Overdue Items (Deadline Already Passed)

These are past due for FCEB; private-sector SOCs should verify closure:

  • CVE-2026-20131 — Cisco Secure FMC / SCC unauth deserialization RCE as root via web mgmt UI. Known ransomware usage. Due 2026-03-22.
  • CVE-2026-21643 / CVE-2026-35616 — Fortinet FortiClient EMS (SQLi and improper access control). Due 2026-04-16 / 2026-04-09.
  • CVE-2026-1340 — Ivanti EPMM unauth RCE via code injection. Due 2026-04-11.
  • CVE-2026-3055 — Citrix NetScaler SAML IdP OOB read. Due 2026-04-02.
  • CVE-2025-53521 — F5 BIG-IP APM stack overflow RCE. Due 2026-03-30.
  • CVE-2026-20963 — Microsoft SharePoint deserialization RCE. Due 2026-03-21.

If any of these remain unpatched in your estate, treat as an active incident precursor — generate exposure reports and initiate hunts for prior compromise.

---

Supply Chain & DevOps Watchlist

  • CVE-2026-33634 — Aqua Security Trivy embedded malicious code. CI/CD secret exfiltration risk. If Trivy is running in pipelines, rotate any secrets that were in scope during the affected window.
  • CVE-2026-33017 — Langflow code injection allowing public flows without auth.
  • CVE-2025-68613 — n8n workflow expression RCE.
  • CVE-2025-54068 — Laravel Livewire unauth RCE in specific routing scenarios.
  • CVE-2025-32432 — Craft CMS unauth RCE.
  • CVE-2026-3502 — TrueConf Client unverified update payloads; MITM-to-RCE.

AI/low-code tools (Langflow, n8n) continue trending into KEV — confirm these aren't shadow-deployed on dev servers with cloud credentials mounted.

---

Browser / Endpoint Chromium Cluster

  • CVE-2026-5281 — Google Dawn UAF (Chrome, Edge, others).
  • CVE-2026-3910 — Chromium V8 OOB memory access.
  • CVE-2026-3909 — Skia OOB write (Chrome, ChromeOS, Android, Flutter).

Push browser updates via MDM; these typically precede targeted exploitation of news-site watering holes and phishing lures.

---

Apple Ecosystem (Added 2026-03-20, due 2026-04-03 — should be closed)

  • CVE-2025-43510 — improper locking (shared memory).
  • CVE-2025-43520 — classic buffer overflow (kernel).
  • CVE-2025-31277 — WebKit buffer overflow.

Verify iOS/iPadOS/macOS/watchOS/visionOS/tvOS are on current trains across MDM.

---

Recommended Actions — Next 24 Hours

1. Close out today's deadlines: Cisco SD-WAN ED 26-03 (CVE-2026-20122/20128/20133) and Zimbra XSS (CVE-2025-48700).

2. Schedule Defender update verification (CVE-2026-33825) before 2026-05-06.

3. PaperCut hunt — given confirmed ransomware use, assume compromise on any unpatched internet-facing instance and run retrospective log review back to 2026-03-01.

4. Overdue audit — generate a KEV-past-due report and escalate Cisco FMC, Fortinet EMS, Ivanti EPMM, Citrix NetScaler, and F5 BIG-IP findings to leadership.

5. Supply-chain review — validate Trivy installation hashes and rotate any pipeline secrets if the malicious versions were pulled.
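Item 4 asks for a KEV past-due report. The Python below is an added example (not part of this digest or any CISA tooling): it buckets records laid out like CISA's public KEV JSON feed (a top-level `vulnerabilities` list with `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` fields) by deadline relative to a report date, sorting ransomware-linked entries first. The embedded sample is constructed from four entries named in this digest; a real run would load the downloaded catalog file instead.

```python
"""Bucket CISA KEV entries by remediation deadline (added example)."""
import json
from datetime import date

# Constructed sample in the layout of CISA's public KEV JSON feed, limited
# to the fields used below. CVE ids and due dates are those stated in the
# digest; a real run would json.load() the downloaded catalog instead.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "NG/MF",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-20131", "vendorProject": "Cisco", "product": "Secure FMC",
     "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
     "dueDate": "2026-05-06", "knownRansomwareCampaignUse": "Unknown"},
]})


def triage(kev_json: str, today: str) -> dict:
    """Return {'overdue': [...], 'due_today': [...], 'upcoming': [...]}.

    Each item records cve, product, days_left (negative when past due) and
    whether CISA lists known ransomware campaign use. Within a bucket,
    ransomware-linked entries come first, then the nearest deadline.
    """
    report_date = date.fromisoformat(today)
    buckets = {"overdue": [], "due_today": [], "upcoming": []}
    for v in json.loads(kev_json)["vulnerabilities"]:
        days_left = (date.fromisoformat(v["dueDate"]) - report_date).days
        item = {"cve": v["cveID"],
                "product": f'{v["vendorProject"]} {v["product"]}',
                "days_left": days_left,
                "ransomware": v.get("knownRansomwareCampaignUse") == "Known"}
        key = "overdue" if days_left < 0 else "due_today" if days_left == 0 else "upcoming"
        buckets[key].append(item)
    for items in buckets.values():
        items.sort(key=lambda i: (not i["ransomware"], i["days_left"]))
    return buckets


def past_due_lines(kev_json: str, today: str) -> list:
    """One escalation line per overdue entry, ransomware-linked first."""
    return [f'{i["cve"]} {i["product"]}: {-i["days_left"]} days past due'
            + (" [ransomware]" if i["ransomware"] else "")
            for i in triage(kev_json, today)["overdue"]]


if __name__ == "__main__":
    for line in past_due_lines(SAMPLE_KEV, "2026-04-23"):
        print(line)
```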

---

*Digest compiled from CISA KEV catalog additions as of 2026-04-23. No other sources returned data this run.*