Cyber Threats Daily — 2026-04-21
TITLE: Cyber Threats Daily — Cisco SD-WAN Manager Emergency Directive 26-03; 7 New KEV Adds Due 23 APR
---
Top Priority: Cisco Catalyst SD-WAN Manager — Emergency Directive 26-03
CISA added three Cisco Catalyst SD-WAN Manager CVEs to KEV on 2026-04-20, all tied to Emergency Directive 26-03 with a hard remediation deadline of 2026-04-23 (48 hours from the add date). Federal civilian agencies must assess and mitigate immediately; private-sector SOCs should treat this as an equivalent priority given the chained exploitation potential (unauth file upload → credential recovery → privileged API abuse).
- CVE-2026-20122 — Incorrect use of privileged APIs; improper file handling on the API interface allows arbitrary file upload to the local FS. Likely initial access vector.
- CVE-2026-20133 — Exposure of sensitive information to unauthorized actor; remote attackers can view sensitive data on affected systems.
- CVE-2026-20128 — Storing passwords in a recoverable format; authenticated local attacker escalates to DCA user by reading a credential file as a low-priv user. Natural post-exploit pivot from CVE-2026-20122.
Action: Follow CISA's "Hunt & Hardening Guidance for Cisco SD-WAN Devices" and ED 26-03. Restrict management interface exposure, rotate DCA and any shared credentials on SD-WAN Manager hosts, pull forensic images before patching where possible, and hunt for anomalous file uploads, new admin accounts, and unexpected API calls on vManage/SD-WAN Manager nodes.
Note: The CISA feed's short description for CVE-2026-20122 uses the product string "Catalyst SD-WAN Manger" (typo in the feed); it is the same product as the other two entries.
---
Other KEV Additions — 2026-04-20 (Due 2026-05-04 unless noted)
- CVE-2025-48700 — Synacor Zimbra Collaboration Suite (ZCS) — Stored/reflected XSS enabling session-context JS execution. Due 2026-04-23 (expedited). Pair with prior CVE-2025-66376 (ZCS Classic UI CSS `@import` XSS, added 2026-03-18) — Zimbra remains an active targeting vector; prioritize patching and mail-gateway HTML sanitization.
- CVE-2025-2749 — Kentico Xperience — Authenticated path traversal via Staging Sync Server, arbitrary file write to relative paths. Likely webshell delivery precursor. Due 2026-05-04.
- CVE-2023-27351 — PaperCut NG/MF — Auth bypass via `SecurityRequestFilter`. Previously exploited by ransomware affiliates in 2023; re-listing suggests continued opportunistic exploitation. Due 2026-05-04.
- CVE-2025-32975 — Quest KACE SMA — Improper authentication enabling user impersonation without valid credentials. High-value endpoint-management target. Due 2026-05-04.
- CVE-2024-27199 — JetBrains TeamCity — Relative path traversal allowing limited admin actions. Build/CI-CD pivot risk. Due 2026-05-04.
---
Active Ransomware Use — Still Open for Many Agencies
CVE-2026-20131 — Cisco Secure FMC / SCC Firewall Management
Added 2026-03-19 with `knownRansomwareCampaignUse: Known`. Unauthenticated RCE as root via deserialization in the web management UI. The original due date of 2026-03-22 has passed, so any unpatched instance should be treated as a likely compromise. Hunt for anomalous Java process children, outbound C2 from FMC nodes, and unexpected policy modifications.
---
Recent Past-Due and Near-Due KEVs Worth Validating
Given the Cisco event pulling SOC attention, confirm these earlier items are actually remediated:
- CVE-2026-34197 — Apache ActiveMQ (added 2026-04-16, due 2026-04-30) — Improper input validation → code injection. ActiveMQ remains a recurring ransomware initial-access target.
- CVE-2026-32201 — Microsoft SharePoint Server (added 2026-04-14, due 2026-04-28) — Improper input validation / spoofing over network. Stack with older CVE-2026-20963 (SharePoint deserialization RCE, due 2026-03-21 — should already be closed).
- CVE-2025-60710 — Windows Link Following (due 2026-04-27) — LPE primitive commonly chained post-initial access.
- CVE-2023-36424 — Windows CLFS OOB Read (due 2026-04-27) — Another LPE in the heavily abused CLFS driver family.
- CVE-2023-21529 — Exchange Server deserialization RCE (due 2026-04-27) — Authenticated RCE; validate ProxyNotShell-era mitigations and patch level.
- CVE-2009-0238 — Microsoft Office Excel RCE (due 2026-04-28) — Yes, 2009. Legacy Office still being weaponized in phishing; confirm no unsupported Office installs remain.
- CVE-2012-1854 — Microsoft VBA insecure library loading (due 2026-04-27) — DLL sideloading via Office docs.
- CVE-2020-9715 — Adobe Acrobat UAF and CVE-2026-34621 — Acrobat/Reader prototype pollution (both due 2026-04-27) — PDF remains a dominant phishing payload; push Reader/Acrobat updates this cycle.
- CVE-2026-21643 — Fortinet FortiClient EMS SQLi (unauth RCE via crafted HTTP; due 2026-04-16 — past due). Along with CVE-2026-35616 (FortiClient EMS improper access control, due 2026-04-09 — past due), these should be verified patched across all EMS deployments.
- CVE-2026-1340 — Ivanti EPMM code injection (unauth RCE, due 2026-04-11 — past due). Ivanti EPMM continues its long streak of in-the-wild exploitation; if you still run it, assume prior compromise until proven otherwise.
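A small triage helper for the "confirm these are actually remediated" step above, added here as an example and not part of the digest: it buckets a KEV JSON export into past-due, due-soon and later entries, ranking ransomware-flagged items first. It assumes the public KEV feed's field names (`cveID`, `product`, `dueDate`, `knownRansomwareCampaignUse`); the sample entries are constructed from this digest's CVEs and due dates, with only the fields the helper reads.

```python
"""Triage a CISA KEV catalog export by due date and ransomware flag."""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed's "vulnerabilities" array
# (only the fields used below; dates are the ones cited in the digest).
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20122", "product": "Catalyst SD-WAN Manager",
     "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20131", "product": "Secure FMC",
     "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-21643", "product": "FortiClient EMS",
     "dueDate": "2026-04-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-2749", "product": "Xperience",
     "dueDate": "2026-05-04", "knownRansomwareCampaignUse": "Unknown"},
]})


def triage(kev_json: str, today: date, near_days: int = 7) -> dict:
    """Return {"past_due": [...], "due_soon": [...], "later": [...]}.

    Each record carries the CVE id, product, days until due (negative when
    overdue) and a ransomware flag. Within a bucket, ransomware-flagged
    entries sort first, then by urgency.
    """
    buckets = {"past_due": [], "due_soon": [], "later": []}
    for v in json.loads(kev_json)["vulnerabilities"]:
        days = (date.fromisoformat(v["dueDate"]) - today).days
        rec = {"cve": v["cveID"], "product": v["product"], "days": days,
               "ransomware": v.get("knownRansomwareCampaignUse") == "Known"}
        if days < 0:
            buckets["past_due"].append(rec)
        elif days <= near_days:
            buckets["due_soon"].append(rec)
        else:
            buckets["later"].append(rec)
    for recs in buckets.values():
        recs.sort(key=lambda r: (not r["ransomware"], r["days"]))
    return buckets


if __name__ == "__main__":
    for name, recs in triage(SAMPLE_KEV, date(2026, 4, 21)).items():
        print(name.upper())
        for r in recs:
            tag = " [RANSOMWARE]" if r["ransomware"] else ""
            print(f"  {r['cve']:<16} {r['product']:<24} {r['days']:+d}d{tag}")
```

Point it at the full feed by replacing `SAMPLE_KEV` with the contents of the KEV JSON download; the digest date 2026-04-21 is passed as `today` so the output matches the past-due calls made above.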
---
Supply-Chain and Dev-Tooling Watch
- CVE-2026-33634 — Aqua Security Trivy — Embedded malicious code exposing CI/CD secrets, cloud creds, SSH keys. Audit any CI runners that pulled Trivy in the affected window and rotate exposed tokens/keys.
- CVE-2026-33017 — Langflow code injection (unauth build of public flows) and CVE-2025-68613 — n8n expression-evaluator RCE — Low-code/LLM-orchestration platforms continue to surface unauth RCE. Inventory shadow deployments; these are often stood up outside IT change control.
- CVE-2026-3502 — TrueConf Client — Update integrity bypass enabling code substitution on the update channel. Restrict updater egress and pin update sources.
---
Browser / Endpoint
- CVE-2026-5281 — Google Dawn UAF (due 2026-04-15 — past due) and CVE-2026-3910 (V8) / CVE-2026-3909 (Skia) (due 2026-03-27 — past due): Chromium-ecosystem RCE chain prerequisites. Ensure Chrome, Edge, Brave, and Electron apps are current.
- Apple CVE-2025-43510 / -43520 / -31277 (due 2026-04-03 — past due): Kernel memory and buffer-overflow issues across iOS/macOS/watchOS/visionOS/tvOS. Verify MDM compliance reporting reflects patched builds.
---
SOC Priorities for Next 48 Hours
1. Cisco SD-WAN Manager: Execute ED 26-03 today. Credential rotation + hunt, not just patch.
2. Zimbra: Patch CVE-2025-48700 by 2026-04-23; review mail-store for XSS-delivered session hijack indicators.
3. Fortinet FortiClient EMS and Ivanti EPMM: Confirm past-due KEVs are truly closed; both are active ransomware pre-positioning targets.
4. Cisco FMC/SCC (CVE-2026-20131): Retro-hunt for compromise given confirmed ransomware use.
5. CI/CD hygiene: Trivy, Langflow, n8n inventory sweep and secret rotation where exposure is plausible.
— End of digest.
