What Happened
CISA expanded its Known Exploited Vulnerabilities catalog with eight new additions on April 20 and 21, 2026, spanning six vendors. Three target Cisco Catalyst SD-WAN Manager: CVE-2026-20122 (incorrect privileged API use), CVE-2026-20128 (password stored in recoverable format), and CVE-2026-20133 (sensitive information exposure to unauthenticated remote attackers). All three allow attackers to extract sensitive system information without credentials. CISA separately confirmed CVE-2026-20133 as a new actively exploited flaw while Cisco’s PSIRT was still reviewing the claim at time of publication. Read the original CISA alert at CISA and the CVE-2026-20133 report at Help Net Security.
The other five additions include: CVE-2023-27351 (PaperCut NG/MF improper authentication, previously linked to Lace Tempest deploying Cl0p and LockBit), CVE-2024-27199 (JetBrains TeamCity relative path traversal), CVE-2025-2749 (Kentico Xperience path traversal), CVE-2025-32975 (Quest KACE SMA improper authentication), and CVE-2025-48700 (Zimbra Collaboration Suite cross-site scripting). Federal civilian agencies must patch the three Cisco flaws by April 23 and the remaining five by May 4.
Why This Matters for Canadian Organizations
Cisco Catalyst SD-WAN Manager is deployed broadly in Canadian enterprise, government, and telecommunications infrastructure. The three SD-WAN flaws allow attackers to extract sensitive configuration data without credentials — including network topology, recovered passwords, and privileged API outputs. For threat actors performing reconnaissance before a larger intrusion, these flaws hand over the keys to the network architecture. Cisco SD-WAN is present in federal departments, Crown corporations, and large private sector networks across the country.
PaperCut NG/MF is extensively deployed in Canadian schools, universities, hospitals, and government offices for print management. CVE-2023-27351 was previously weaponized by Lace Tempest to deliver Cl0p and LockBit ransomware against education and healthcare targets. Organizations running unpatched PaperCut should treat this as an active threat, not a backlog item.
JetBrains TeamCity deployments in Canadian DevOps environments also warrant attention. The TeamCity path traversal entry was previously exploited by state-linked actors to steal source code and inject backdoors into software build pipelines — a supply chain risk with broad downstream consequences for customers and partners.
What to Do
Run an immediate inventory of Cisco Catalyst SD-WAN Manager, PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, and Zimbra Collaboration Suite across your environment. Prioritize internet-exposed instances. For Cisco SD-WAN, apply vendor patches and audit access logs for unusual queries against sensitive configuration endpoints. For PaperCut, confirm version currency and check for signs of prior exploitation including unauthorized admin account creation. Treat the CISA April 23 deadline for Cisco flaws as applicable regardless of US federal scope — active exploitation evidence applies universally.
