Am I affected by CVE-2026-20122?

Cisco Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133). Quest KACE SMA unpatched against CVE-2025-32975 (CVSS 10.0). PaperCut NG/MF against CVE-2023-27351. JetBrains TeamCity against CVE-2024-27199. Synacor Zimbra Collaboration Suite against CVE-2025-48700. Kentico Xperience against CVE-2025-2749.

How do I fix CVE-2026-20122?

Apply vendor-released patches for each product. Cisco SD-WAN Manager needs fixing by end of day April 23 to meet the CISA federal deadline - treat the same as a commercial deadline and patch today. The other five carry a May 4 CISA deadline. If you cannot patch immediately, remove affected products from direct internet exposure and monitor for the exploitation patterns each vendor describes. For Zimbra specifically, check mailbox audit logs for unusual TGZ archive creation and review MFA backup code usage.

Cisco Catalyst SD-WAN Manager users have until today to patch three actively-exploited flaws as CISA adds eight to the KEV catalog

vulnerability

CVE-2026-20122 CVE-2026-20128 CVE-2026-20133 CVE-2025-32975 CVE-2023-27351 CVE-2024-27199 CVE-2025-48700 CVE-2025-2749

2026-04-21

Cisco Catalyst SD-WAN Manager users have until today to patch three actively-exploited flaws as CISA adds eight to the KEV catalog

CISA added eight actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with federal agencies required to patch three Cisco Catalyst SD-WAN Manager flaws by today, April 23, and the remaining five by May 4. The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) enable arbitrary file upload with vmanage user privileges, recovery of stored credentials for the DCA user, and unauthenticated disclosure of sensitive configuration data. Cisco confirmed exploitation of the first two in March 2026. The other five cover a wide blast radius: CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance letting attackers impersonate any user without credentials, exploited in the wild by unknown actors last month per Arctic Wolf. CVE-2023-27351 is the PaperCut NG/MF bypass that Microsoft's Lace Tempest chained into Cl0p and LockBit deployments back in 2023. CVE-2024-27199 is a path traversal in JetBrains TeamCity giving limited admin actions - its sibling CVE-2024-27198 is already on the KEV list. CVE-2025-48700 is a Zimbra XSS that the Ukrainian CERT attributes to UAC-0233/UAC-0250 for stealing mailbox contents, MFA backup codes, and application passwords. CVE-2025-2749 is a Kentico Xperience Staging Sync Server path traversal.

Check: Check your environment for any exposed or internal instances of Cisco Catalyst SD-WAN Manager, Quest KACE SMA, PaperCut NG/MF, JetBrains TeamCity, Zimbra Collaboration Suite, or Kentico Xperience and confirm patch status against the specific CVEs below.
Affected: Cisco Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133). Quest KACE SMA unpatched against CVE-2025-32975 (CVSS 10.0). PaperCut NG/MF against CVE-2023-27351. JetBrains TeamCity against CVE-2024-27199. Synacor Zimbra Collaboration Suite against CVE-2025-48700. Kentico Xperience against CVE-2025-2749.
Fix: Apply vendor-released patches for each product. Cisco SD-WAN Manager needs fixing by end of day April 23 to meet the CISA federal deadline - treat the same as a commercial deadline and patch today. The other five carry a May 4 CISA deadline. If you cannot patch immediately, remove affected products from direct internet exposure and monitor for the exploitation patterns each vendor describes. For Zimbra specifically, check mailbox audit logs for unusual TGZ archive creation and review MFA backup code usage.