Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: cisa-kev (33 articles)Clear

Over 10,500 Zimbra servers still vulnerable to actively-exploited XSS as CISA gives federal agencies just three days to patch (CVE-2025-48700)

Shadowserver scan data published Friday shows over 10,500 Zimbra Collaboration Suite instances still unpatched against CVE-2025-48700, a Classic-UI XSS that Synacor fixed in June 2025 but CISA only added to KEV on April 20. Exposed servers split nearly evenly between Asia (3,794) and Europe (3,793). The flaw triggers when a victim simply views a crafted email - no clicks - and runs JavaScript inside their authenticated session for mailbox theft and MFA backup-code retrieval. Zimbra is a recurring APT target: Russia's Winter Vivern, APT29, and APT28 have all run Zimbra-XSS campaigns against NATO and Ukrainian targets.

Check
If you run Zimbra anywhere - including subsidiaries, acquired companies, and overseas regional offices - confirm patch status against CVE-2025-48700 today.
Affected
Zimbra Collaboration Suite 8.8.15, 9.0, 10.0, and 10.1 without the June 2025 security patches. Exploitation requires a user to view a crafted email in the Classic UI; servers using only the Modern UI are not exposed via this specific flaw, but related issues are addressed by the same patch. CVSS 6.1.
Fix
Apply the June 2025 patches across all instances. Where immediate patching is impossible, switch users to the Modern UI as a stopgap and remove webmail from direct internet exposure. Audit the past 60 days of mailbox audit logs for unusual TGZ archive creation, MFA backup-code retrieval, application-password generation, and bulk address-book access. Rotate application passwords issued during the vulnerable window.

Federal patch deadline for 13-year-old Apache ActiveMQ flaw is Wednesday - 7,500+ servers still exposed online (CVE-2026-34197)

Federal agencies have until April 30 - this Wednesday - to patch Apache ActiveMQ servers against CVE-2026-34197, a remote code execution flaw that has been hiding in the open source message broker for 13 years. Shadowserver shows more than 7,500 ActiveMQ servers still exposed online and unpatched. The bug normally requires a login, but on ActiveMQ versions 6.0.0 through 6.1.1 a separate older flaw lets attackers skip the login step entirely - making this an unauthenticated remote takeover on those builds. The vulnerability was found using Anthropic's Claude AI assistant by a researcher at Horizon3.ai, who said the discovery was '80% Claude.'

Check
Inventory every Apache ActiveMQ server, including in subsidiary networks and old developer environments, and patch this week before the federal deadline.
Affected
Apache ActiveMQ Classic versions before 5.19.4 and 6.x versions before 6.2.3. CVSS 8.4. ActiveMQ 6.0.0 through 6.1.1 are at acute risk because a separate flaw (CVE-2024-32114) removes the login requirement entirely on those versions, making this an unauthenticated takeover. ActiveMQ Artemis is not affected.
Fix
Upgrade to ActiveMQ Classic 5.19.4 or 6.2.3 (ideally to 5.19.6 or 6.2.5). Change any default admin:admin credentials before exposing the broker again. Hunt broker logs for POSTs to /api/jolokia/ containing 'addNetworkConnector', for unexpected outbound HTTP from the Java process, and for unexpected child processes. Restrict the Jolokia API to internal networks only.

CISA adds actively-exploited Microsoft Defender 'BlueHammer' flaw to KEV as two sibling zero-days (RedSun, UnDefend) remain unpatched (CVE-2026-33825)

CISA added CVE-2026-33825 to its Known Exploited Vulnerabilities catalog on April 23 with a May 7 federal patch deadline. The flaw, nicknamed BlueHammer, is a race condition in Windows Defender's file-remediation logic that lets an unprivileged local attacker overwrite arbitrary files on disk and escalate to SYSTEM on fully-patched Windows 10 and Windows 11 hosts. It was patched in Microsoft's April 8 Patch Tuesday but a working proof-of-concept had already been published to GitHub by a researcher called 'Chaotic Eclipse' on April 7, before the fix shipped. Huntress Labs saw in-the-wild exploitation from April 10, with attackers also picking up two sibling Defender zero-days the same researcher leaked: RedSun (another local privilege escalation) and UnDefend (a denial-of-service that blocks Defender from pulling security definition updates, effectively disarming the EDR). Those two still have no Microsoft patch. The combination - a working privilege-escalation path plus an unpatched technique to silently cripple Defender itself - makes this a priority hunt, not just a priority patch.

Check
Verify that every Windows 10 and Windows 11 endpoint in your fleet has the April 2026 Patch Tuesday update installed and then hunt for the BlueHammer/RedSun/UnDefend technique patterns in your EDR telemetry.
Affected
Windows 10 and Windows 11 endpoints that have not installed the April 8, 2026 Patch Tuesday cumulative update. Note that patching closes BlueHammer (CVE-2026-33825) only - RedSun and UnDefend remain unpatched at time of writing, so patched hosts are still exposed to local privilege escalation via RedSun and to Defender disablement via UnDefend.
Fix
Deploy the April 2026 Patch Tuesday update (which addresses CVE-2026-33825) to every Windows endpoint and verify coverage against MDM or configuration-management inventory rather than trusting WSUS compliance alone. For the two unpatched sibling flaws, tighten EDR rules to alert on: anomalous file writes to Defender-controlled paths, unexpected changes to Defender signature update behavior, and any process attempting to stop or starve MsMpEng.exe. Treat any host where Defender has not received a signature update in over 48 hours as suspicious until proven otherwise. Review Huntress's public IoCs for the three techniques.

Over 1,300 SharePoint servers still exposed to ongoing spoofing attacks a week after Microsoft's patch (CVE-2026-32201)

Shadowserver data shows 1,300+ internet-exposed Microsoft SharePoint servers remain unpatched against CVE-2026-32201, a spoofing flaw Microsoft confirmed as a zero-day and CISA added to its Known Exploited Vulnerabilities catalog the same day the fix dropped in April Patch Tuesday. Fewer than 200 systems have been patched since the update shipped last week. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. An unauthenticated attacker can perform network spoofing through improper input validation in a low-complexity attack that needs no user interaction, letting them view sensitive information and modify data, though not affect availability. Microsoft has not described the exploitation technique or attributed the attacks to a specific group, which is unusual for a zero-day and hints at an ongoing investigation. CISA ordered federal agencies to patch by April 28 under Binding Operational Directive 22-01, and given ongoing in-the-wild abuse, private-sector operators should treat that as their own deadline. SharePoint's habit of holding cached Office 365 tokens, SharePoint-signed refresh tokens, and IP on sensitive business processes makes any compromise a serious lateral-movement foothold, not a minor information disclosure.

Check
Inventory every on-premises SharePoint instance in your environment (including dev and staging that may be exposed to the internet) and verify that the April 2026 Patch Tuesday update for CVE-2026-32201 is installed.
Affected
SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition (the 'continuous update' on-premises edition) without the April 2026 security update.
Fix
Install the April 2026 Patch Tuesday security updates for each affected SharePoint version. If a server cannot be patched immediately, pull it off the public internet and put it behind a VPN or Zero Trust gateway, and monitor authentication logs for unexpected token-generation patterns. After patching, audit the last 10 days of SharePoint auth logs and any connected Office 365 federated token issuance for anomalies, since the patch will not retroactively invalidate tokens minted during exploitation.

Cisco Catalyst SD-WAN Manager flaw added to CISA KEV with 4-day federal patch deadline - actively exploited (CVE-2026-20133)

CISA added a Cisco Catalyst SD-WAN Manager information disclosure flaw to its Known Exploited Vulnerabilities catalog on Monday, ordering federal agencies to patch by Friday, April 24 - an unusually aggressive 4-day deadline that reflects confirmed active exploitation. CVE-2026-20133 is an unauthenticated remote flaw in the SD-WAN Manager (formerly vManage) API, caused by insufficient file system access restrictions. An attacker can access the API and read sensitive information from the underlying operating system - including credentials that enable follow-on attacks. Cisco patched it in late February alongside two other SD-WAN Manager flaws (CVE-2026-20128 and CVE-2026-20122, both also added to KEV this week and confirmed exploited in the wild). Catalyst SD-WAN Manager is used to centrally manage up to 6,000 SD-WAN devices from one dashboard, making it a high-value target. Oddly, Cisco's PSIRT still says they have no evidence of public exploitation - contradicting CISA. CISA is treating its own intelligence as authoritative and has issued Emergency Directive 26-03 plus a Hunt & Hardening Guide for Cisco SD-WAN. Over the past several years CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six used by ransomware operations.

Check
If you run Cisco Catalyst SD-WAN Manager (or the old vManage), patch today. CISA's 4-day federal deadline is the clearest signal yet that exploitation is widespread.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) running versions prior to the February 2026 security update. Three CVEs are in play: CVE-2026-20133 (unauthenticated information disclosure, just added to KEV), CVE-2026-20128 (recoverable password storage), and CVE-2026-20122 (incorrect privileged API use). All three are confirmed exploited in the wild.
Fix
Apply Cisco's February 2026 security update for Catalyst SD-WAN Manager which fixes all three CVEs. If patching is delayed beyond April 24, follow CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices - restrict API access to trusted admin IPs only and review API access logs for unusual file-system-related requests over the past 60 days. Rotate any credentials stored on the SD-WAN Manager, as CVE-2026-20128 exposes them in recoverable format.

6,400 exposed Apache ActiveMQ servers still vulnerable to actively exploited CVE-2026-34197 - ShadowServer data shows Asia most impacted

Day-after follow-up to our April 18 coverage: Shadowserver has published telemetry showing 6,400+ Apache ActiveMQ servers exposed online are still vulnerable to CVE-2026-34197, the 13-year-old code injection flaw CISA added to KEV last week with an April 30 federal patch deadline. Geographic breakdown: Asia leads with 2,925 vulnerable servers, North America follows at 1,409, Europe at 1,334. Horizon3's Naveen Sunkavally (who discovered the flaw using the Claude AI assistant as his research tool) is urging admins to treat this as high priority, noting ActiveMQ has been a repeated target for real-world attackers - CVE-2016-3088 and CVE-2023-46604 are both on KEV, with the latter used as a zero-day by the TellYouThePass ransomware gang. The Apache maintainers patched the flaw on March 30 in ActiveMQ Classic 6.2.3 and 5.19.4. Horizon3 recommends searching broker logs for suspicious connections using the internal VM transport protocol with the brokerConfig=xbean:http:// query parameter as an indicator of exploitation.

Check
If you haven't patched ActiveMQ since March 30, check now. ShadowServer data shows thousands of exposed servers are still unpatched two weeks after the advisory.
Affected
Apache ActiveMQ Classic versions 5.x before 5.19.4, and 6.0.0 before 6.2.3, with the Jolokia JMX-HTTP bridge exposed via the web console at /api/jolokia/. ShadowServer identifies 6,400+ internet-exposed vulnerable instances as of April 20.
Fix
Upgrade to ActiveMQ Classic 5.19.4 or 6.2.3. For retroactive detection, search broker logs for connections using the internal VM transport protocol combined with the brokerConfig=xbean:http:// parameter - this pattern indicates an exploitation attempt regardless of success. If an exploit signature is found, treat the broker host as potentially compromised and rotate all credentials that passed through it.

Cisco Catalyst SD-WAN Manager users have until today to patch three actively-exploited flaws as CISA adds eight to the KEV catalog

CISA added eight actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with federal agencies required to patch three Cisco Catalyst SD-WAN Manager flaws by today, April 23, and the remaining five by May 4. The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) enable arbitrary file upload with vmanage user privileges, recovery of stored credentials for the DCA user, and unauthenticated disclosure of sensitive configuration data. Cisco confirmed exploitation of the first two in March 2026. The other five cover a wide blast radius: CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance letting attackers impersonate any user without credentials, exploited in the wild by unknown actors last month per Arctic Wolf. CVE-2023-27351 is the PaperCut NG/MF bypass that Microsoft's Lace Tempest chained into Cl0p and LockBit deployments back in 2023. CVE-2024-27199 is a path traversal in JetBrains TeamCity giving limited admin actions - its sibling CVE-2024-27198 is already on the KEV list. CVE-2025-48700 is a Zimbra XSS that the Ukrainian CERT attributes to UAC-0233/UAC-0250 for stealing mailbox contents, MFA backup codes, and application passwords. CVE-2025-2749 is a Kentico Xperience Staging Sync Server path traversal.

Check
Check your environment for any exposed or internal instances of Cisco Catalyst SD-WAN Manager, Quest KACE SMA, PaperCut NG/MF, JetBrains TeamCity, Zimbra Collaboration Suite, or Kentico Xperience and confirm patch status against the specific CVEs below.
Affected
Cisco Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133). Quest KACE SMA unpatched against CVE-2025-32975 (CVSS 10.0). PaperCut NG/MF against CVE-2023-27351. JetBrains TeamCity against CVE-2024-27199. Synacor Zimbra Collaboration Suite against CVE-2025-48700. Kentico Xperience against CVE-2025-2749.
Fix
Apply vendor-released patches for each product. Cisco SD-WAN Manager needs fixing by end of day April 23 to meet the CISA federal deadline - treat the same as a commercial deadline and patch today. The other five carry a May 4 CISA deadline. If you cannot patch immediately, remove affected products from direct internet exposure and monitor for the exploitation patterns each vendor describes. For Zimbra specifically, check mailbox audit logs for unusual TGZ archive creation and review MFA backup code usage.

13-year-old Apache ActiveMQ code injection flaw actively exploited - CISA gives federal agencies until April 30 to patch (CVE-2026-34197)

A critical code injection flaw in Apache ActiveMQ Classic has been under active exploitation in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on April 16 with a federal patch deadline of April 30. The flaw, tracked as CVE-2026-34197 (CVSS 8.8), has been 'hiding in plain sight' for 13 years according to Horizon3.ai researcher Naveen Sunkavally. The vulnerability is in the Jolokia JMX-HTTP bridge exposed at /api/jolokia/. An attacker can send crafted HTTP requests with a malicious discovery URI that forces the broker to load a remote Spring XML configuration. Because Spring initializes beans before validation, attackers execute arbitrary OS commands via Runtime.exec() - effectively turning a messaging broker into a remote command runner. Fortinet FortiGuard Labs telemetry shows exploitation attempts peaking on April 14, 2026. SAFE Security reports threat actors actively scanning for exposed Jolokia management endpoints.

Check
Inventory every ActiveMQ instance in your environment. If you don't know whether you run ActiveMQ, check with your dev team - it's embedded in many enterprise messaging pipelines and IoT data flows.
Affected
Apache ActiveMQ Classic versions 5.x before 5.19.4, and 6.0.0 before 6.2.3. The vulnerable component is the Jolokia JMX-HTTP bridge exposed via the web console at /api/jolokia/. Any internet-exposed ActiveMQ broker with default Jolokia configuration is at risk.
Fix
Upgrade to Apache ActiveMQ 5.19.4 or 6.2.3. If you cannot patch immediately: block external access to the /api/jolokia/ endpoint at your firewall or reverse proxy, restrict the Jolokia policy to specific MBeans only (not the default org.apache.activemq:* wildcard), and require authentication for all management operations. Check your access logs for HTTP requests to /api/jolokia/ with suspicious URI parameters over the past 30 days - exploitation requires only one successful request.

NIST stops enriching most new CVEs - only KEV-listed and federal-used software will get full NVD data going forward

NIST has announced major changes to how the National Vulnerability Database processes new CVEs, driven by a 263% surge in submissions that the agency can no longer keep up with. As of April 15, 2026, NIST will only provide full enrichment (CVSS scoring, CWE mapping, CPE identification) for CVEs that meet specific criteria: vulnerabilities in the CISA KEV catalog, those in software used by the federal government, and a small set of other priority categories. Everything else remains listed in the NVD but without the detailed metadata that security teams rely on for automated patch prioritization. Dustin Childs at ZDI noted during Patch Tuesday coverage that AI-driven vulnerability discovery has tripled his own triage volume. The same pressure is hitting NIST. Practical impact: vulnerability management tools, automated scanners, and patch prioritization workflows that depend on NVD enrichment data will have blind spots for the majority of new CVEs. Private vulnerability intelligence feeds (VulnCheck, Tenable, Qualys) become more important for anyone who relied on NVD as the single source of truth.

Check
Review how your vulnerability management program depends on NVD data. If your scanner or SIEM pulls CVSS scores and CPE data directly from NVD, many new CVEs will return incomplete results.
Affected
Any organization relying primarily on NVD as a vulnerability intelligence source. Automated patch prioritization tools, SIEM integrations, asset management platforms, and compliance reporting that map CVEs to systems via CPE identifiers will have coverage gaps for non-KEV, non-federal-priority CVEs.
Fix
Layer additional vulnerability intelligence sources on top of NVD. Consider subscribing to VulnCheck KEV (expanded exploitation data), CISA KEV directly (smaller but authoritative), or commercial feeds from Tenable, Qualys, or Rapid7. For patch prioritization, weight exploitation evidence (KEV listing, public PoC, threat intel reports) more heavily than CVSS scores alone - since many new CVEs won't have CVSS scores at all. Review your vulnerability SLAs - 'patch all criticals within N days' policies need rewording if criticality can't be automatically determined from NVD.

Google patches fourth Chrome zero-day of 2026 - WebGPU flaw exploited in the wild (CVE-2026-5281)

Google pushed an emergency Chrome update to fix a use-after-free bug in Dawn, the engine behind Chrome's WebGPU graphics standard. CVE-2026-5281 is already being exploited - an attacker who has compromised the browser's renderer process can use a crafted HTML page to execute arbitrary code, potentially escaping Chrome's sandbox. This is the fourth actively exploited Chrome zero-day in 2026, and the third targeting graphics or rendering subsystems. CISA added it to the KEV catalog with an April 15 deadline.

Check
Update Chrome immediately on all managed endpoints. Also check Edge, Brave, Opera, and Vivaldi - they share the same Chromium codebase.
Affected
Google Chrome prior to 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux). All Chromium-based browsers are affected.
Fix
Update Chrome to 146.0.7680.177/178. Verify auto-update is enabled and not blocked by group policy. Push updates via enterprise management tools. Apply Chromium-based browser patches from Microsoft, Brave, and others as they release.