CISA added eight actively-exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on April 20, with federal agencies required to patch three Cisco Catalyst SD-WAN Manager flaws by today, April 23, and the remaining five by May 4. The Cisco trio (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) enable arbitrary file upload with vmanage user privileges, recovery of stored credentials for the DCA user, and unauthenticated disclosure of sensitive configuration data. Cisco confirmed exploitation of the first two in March 2026. The other five cover a wide blast radius: CVE-2025-32975 is a CVSS 10.0 authentication bypass in Quest KACE Systems Management Appliance letting attackers impersonate any user without credentials, exploited in the wild by unknown actors last month per Arctic Wolf. CVE-2023-27351 is the PaperCut NG/MF bypass that Microsoft's Lace Tempest chained into Cl0p and LockBit deployments back in 2023. CVE-2024-27199 is a path traversal in JetBrains TeamCity giving limited admin actions - its sibling CVE-2024-27198 is already on the KEV list. CVE-2025-48700 is a Zimbra XSS that the Ukrainian CERT attributes to UAC-0233/UAC-0250 for stealing mailbox contents, MFA backup codes, and application passwords. CVE-2025-2749 is a Kentico Xperience Staging Sync Server path traversal.
Cisco has patched four critical vulnerabilities this week across Webex and Identity Services Engine (ISE). The standout flaw is CVE-2026-20184 in Cisco Webex Services with SSO integration via Control Hub - it allows an unauthenticated remote attacker to impersonate any user in the service due to incorrect certificate validation in the SSO flow. This is particularly dangerous for organizations using Webex with SAML and centralized identity management. Alongside it: CVE-2026-20180 and CVE-2026-20186 (both CVSS 9.9) affect Cisco ISE and ISE Passive Identity Connector, allowing authenticated attackers with even read-only admin credentials to execute arbitrary commands on the underlying OS and escalate to root. CVE-2026-20147 is a path traversal flaw in the same products. ISE versions before 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches are all affected. No workarounds - only software updates fix these. In single-node ISE deployments, exploitation can also knock the node offline, blocking network access for unauthenticated endpoints.
Cisco patched a CVSS 9.8 authentication bypass in its Integrated Management Controller - the hardware-level management system built into Cisco UCS servers. An attacker sends one crafted HTTP request to the password change function and can reset any user's password, including Admin, without any credentials. Because IMC operates below the operating system on a dedicated baseboard controller with its own IP address, traditional endpoint security tools can't detect or stop it. The flaw affects dozens of Cisco product lines including APIC servers, Secure Firewall Management Center, and Cyber Vision appliances.
The TeamPCP supply chain campaign has claimed its biggest victim yet. Attackers used credentials stolen from the Trivy vulnerability scanner compromise to breach Cisco's internal development environment, stealing source code belonging to both Cisco and its customers. Multiple AWS keys were also taken and used for unauthorized activity across Cisco's cloud accounts. The company expects continued fallout from the follow-on LiteLLM and Checkmarx compromises in the same campaign.