THE U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities (KEV) catalog, listing eight CVEs with details including CVE-2026-20133, CVE-2023-27351, CVE-2024-27199, CVE-2025-2749, CVE-2025-32975, CVE-2025-48700, CVE-2026-20122 and CVE-2026-20128.
Among these, PaperCut NG/MF’s CVE-2023-27351 and JetBrains TeamCity’s CVE-2024-27199 have been described as having been rapidly weaponised, with the TeamCity flaw enabling access to sensitive configuration files and, in some cases, backdoors on build servers. The article notes that several of the flaws have already been exploited in real‑world attacks, including ransomware campaigns, and highlights that CVE-2025-32975 affects Quest KACE SMA and CVE-2025-48700 affects Synacor ZCS.
It also references CISA’s directive, according to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, requiring agencies to address these flaws by specific deadlines in 2026, with private organisations urged to patch promptly.