
CISA Catalog Adds 8 Exploited Flaws


What happens when a government catalog of actively exploited software flaws grows overnight? On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) answered that question by adding eight new entries to its Known Exploited Vulnerabilities (KEV) catalog — and by setting federal mitigation deadlines that span April and May 2026.

The additions: three Cisco flaws, PaperCut and five more

CISA added eight vulnerabilities to the KEV catalog, specifically flagging three flaws that affect Cisco Catalyst SD‑WAN Manager and citing evidence of active exploitation. Among the newly listed items is CVE‑2023‑27351, an improper authentication vulnerability in PaperCut with a CVSS score of 8.2.

The agency’s action updates the KEV list that federal agencies consult when prioritizing patching and mitigation. By moving these entries into the catalog, CISA is signaling that there is credible evidence adversaries have exploited these flaws in the wild.

What the federal deadlines mean

Alongside the KEV additions, CISA set federal deadlines in April and May 2026 for agencies to address the newly listed vulnerabilities. Those deadlines reflect the federal government’s mechanism for requiring agencies to mitigate or remediate vulnerabilities in the KEV catalog within prescribed timeframes.

For agencies, the combination of KEV inclusion and an explicit deadline creates a compliance imperative: the vulnerabilities are no longer advisory items but are now tied to mandated action windows set by the agency.

Why this matters — multiple perspectives

  • Technologists: A KEV designation typically reprioritizes patching schedules and incident response plans. With a high-severity PaperCut issue (CVSS 8.2) and multiple Cisco SD‑WAN Manager flaws, defenders must quickly inventory affected assets, apply vendor fixes where available, and implement compensating controls where immediate patches are not possible.
  • Policymakers and federal managers: Deadlines in April–May 2026 translate into operational demands on agency cybersecurity teams and on contracting chains that support federal systems. Missing a KEV deadline can expose an agency to increased risk and to oversight questions about implementation and risk management.
  • End users and administrators: Organizations that run PaperCut or Cisco Catalyst SD‑WAN Manager should view the KEV additions as a red flag that exploitation is occurring. Administrators will need to validate whether their deployments are affected and take the prescribed mitigations promptly.
  • Adversaries: By publicly documenting exploited flaws and setting remediation deadlines, CISA increases the pressure on attackers to pivot to other targets, but it also shines a spotlight on affected products that remain unpatched in some environments — an incentive for continued exploitation until mitigations are broadly applied.

Next steps and the broader signal

CISA’s decision to add eight new exploited vulnerabilities and to attach April–May 2026 federal deadlines underscores two clear signals: first, that specific flaws — including a high‑severity PaperCut authentication issue and multiple Cisco SD‑WAN Manager bugs — are being used in real‑world attacks; and second, that the agency expects accelerated federal remediation in response.

For organizations inside and outside government, the practical steps are familiar: identify affected systems, apply vendor updates or mitigations, and document actions to meet compliance timelines. The KEV additions act as both an operational checklist and a public warning that exploitation is ongoing.
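One way to operationalize those steps, as an added example that is neither the story's nor CISA's code: match a KEV-format feed against an asset inventory and report which hosts still need remediation before the federal due date. The feed mirrors the field names of CISA's published KEV JSON (cveID, vendorProject, product, dueDate) but is a constructed sample; only CVE-2023-27351 comes from the story, and the Cisco CVE ID, the inventory and all dates are placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (subset of fields).
# Only CVE-2023-27351 is from the story; the Cisco CVE ID and all dates are
# placeholders, since the story names no exact IDs or due dates.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut",
         "product": "MF/NG", "dateAdded": "2026-04-06",
         "requiredAction": "Apply vendor mitigations.",
         "dueDate": "2026-04-27"},
        {"cveID": "CVE-XXXX-PLACEHOLDER", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-06",
         "requiredAction": "Apply vendor mitigations.",
         "dueDate": "2026-05-04"},
    ],
})

# Constructed asset inventory: hostname -> (vendor, product, CVE IDs already fixed)
INVENTORY = {
    "print01": ("PaperCut", "MF/NG", set()),
    "print02": ("PaperCut", "MF/NG", {"CVE-2023-27351"}),
    "sdwan-mgr": ("Cisco", "Catalyst SD-WAN Manager", set()),
    "web01": ("nginx", "nginx", set()),
}


def kev_exposure(kev_json, inventory, today):
    """Return (host, cveID, dueDate, days_left) for every inventory host whose
    vendor/product matches a KEV entry that is not yet remediated.
    days_left is negative once the federal due date has passed."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for host, (vendor, product, fixed) in inventory.items():
        for entry in catalog:
            if entry["vendorProject"] != vendor or entry["product"] != product:
                continue
            if entry["cveID"] in fixed:
                continue  # already remediated; nothing to report
            due = date.fromisoformat(entry["dueDate"])
            findings.append((host, entry["cveID"], entry["dueDate"], (due - today).days))
    findings.sort(key=lambda f: f[3])  # overdue items first, then soonest due
    return findings


if __name__ == "__main__":
    for host, cve, due, days in kev_exposure(SAMPLE_KEV_JSON, INVENTORY, date(2026, 4, 30)):
        status = f"OVERDUE by {-days} days" if days < 0 else f"{days} days left"
        print(f"{host}: {cve} due {due} ({status})")
```

Pointing the loader at the live KEV feed and a real CMDB export gives the same report against the actual April and May 2026 due dates.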

How quickly the private sector and federal agencies can close these gaps will determine whether the alarm raised by these KEV additions ends in meaningful risk reduction — or in more systems left exposed to attackers.
