
CISA Expands KEV Catalog with Eight Vulnerabilities: Overview of Federal Agency Deadlines April 23 and May 4

7 min read · April 23, 2026

On April 20, 2026, the CISA (Cybersecurity and Infrastructure Security Agency) added eight vulnerabilities to its Known Exploited Vulnerabilities catalog. Three affect Cisco Catalyst SD-WAN Manager with a patch deadline of April 23. The remaining five vulnerabilities in PaperCut, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, and Synacor Zimbra have federal deadlines until May 4. For European security teams, this update is more than just a routine US administrative matter. In 2026, CISA deadlines are increasingly becoming a prioritization benchmark for DACH (Germany, Austria, Switzerland) CISOs, as the BSI (Federal Office for Information Security) does not set comparably strict deadlines.

Key Takeaways

  • CISA KEV update from April 20, 2026 with eight vulnerabilities, patch deadlines on April 23 and May 4, 2026.
  • Three Cisco Catalyst SD-WAN Manager CVEs (2026-20122, -20128, -20133) plus PaperCut, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra.
  • Synacor Zimbra Collaboration Suite and the Cisco Catalyst vulnerabilities have the shorter deadline of April 23; the other five vulnerabilities have until May 4.
  • European security teams use CISA deadlines as a prioritization proxy, because BSI (Federal Office for Information Security) advisories rarely contain hard patch dates.
  • The update shows the typical 2026 mix: a new vendor stack (Cisco SD-WAN), re-activations of old vulnerabilities (PaperCut, JetBrains) and niche products (Kentico, KACE).

What’s Included in the Update

What is the CISA KEV Catalog? The KEV Catalog of the U.S. Cybersecurity and Infrastructure Security Agency is a curated list of vulnerabilities for which active exploitation is documented. Federal agencies of the Federal Civilian Executive Branch are required to patch listed vulnerabilities within a specified timeframe. The catalog also serves as a reference for security teams worldwide because inclusion means a vulnerability is no longer a theoretical risk but a real attack vector.

The April 20, 2026 update lists eight vulnerabilities. The Cisco Catalyst SD-WAN Manager family accounts for three of these: CVE-2026-20122 (CVSS 5.4, insecure API calls), CVE-2026-20128 (CVSS 7.5, password storage in recoverable form) and CVE-2026-20133 (CVSS 6.5, sensitive information). Together, these three form an escalation chain that becomes critical in unsegmented management networks. CISA has set the shorter deadline of April 23, 2026 for these.

The second category includes PaperCut NG/MF (CVE-2023-27351, CVSS 8.2), JetBrains TeamCity (CVE-2024-27199), Kentico Xperience (CVE-2025-2749), Quest KACE SMA (CVE-2025-32975) and Synacor Zimbra Collaboration Suite (CVE-2025-48700). Notable is the mix of reactivated older vulnerabilities and newer bugs. We have covered the PaperCut issues in detail in a separate article. Synacor Zimbra also has the April 23 deadline, which increases the operational urgency for email platform operators.

  • 8 CVEs in the KEV update of April 20, 2026
  • April 23: deadline for Cisco Catalyst and Synacor Zimbra
  • May 4: deadline for the remaining five vulnerabilities

Why This Update Matters for DACH Security Teams

Three observations shape this assessment. The first is the composition of the vendor mix. Cisco Catalyst SD-WAN Manager is actively deployed in many DACH corporations, particularly in cross-location networks with distributed office infrastructure. Zimbra Collaboration Suite runs in numerous university and government agency environments. PaperCut is found in nearly every medium-sized printing environment. Organizations using any of these systems should immediately check whether their deployed versions are affected.

The second observation is the connection to BSI advisories. The BSI (Federal Office for Information Security) has published several advance warnings on Cisco Catalyst topics in recent weeks, but without hard patch deadlines. CISOs in banks, insurance companies, and operators of KRITIS (critical infrastructure) facilities are increasingly using CISA deadlines as an internal prioritization proxy. Organizations that build the CISA deadline into their internal escalation logic as a forcing function for comparably exposed stacks gain speed without excessive regulation.

The third observation is the lifecycle mix. The update combines a 2023 bug (PaperCut), a 2024 one (JetBrains), three 2025 ones (Kentico, Quest, Synacor), and three 2026 ones (Cisco). This is the reality of the modern CVE landscape: reactivations occur because unpatched installations remain widespread. The PaperCut case is exemplary. Organizations that don’t systematically establish SBOM discipline and patch routines fall behind with every wave.

What Security Teams Should Do in the Next 14 Days

  • Inventory: Which of the eight vendor stacks are running in-house, and in which versions?
  • Prioritize based on exposure (internally vs. externally accessible) and business criticality
  • Patch rollout for Cisco Catalyst SD-WAN and Synacor Zimbra with highest urgency
  • Enable detection rules for the KEV vulnerabilities in SIEM and EDR systems

What Doesn’t Work

  • Treating patches as purely an IT task without compliance oversight
  • Relying on “we’re not in the US, so we’re not affected”
  • Patches without audit trail and documentation for internal review
  • Relying on BSI advisories without your own KEV monitoring

A 14-Day Response Plan for DACH Security Operations

Two weeks are sufficient for a clean response when inventory, patch discipline, and detection layers work closely together. The following milestones have been consolidated from conversations with security operations leaders in mid-sized banks and industrial corporations.

Day 1-2
Inventory. Which of the eight vendor stacks are running in-house? SBOM evaluation, asset database scan, consultation with technical administrators. Result: Mapping per vendor with version number.

Day 3
Triage. Prioritization by risk classes. Cisco Catalyst and Synacor Zimbra at the top due to the April 23 deadline. PaperCut and JetBrains in the second wave.

Day 4-7
Patch rollout of critical stacks. Patching Cisco Catalyst SD-WAN Manager, Synacor Zimbra. Test validation in staging, then productive rollout with audit trail.

Day 8-11
Patch rollout of second wave. Patching PaperCut, JetBrains, Kentico, Quest KACE. Activate detection rules in SIEM.

Day 12-14
Forensic review and reporting. Check logs from the last 30 days for anomalies. Status report to CISO, Compliance, and potentially regulatory authorities.

Structural Lessons from the 2026 KEV Waves

Three lessons beyond the individual updates deserve attention. First: The KEV (Known Exploited Vulnerabilities) cadence is intensifying. CISA (Cybersecurity and Infrastructure Security Agency) is publishing updates more frequently with more vulnerabilities per update than in 2024. Security teams need a weekly routine slot for KEV assessment, not ad-hoc processing. Those who don’t do this systematically will be overwhelmed in the next quarter.

Second: SBOM (Software Bill of Materials) investments pay off measurably. Those who don’t have a complete software bill of materials for their applications cannot react to KEV updates within hours. Providers like Anchore, Snyk and Sysdig offer mature tools in 2026 that automate SBOM generation and KEV matching. The investment typically lies in the low to mid five-digit range per year and pays off with the first serious incident.

Third: Vendor consolidation is also a security lever. Those who operate three print server solutions, four SD-WAN (Software-Defined Wide Area Network) providers and two email platforms in parallel have a patch complexity that creates friction in every KEV wave. A conscious consolidation reduces not only license costs but also patch effort. This discussion belongs in the next IT strategy meeting, not in the security routine.

For CISOs and supervisory boards, the update results in a concrete action logic. KEV status should be part of every quarterly board report in 2026. Number of open KEV vulnerabilities, time-to-patch compared to the CISA deadline, and compliance status per regulated industry are three robust KPIs. The ASP.NET Core discussion regarding DORA and NIS2 has shown clearly how close the connection between individual CVEs (Common Vulnerabilities and Exposures) and regulatory reporting obligations has become. Those who translate the KEV movement into their own board briefing create clarity at the management level.

Frequently Asked Questions

Which eight vulnerabilities are specifically included in the April 20 update?

Three Cisco Catalyst SD-WAN Manager CVEs (2026-20122, -20128, -20133), PaperCut NG/MF CVE-2023-27351, JetBrains TeamCity CVE-2024-27199, Kentico Xperience CVE-2025-2749, Quest KACE SMA CVE-2025-32975 and Synacor Zimbra CVE-2025-48700. The Cisco and Synacor vulnerabilities have the April 23 deadline, while the others have the May 4 deadline.

Are CISA deadlines also binding for German companies?

Not directly. CISA deadlines are mandatory for US federal agencies in the Federal Civilian Executive Branch. For German companies, they are a recommendation with high reference value. NIS2 (Network and Information Systems Directive 2) operators, KRITIS (critical infrastructure) operators and DORA (Digital Operational Resilience Act)-regulated entities increasingly use them as internal escalation proxies.

What distinguishes the KEV catalog from the BSI advisory system?

The KEV catalog exclusively documents vulnerabilities with active exploitation and sets hard patch deadlines for US federal agencies. The BSI (Federal Office for Information Security) publishes advisories with broader risk assessment, without mandatory patch deadlines for the private sector. Both systems complement each other, with the KEV catalog being operationally sharper.

How often should a security team check for KEV updates?

At least weekly, ideally with automated notification via RSS or API. For critical updates like the one from April 20, an escalation routine that transfers the update to internal triage within 24 hours is worthwhile.
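The inventory and triage steps of the 14-day plan above, and the automated KEV monitoring this answer recommends, come down to one recurring job: pull the catalog, match it against the asset inventory, and order the hits by CISA due date. The following script is an added example and not code from the article or from CISA. It uses the field names of the public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`; the feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the catalog snapshot embedded below is constructed from the eight CVEs and deadlines named in the article so that the script runs offline. The inventory records, the asset names and the vendor/product matching heuristic are assumptions of the example, not the article's.

```python
"""Match an asset inventory against a CISA KEV catalog snapshot and produce a
triage order by CISA due date (earliest deadline first, external exposure first)."""
import json
from datetime import date

# Constructed snapshot in the shape of the public KEV JSON feed. Only the fields
# used below are populated; CVE IDs, vendors and due dates follow the April 20,
# 2026 update described in the article. A live run would replace this text with
# the body of the feed URL (not fetched here so the example stays offline).
SAMPLE_KEV_JSON = json.dumps({
    "dateReleased": "2026-04-20T00:00:00.0000Z",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "PaperCut NG/MF",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
        {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
        {"cveID": "CVE-2025-2749", "vendorProject": "Kentico", "product": "Xperience",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
        {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE Systems Management Appliance (SMA)",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
        {"cveID": "CVE-2025-48700", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    ],
})

# Constructed inventory: the kind of mapping the Day 1-2 inventory step produces.
# Asset names are hypothetical. The last entry is deliberately not in the KEV snapshot.
INVENTORY = [
    {"asset": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager", "exposure": "internal"},
    {"asset": "print-01", "vendor": "PaperCut", "product": "PaperCut NG/MF", "exposure": "internal"},
    {"asset": "mail-01", "vendor": "Synacor", "product": "Zimbra Collaboration Suite", "exposure": "external"},
    {"asset": "ci-01", "vendor": "ExampleVendor", "product": "ExampleBuildServer", "exposure": "internal"},
]

EXPOSURE_RANK = {"external": 0, "internal": 1}  # lower sorts first


def parse_kev(kev_json_text):
    """Return the list of vulnerability records from KEV feed JSON text."""
    return json.loads(kev_json_text)["vulnerabilities"]


def _norm(text):
    """Case-fold and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(text.casefold().split())


def match_inventory(kev_entries, inventory):
    """One hit per (asset, CVE): vendor must match exactly (case-insensitive), and
    one product string must contain the other, since KEV product names are not
    standardized. Heuristic chosen for this example; tune it to your CMDB."""
    hits = []
    for asset in inventory:
        for vuln in kev_entries:
            if _norm(asset["vendor"]) != _norm(vuln["vendorProject"]):
                continue
            p_inv, p_kev = _norm(asset["product"]), _norm(vuln["product"])
            if p_inv in p_kev or p_kev in p_inv:
                hits.append({
                    "asset": asset["asset"],
                    "exposure": asset["exposure"],
                    "cve": vuln["cveID"],
                    "due": date.fromisoformat(vuln["dueDate"]),
                })
    return hits


def triage(hits, today):
    """Annotate each hit with days left until the CISA due date and sort:
    earliest deadline first, externally exposed assets before internal ones."""
    for hit in hits:
        hit["days_left"] = (hit["due"] - today).days
    return sorted(hits, key=lambda h: (h["due"], EXPOSURE_RANK.get(h["exposure"], 2), h["cve"]))


def overdue(hits, today):
    """Hits whose CISA due date has already passed; these head the status report."""
    return [h for h in hits if h["due"] < today]


if __name__ == "__main__":
    today = date(2026, 4, 21)  # constructed 'run date', one day after the update
    kev = parse_kev(SAMPLE_KEV_JSON)
    for h in triage(match_inventory(kev, INVENTORY), today):
        print(f"{h['due']}  {h['days_left']:>3}d  {h['exposure']:<8} {h['asset']:<14} {h['cve']}")
```

Run weekly (or from the feed's RSS notification), the output is the triage list the Day 3 step asks for; feeding the same hits into a ticketing system with the due date as the SLA gives the audit trail the article calls for.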

Which tools are suitable for KEV monitoring?

Classic vulnerability management tools like Tenable, Qualys and Rapid7 natively integrate KEV matching. Open-source alternatives like OpenVAS and Wazuh have KEV modules available. Those working with SBOM-based systems use Anchore, Snyk or Grype. The selection depends on the existing tool landscape.

What does this wave of vulnerabilities mean for mid-sized company security operations?

Mid-sized companies without 24×7 SOCs have a harder time cleanly addressing all eight vulnerabilities within 14 days. Prioritization based on exposure and business criticality is all the more important. Those with a managed security partner should explicitly coordinate the response path with them.

Source cover image: Pexels / Erik Mclean (px:6016937)

Benedikt Langer

A magazine by Evernine Media GmbH