{"id":12993,"date":"2026-04-23T23:35:32","date_gmt":"2026-04-23T23:35:32","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/24\/diese-nachricht-enthalt-eine-klassische-prompt-injection-die\/"},"modified":"2026-04-25T15:28:22","modified_gmt":"2026-04-25T15:28:22","slug":"cisa-expands-kev-catalog-with-eight-vulnerabilities-overview","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/04\/23\/cisa-expands-kev-catalog-with-eight-vulnerabilities-overview\/","title":{"rendered":"CISA Expands KEV Catalog with Eight Vulnerabilities: Overview of Federal Agency Deadlines April 23 and May 4"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">7 min read \u00b7 April 23, 2026<\/p>\n<p><strong>On April 20, 2026, the CISA (Cybersecurity and Infrastructure Security Agency) added eight vulnerabilities to its Known Exploited Vulnerabilities catalog. Three affect Cisco Catalyst SD-WAN Manager with a patch deadline of April 23. The remaining five vulnerabilities in PaperCut, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, and Synacor Zimbra have federal deadlines until May 4. For European security teams, this update is more than just a routine US administrative matter. In 2026, CISA deadlines are increasingly becoming a prioritization benchmark for DACH (Germany, Austria, Switzerland) CISOs, as the BSI (Federal Office for Information Security) does not set comparably strict deadlines.<\/strong><\/p>\n<h2>Key Takeaways<\/h2>\n<ul>\n<li>CISA KEV update from April 20, 2026 with eight vulnerabilities, patch deadlines on April 23 and May 4, 2026.<\/li>\n<li>Three Cisco Catalyst SD-WAN Manager CVEs (2026-20122, -20128, -20133) plus PaperCut, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra.<\/li>\n<li>Synacor Zimbra Collaboration Suite and Cisco Catalyst vulnerabilities have the shorter deadline until April 23. 
The other five vulnerabilities have until May 4.<\/li>\n<li>European security teams use CISA deadlines as a prioritization proxy, because BSI (Federal Office for Information Security) advisories rarely contain hard patch dates.<\/li>\n<li>The update shows the typical 2026 mix: a new vendor stack (Cisco SD-WAN), reactivations of old vulnerabilities (PaperCut, JetBrains) and niche products (Kentico, KACE).<\/li>\n<\/ul>\n<h2>What&#8217;s Included in the Update<\/h2>\n<p><strong>What is the CISA KEV Catalog?<\/strong> The KEV catalog of the U.S. Cybersecurity and Infrastructure Security Agency is a curated list of vulnerabilities for which active exploitation has been documented. Agencies of the Federal Civilian Executive Branch are required to remediate listed vulnerabilities within a specified timeframe. The catalog also serves as a reference for security teams worldwide, because inclusion means a vulnerability is no longer a theoretical risk but a demonstrated attack vector.<\/p>\n<p>The April 20, 2026 update lists eight vulnerabilities. The Cisco Catalyst SD-WAN Manager family accounts for three of them: CVE-2026-20122 (CVSS 5.4, insecure API calls), CVE-2026-20128 (CVSS 7.5, password storage in recoverable form) and CVE-2026-20133 (CVSS 6.5, exposure of sensitive information). Individually the scores are moderate; chained, the three form an escalation path that becomes critical in unsegmented management networks, so the individual CVSS values understate the risk. CISA has set the shorter deadline of April 23, 2026 for these.<\/p>\n<p>The second category includes PaperCut NG\/MF (CVE-2023-27351, CVSS 8.2), JetBrains TeamCity (CVE-2024-27199), Kentico Xperience (CVE-2025-2749), Quest KACE SMA (CVE-2025-32975) and Synacor Zimbra Collaboration Suite (CVE-2025-48700). The mix of reactivated older vulnerabilities and newer bugs is notable. We have covered the PaperCut issues in detail in a separate article. 
Synacor Zimbra falls under the May 4 deadline, but as a mail platform that is usually reachable from the internet it deserves the same operational urgency from email platform operators.<\/p>\n<div class=\"evm-stat evm-stat-row\" style=\"display:flex;gap:16px;margin:32px 0;flex-wrap:wrap;\">\n<div style=\"flex:1;min-width:200px;text-align:center;background:#f0f9fa;border-radius:8px;padding:20px 12px;border-top:3px solid #69d8ed;\">\n<div style=\"font-size:28px;font-weight:700;color:#004a59;\">8 CVEs<\/div>\n<div style=\"font-size:12px;color:#444;margin-top:4px;\">in the KEV update of April 20, 2026<\/div>\n<\/div>\n<div style=\"flex:1;min-width:200px;text-align:center;background:#f0f9fa;border-radius:8px;padding:20px 12px;border-top:3px solid #69d8ed;\">\n<div style=\"font-size:28px;font-weight:700;color:#004a59;\">April 23<\/div>\n<div style=\"font-size:12px;color:#444;margin-top:4px;\">Deadline for the three Cisco Catalyst SD-WAN Manager CVEs<\/div>\n<\/div>\n<div style=\"flex:1;min-width:200px;text-align:center;background:#f0f9fa;border-radius:8px;padding:20px 12px;border-top:3px solid #69d8ed;\">\n<div style=\"font-size:28px;font-weight:700;color:#004a59;\">May 4<\/div>\n<div style=\"font-size:12px;color:#444;margin-top:4px;\">Deadline for the remaining five vulnerabilities<\/div>\n<\/div>\n<\/div>\n<h2>Why This Update Matters for DACH Security Teams<\/h2>\n<p>Three observations shape this assessment. The first is the composition of the vendor mix. Cisco Catalyst SD-WAN Manager is widely deployed in DACH corporations, particularly in multi-site networks with distributed office infrastructure. Zimbra Collaboration Suite runs in numerous university and government agency environments. PaperCut is found in nearly every medium-sized printing environment. Organizations running any of these products should check immediately whether their installed versions are among those affected; a KEV entry names vendor and product but carries no affected-version data, so the vendor advisory remains the authoritative source for that check.<\/p>\n<p>The second observation is the connection to BSI advisories. 
The BSI (Federal Office for Information Security) has published several advance warnings on Cisco Catalyst topics in recent weeks, but without hard patch deadlines. CISOs at banks, insurers and operators of KRITIS (critical infrastructure) facilities are increasingly using CISA deadlines as an internal prioritization proxy. Organizations that build the CISA deadline into their internal escalation logic as a forcing function for comparably exposed stacks gain speed without additional regulatory overhead.<\/p>\n<p>The third observation is the lifecycle mix. The update combines a 2023 bug (PaperCut), a 2024 bug (JetBrains), three 2025 bugs (Kentico, Quest, Synacor) and three 2026 bugs (Cisco). This is the reality of the current CVE landscape: old vulnerabilities are reactivated because unpatched installations remain widespread. <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/23\/papercut-ng-mf-under-active-attack-why-a-2023-bug-re-enters\/\">The PaperCut case<\/a> is exemplary. Organizations that do not systematically establish SBOM discipline and patch routines fall behind with every wave.<\/p>\n<div class=\"evm-pros-cons\" style=\"display:flex;gap:16px;margin:32px 0;flex-wrap:wrap;\">\n<div style=\"flex:1;min-width:260px;background:#f0f9fa;border-left:4px solid #69d8ed;padding:20px 24px;border-radius:0 8px 8px 0;\">\n<h3 style=\"margin-top:0;font-size:1em;color:#004a59;\">What Security Teams Should Do in the Next 14 Days<\/h3>\n<ul style=\"padding-left:20px;margin:0;color:#444;line-height:1.7;\">\n<li>Inventory: Which of the eight vendor stacks are running in-house, and in which versions?<\/li>\n<li>Prioritize based on exposure (internally vs. 
externally accessible) and business criticality<\/li>\n<li>Patch rollout for Cisco Catalyst SD-WAN Manager with highest urgency, Synacor Zimbra immediately after<\/li>\n<li>Enable detection rules for the KEV vulnerabilities in SIEM and EDR systems<\/li>\n<\/ul><\/div>\n<div style=\"flex:1;min-width:260px;background:#fafafa;border-left:4px solid #888;padding:20px 24px;border-radius:0 8px 8px 0;\">\n<h3 style=\"margin-top:0;font-size:1em;color:#444;\">What Doesn&#8217;t Work<\/h3>\n<ul style=\"padding-left:20px;margin:0;color:#444;line-height:1.7;\">\n<li>Treating patching as a pure IT task without compliance oversight<\/li>\n<li>Relying on &#8220;we&#8217;re not in the US, so we&#8217;re not affected&#8221;<\/li>\n<li>Patching without an audit trail and documentation for internal review<\/li>\n<li>Relying on BSI advisories alone, without your own KEV monitoring<\/li>\n<\/ul><\/div>\n<\/div>\n<h2>A 14-Day Response Plan for DACH Security Operations<\/h2>\n<p>Two weeks are sufficient for a clean response when inventory, patch discipline and detection layers work closely together. The following milestones are consolidated from conversations with security operations leaders at mid-sized banks and industrial corporations.<\/p>\n<div class=\"evm-timeline\" style=\"margin:32px 0;\">\n<div style=\"display:flex;gap:16px;margin-bottom:16px;padding:16px;border-left:3px solid #69d8ed;background:#f0f9fa;\">\n<div style=\"font-weight:700;color:#004a59;min-width:100px;\">Day 1-2<\/div>\n<div style=\"line-height:1.7;\">Inventory. Which of the eight vendor stacks are running in-house? SBOM evaluation, asset database scan, consultation with the responsible administrators. Result: a mapping per vendor with version numbers.<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin-bottom:16px;padding:16px;border-left:3px solid #69d8ed;background:#f0f9fa;\">\n<div style=\"font-weight:700;color:#004a59;min-width:100px;\">Day 3<\/div>\n<div style=\"line-height:1.7;\">Triage. Prioritization by risk class. 
Cisco Catalyst SD-WAN Manager at the top because of the April 23 deadline, Synacor Zimbra next because of its exposure as a mail platform. PaperCut and JetBrains in the second wave.<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin-bottom:16px;padding:16px;border-left:3px solid #69d8ed;background:#f0f9fa;\">\n<div style=\"font-weight:700;color:#004a59;min-width:100px;\">Day 4-7<\/div>\n<div style=\"line-height:1.7;\">Patch rollout of the critical stacks: Cisco Catalyst SD-WAN Manager, then Synacor Zimbra. Validation in staging, then production rollout with an audit trail.<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin-bottom:16px;padding:16px;border-left:3px solid #69d8ed;background:#f0f9fa;\">\n<div style=\"font-weight:700;color:#004a59;min-width:100px;\">Day 8-11<\/div>\n<div style=\"line-height:1.7;\">Patch rollout of the second wave: PaperCut, JetBrains, Kentico, Quest KACE. Activate detection rules in the SIEM.<\/div>\n<\/div>\n<div style=\"display:flex;gap:16px;margin-bottom:0;padding:16px;border-left:3px solid #69d8ed;background:#f0f9fa;\">\n<div style=\"font-weight:700;color:#004a59;min-width:100px;\">Day 12-14<\/div>\n<div style=\"line-height:1.7;\">Forensic review and reporting. Check logs from the last 30 days for anomalies: a KEV entry means the bug is exploited in the wild, so it may have been used before the patch landed. Status report to the CISO, compliance and, where required, regulatory authorities.<\/div>\n<\/div>\n<\/div>\n<h2>What 2026 Structurally Learns from the KEV Waves<\/h2>\n<p>Three lessons beyond the individual updates deserve attention. First: the KEV (Known Exploited Vulnerabilities) cadence is intensifying. CISA (Cybersecurity and Infrastructure Security Agency) is publishing updates more frequently, with more vulnerabilities per update than in 2024. Security teams need a weekly routine slot for KEV assessment rather than ad-hoc processing. Those who do not do this systematically will be overwhelmed next quarter.<\/p>\n<p>Second: SBOM (Software Bill of Materials) investments pay off measurably. 
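<\/p>
<p>What the feed-to-inventory matching behind the first two lessons looks like at script level, serving equally the KPI paragraph (open KEV items, time-to-patch versus the CISA deadline) and the FAQ on automated KEV monitoring later in this article: an added example, not from this article and not the code of any vendor named here. The feed snippet is constructed from the eight CVEs and the two due dates the article lists and uses the field names of the public KEV JSON (cveID, vendorProject, product, dateAdded, dueDate); the vendor and product strings, the inventory hosts and the patch dates are assumptions made for the demo.<\/p>

```python
"""KEV feed to inventory matching with due-date ranking and board KPIs.

Added example, not from the article or any vendor. KEV_FEED_JSON is a
constructed snippet: the eight CVEs, dateAdded and the two due dates are the
ones the article lists; vendorProject/product strings are assumptions. Real
entries also carry vulnerabilityName, shortDescription, requiredAction,
knownRansomwareCampaignUse and notes.
"""
import json
from datetime import date

KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.04.20",
  "count": 8,
  "vulnerabilities": [
    {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "PaperCut NG/MF", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-2749", "vendorProject": "Kentico", "product": "Xperience", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE Systems Management Appliance", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
    {"cveID": "CVE-2025-48700", "vendorProject": "Synacor", "product": "Zimbra Collaboration Suite", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"}
  ]
}"""

# Constructed CMDB export (assumed hosts). Exposure breaks ties within one due date.
INVENTORY = [
    {"host": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager", "exposure": "internal"},
    {"host": "mail-01", "vendor": "Synacor", "product": "Zimbra Collaboration Suite", "exposure": "internet"},
    {"host": "print-01", "vendor": "PaperCut", "product": "PaperCut NG", "exposure": "internal"},
    {"host": "ci-01", "vendor": "JetBrains", "product": "TeamCity", "exposure": "internet"},
    {"host": "gw-01", "vendor": "Acme", "product": "Widget Gateway", "exposure": "internet"},  # no KEV hit
]

EXPOSURE_RANK = {"internet": 0, "dmz": 1, "internal": 2}


def normalize(name: str) -> str:
    """Case-fold and collapse whitespace so 'PaperCut NG' matches 'PaperCut NG/MF'."""
    return " ".join(name.casefold().split())


def load_kev(feed_json: str) -> list[dict]:
    """Parse a KEV JSON document and return its vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(kev_entries: list[dict], inventory: list[dict]) -> list[dict]:
    """Product-level match: same vendor and one product name contained in the other.

    KEV entries carry no affected-version data, so each hit is a work item to
    confirm against the vendor advisory, not a confirmed vulnerable host.
    """
    hits = []
    for asset in inventory:
        for entry in kev_entries:
            if normalize(asset["vendor"]) != normalize(entry["vendorProject"]):
                continue
            a, k = normalize(asset["product"]), normalize(entry["product"])
            if a in k or k in a:
                hits.append({"host": asset["host"], "exposure": asset["exposure"],
                             "cve": entry["cveID"], "due": entry["dueDate"]})
    return hits


def prioritize(hits: list[dict], today: str) -> list[dict]:
    """Order work items by CISA due date, then exposure, then host; add days_left."""
    ref = date.fromisoformat(today)
    ranked = sorted(hits, key=lambda h: (h["due"], EXPOSURE_RANK.get(h["exposure"], 9), h["host"]))
    return [dict(h, days_left=(date.fromisoformat(h["due"]) - ref).days) for h in ranked]


def kev_kpis(hits: list[dict], patched: dict, today: str) -> dict:
    """Board KPIs: open items, items past their CISA due date, and the worst
    time-to-patch relative to the due date (negative means fixed before it).

    patched maps (host, cveID) to the ISO date on which the fix was applied.
    """
    ref = date.fromisoformat(today)
    open_items = overdue = 0
    slack = []
    for h in hits:
        due = date.fromisoformat(h["due"])
        fixed = patched.get((h["host"], h["cve"]))
        if fixed:
            slack.append((date.fromisoformat(fixed) - due).days)
        else:
            open_items += 1
            if ref > due:
                overdue += 1
    return {"open": open_items, "overdue": overdue,
            "worst_days_vs_deadline": max(slack) if slack else None}


if __name__ == "__main__":
    work = prioritize(match_inventory(load_kev(KEV_FEED_JSON), INVENTORY), "2026-04-21")
    for item in work:
        print(f'{item["due"]}  {item["days_left"]:3d}d  {item["cve"]:15}  {item["host"]:13}  {item["exposure"]}')
    print(kev_kpis(work, {("sdwan-mgr-01", "CVE-2026-20122"): "2026-04-22"}, "2026-04-25"))
```

<p>Two design choices matter here. Matching is deliberately product-level, because the catalog gives no version ranges; the script therefore produces a verification worklist, and the version check against the vendor advisory stays a human step. The ranking key puts the CISA due date first and exposure second, which reproduces the triage order of the response plan above, and the KPI function measures every fix against the federal due date rather than against the internal SLA, so the number reported to the board is directly comparable to the benchmark the article describes.<\/p>
<p>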
Those who do not have a complete software bill of materials for their applications cannot react to KEV updates within hours. Providers like Anchore, Snyk and Sysdig offer mature tools in 2026 that automate SBOM generation and KEV matching. The investment typically lies in the low to mid five-digit range per year and pays for itself with the first serious incident.<\/p>\n<p>Third: vendor consolidation is also a security lever. Those who operate three print server solutions, four SD-WAN (Software-Defined Wide Area Network) providers and two email platforms in parallel carry a patch complexity that creates friction in every KEV wave. Deliberate consolidation reduces not only license costs but also patch effort. This discussion belongs in the next IT strategy meeting, not in the security routine.<\/p>\n<p>For CISOs and supervisory boards, the update yields a concrete action logic. The KEV line belongs in every quarterly board report in 2026. The number of open KEV vulnerabilities, time-to-patch compared to the CISA deadline, and compliance status per regulated industry are three robust KPIs. <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/23\/asp-net-core-cve-2026-40372-cvss-9-1-compliance-implications\/\">The ASP.NET Core discussion regarding DORA and NIS2<\/a> has shown how close the connection between individual CVEs (Common Vulnerabilities and Exposures) and regulatory reporting obligations has become. Those who translate the KEV movement into their own board briefing create clarity at management level.<\/p>\n<h2 style=\"padding-top:48px;\">Frequently Asked Questions<\/h2>\n<h3>Which eight vulnerabilities are included in the April 20 update?<\/h3>\n<p>Three Cisco Catalyst SD-WAN Manager CVEs (2026-20122, -20128, -20133), PaperCut NG\/MF CVE-2023-27351, JetBrains TeamCity CVE-2024-27199, Kentico Xperience CVE-2025-2749, Quest KACE SMA CVE-2025-32975 and Synacor Zimbra CVE-2025-48700. 
The three Cisco vulnerabilities have the April 23 deadline; the other five, Zimbra included, have the May 4 deadline.<\/p>\n<h3>Are CISA deadlines also binding for German companies?<\/h3>\n<p>Not directly. CISA deadlines are binding only for US federal agencies in the Federal Civilian Executive Branch, under Binding Operational Directive 22-01. For German companies they are a recommendation with high reference value. NIS2 (Network and Information Systems Directive 2) operators, KRITIS (critical infrastructure) operators and DORA (Digital Operational Resilience Act)-regulated entities increasingly use them as internal escalation proxies.<\/p>\n<h3>What distinguishes the KEV catalog from the BSI advisory system?<\/h3>\n<p>The KEV catalog exclusively documents vulnerabilities with evidence of active exploitation and sets hard remediation deadlines for US federal agencies. The BSI (Federal Office for Information Security) publishes advisories with a broader risk assessment and without mandatory patch deadlines for the private sector. The two complement each other, with the KEV catalog being the operationally sharper instrument.<\/p>\n<h3>How often should a security team check for KEV updates?<\/h3>\n<p>At least weekly, ideally with automated notification via the RSS feed or the machine-readable JSON and CSV versions of the catalog. For updates with short deadlines like the one from April 20, an escalation routine that hands the update to internal triage within 24 hours is worthwhile.<\/p>\n<h3>Which tools are suitable for KEV monitoring?<\/h3>\n<p>Classic vulnerability management tools such as Tenable, Qualys and Rapid7 integrate KEV matching natively. Open-source alternatives such as OpenVAS and Wazuh have KEV modules available. Those working with SBOM-based systems use Anchore, Snyk or Grype. The choice depends on the existing tool landscape.<\/p>\n<h3>What does this wave of vulnerabilities mean for mid-sized company security operations?<\/h3>\n<p>Mid-sized companies without a 24&#215;7 SOC have a harder time addressing all eight vulnerabilities cleanly within 14 days. 
Prioritization based on exposure and business criticality is all the more important. Those with a managed security partner should explicitly coordinate the response path with them.<\/p>\n<div class=\"evm-styled-box\" style=\"background:#f0f9fa;padding:20px 24px;margin:24px 0;border-top:3px solid #69d8ed;\">\n<h2 style=\"margin-top:0;margin-bottom:12px;font-size:1.05em;\">Editor&#8217;s Reading Recommendations<\/h2>\n<p style=\"margin:0 0 8px;\"><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/23\/papercut-ng-mf-under-active-attack-why-a-2023-bug-re-enters\/\">PaperCut NG\/MF: 2023 Bug Back in CISA-KEV<\/a><\/p>\n<p style=\"margin:0 0 8px;\"><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/23\/asp-net-core-cve-2026-40372-cvss-9-1-compliance-implications\/\">ASP.NET Core CVE-2026-40372: DORA and NIS2 Compliance<\/a><\/p>\n<p style=\"margin:0;\"><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/23\/cisco-catalyst-sd-wan-manager-three-cves-under-fire-cisa\/\">Cisco Catalyst SD-WAN Manager: Three CVEs Under Attack<\/a><\/p>\n<\/div>\n<div class=\"evm-styled-box\" style=\"background:#f8f9fa;padding:20px 24px;margin:24px 0;border-top:3px solid #354037;\">\n<h2 style=\"margin-top:0;margin-bottom:12px;font-size:1.05em;\">More from the MBF Media Network<\/h2>\n<p style=\"margin:0 0 8px;\"><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/04\/24\/saas-sprawl-audit-mittelstand-2026-90-tage-finops-procurement\/\">Cloudmagazin: SaaS Sprawl Audit in the SME Sector 2026<\/a><\/p>\n<p style=\"margin:0 0 8px;\"><a href=\"https:\/\/mybusinessfuture.com\/fortune-it-services-6000-milliarden-cognizant-outcome-mittelstand-2026\/\">MyBusinessFuture: Fortune Report April 22 and IT Services Outcome Models<\/a><\/p>\n<p style=\"margin:0;\"><a href=\"https:\/\/www.digital-chiefs.de\/cio-welle-april-2026-mike-kelly-autodesk-brian-rice-albertsons-hybride-profile\/\">Digital Chiefs: CIO Wave April 2026 with hybrid tech profiles<\/a><\/p>\n<\/div>\n<p 
style=\"text-align:right;font-style:italic;color:#888;font-size:0.85em;margin-top:24px;\">Source cover image: Pexels \/ Erik Mclean (px:6016937)<\/p>\n","protected":false},"excerpt":{"rendered":"CISA KEV Update from April 20, 2026 with eight vulnerabilities, patch deadlines on April 23 and May 4. 14-day response plan for DACH security teams.","protected":false},"author":50,"featured_media":12896,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"CISA KEV Update from April 20, 2026: Eight vulnerabilities (Cisco, PaperCut, Zimbra, JetBrains), deadlines 04\/23 and 05\/04, 14-day response plan.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":"","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":"","footnotes":""},"categories":[3],"tags":[],"class_list":["post-12993","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aktuelles"],"wpml_language":"en","wpml_translation_of":12897,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=12993"}],"version-history":[{"count":2,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12993\/revi
sions"}],"predecessor-version":[{"id":13184,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12993\/revisions\/13184"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/12896"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=12993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=12993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=12993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}