
CISA Added 13 Vulnerabilities to KEV in Five Days. Microsoft Defender, Cisco SD-WAN, and Six More Are Being Exploited Right Now.

  • Writer: Patrick Duggan
  • 2 hours ago
  • 4 min read

Between Monday April 20 and Friday April 24, CISA added 13 vulnerabilities to the Known Exploited Vulnerabilities catalog. That is a high-cadence week. The federal remediation deadlines now fall between April 23 and May 4, so for US federal agencies the calendar is already past due on some of these. For everyone else, the active-exploitation flag is the part that matters, and the vendor names tell the story.


Here is the full list, in the order CISA published them.


April 20, eight added in a single bundle:

  • CVE-2026-20122 Cisco Catalyst SD-WAN Manager, incorrect use of privileged APIs
  • CVE-2026-20128 Cisco Catalyst SD-WAN Manager, storing passwords in a recoverable format
  • CVE-2026-20133 Cisco Catalyst SD-WAN Manager, exposure of sensitive information
  • CVE-2024-27199 JetBrains TeamCity, relative path traversal
  • CVE-2025-2749 Kentico Xperience, path traversal
  • CVE-2025-32975 Quest KACE Systems Management Appliance, improper authentication
  • CVE-2025-48700 Synacor Zimbra Collaboration Suite, cross-site scripting
  • CVE-2023-27351 PaperCut NG/MF, improper authentication

Three Cisco Catalyst SD-WAN Manager vulnerabilities in one drop. The PaperCut bug has been known-bad since 2023 and is apparently still finding new victims.


April 22, one added: CVE-2026-33825 Microsoft Defender, insufficient granularity of access control. Under active exploitation, in Microsoft Defender, the endpoint product the author puts on roughly a billion machines.


April 24, four added:

  • CVE-2024-7399 Samsung MagicINFO 9 Server, path traversal
  • CVE-2024-57726 SimpleHelp, missing authorization
  • CVE-2024-57728 SimpleHelp, path traversal
  • CVE-2025-29635 D-Link DIR-823X, command injection


That is the inventory. Now the analysis.


The Cisco Catalyst SD-WAN Manager triple-add is the biggest story in the bundle, and we have been tracking it. SD-WAN Manager (formerly vManage) is the management plane for branch connectivity at thousands of enterprises, banks, and federal agencies: it pushes configuration to every edge router it controls. Three concurrent vulnerabilities in that plane, privileged API misuse, recoverable password storage, and sensitive information exposure, are not three random bugs. They all point at the same prize: whoever gets into the manager gets the credentials and the configuration for the WAN it administers. We covered Cisco's worst week in cybersecurity history on April 3, then the Cisco-paid follow-up on April 4, and the Cisco FMC PoC webshell post a few weeks before that. CISA confirming three more Cisco vulnerabilities under active exploitation extends a pattern.





The Defender CVE-2026-33825 is the second story. Microsoft Defender being added to CISA KEV is not routine. Defender is not Office or Edge; it is the security stack itself. We have been writing about Defender zero-days, two of which were still unpatched as of April 18, and CISA has now confirmed that at least one Defender access-control bug is being exploited. Insufficient granularity of access control (CWE-1220) means the product's access checks are coarser than the operations they gate: a principal allowed to do one thing can do more than the documentation says it can. If your detection-and-response stack is built around Defender alone, you should be calling your Microsoft account manager and asking what isolation you have in the meantime.


The four April 24 entries are the long tail. Samsung MagicINFO 9 Server is the digital signage management product running at airports, hospitals, and retail chains; path traversal. SimpleHelp is a remote support tool used by IT teams and managed service providers, with both an authorization bypass and a path traversal in the same product, both being weaponized. D-Link DIR-823X is a consumer-grade router, and in 2026 a compromised consumer router means a botnet recruit, and botnet recruits mean DDoS-for-hire infrastructure tomorrow. Three of those four CVEs are 2024 vintage. Old vulnerabilities, fresh exploitation. Patch lag is a recurring theme in this catalog.


What this week tells you about the threat landscape. First, vendors that own the management plane, Cisco SD-WAN Manager, Microsoft Defender, SimpleHelp, are taking direct hits. The attackers are climbing the privilege ladder by going after the systems that manage other systems. Second, old CVEs are being weaponized fresh because the patch cadence at small and mid-size organizations is still measured in quarters. Third, the federal deadlines are short, April 23 and May 4, but the private sector has no equivalent forcing function. If your organization runs JetBrains TeamCity, PaperCut, or Zimbra and has not deployed the vendor fixes for the CVEs CISA listed on April 20, some of which have been available since 2023, you are operating outside the security posture the federal mandate requires.


Our STIX feed has all 13 of these CVEs flagged with the CISA KEV tag, the active-exploitation marker, and the vendor name. If you want them in your SIEM by Monday morning, the URL is below. The OPNsense IP and Suricata feeds are also already updated. If you are a federal agency that missed the April 23 deadline, that is a different conversation; talk to your CISA point of contact.
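You do not need a paid feed to do the basic check. CISA publishes the catalog itself as JSON at the URL in the script below, and every record carries dateAdded and dueDate. The following is an added example, not code from this post or from CISA: it parses that document, pulls out one week's additions, cross-references them against a product inventory, and sorts the hits by how overdue they are. The SAMPLE_KEV document and INVENTORY list are constructed for the offline run; the CVE IDs, vendors, products and dateAdded values are the ones listed above, but the dueDate values are placeholders, not CISA's published dates, so read those from the live feed via fetch_kev() when you run it for real.

```python
import json
import urllib.request
from datetime import date

# CISA publishes the catalog at this URL in the JSON shape mirrored below.
KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")


def _entry(cve, vendor, product, added, due):
    """One catalog record, using the feed's own field names."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": added, "dueDate": due}


# Constructed sample. CVE IDs, vendors, products and dateAdded values are the
# ones the post lists; the dueDate values are placeholders so the deadline
# logic has something to act on. Take the real ones from the live feed.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        _entry("CVE-2026-20122", "Cisco", "Catalyst SD-WAN Manager", "2026-04-20", "2026-04-23"),
        _entry("CVE-2024-27199", "JetBrains", "TeamCity", "2026-04-20", "2026-04-23"),
        _entry("CVE-2023-27351", "PaperCut", "NG/MF", "2026-04-20", "2026-04-23"),
        _entry("CVE-2025-48700", "Synacor", "Zimbra Collaboration Suite", "2026-04-20", "2026-04-23"),
        _entry("CVE-2026-33825", "Microsoft", "Defender", "2026-04-22", "2026-04-29"),
        _entry("CVE-2024-57726", "SimpleHelp", "SimpleHelp", "2026-04-24", "2026-05-04"),
        _entry("CVE-2025-29635", "D-Link", "DIR-823X", "2026-04-24", "2026-05-04"),
    ],
})

# Constructed inventory: name fragments your asset database knows about.
INVENTORY = ["TeamCity", "PaperCut", "SimpleHelp", "Defender", "Confluence"]


def load_kev(raw: str) -> list[dict]:
    """Parse the catalog document and return its vulnerability records."""
    return json.loads(raw)["vulnerabilities"]


def fetch_kev(timeout: float = 30.0) -> list[dict]:
    """Pull the live catalog. Not used by the offline run below."""
    with urllib.request.urlopen(KEV_URL, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def added_between(entries, start: str, end: str) -> list[dict]:
    """Records whose dateAdded lies in [start, end] (ISO dates, inclusive)."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return [e for e in entries if lo <= date.fromisoformat(e["dateAdded"]) <= hi]


def matches_inventory(entry: dict, inventory) -> bool:
    """Case-insensitive fragment match against vendor and product."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(term.lower() in haystack for term in inventory)


def triage(entries, inventory, today: str) -> list[dict]:
    """Rows for the records you actually run, most overdue first."""
    now = date.fromisoformat(today)
    rows = []
    for e in entries:
        if not matches_inventory(e, inventory):
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - now).days
        rows.append({"cve": e["cveID"],
                     "product": f"{e['vendorProject']} {e['product']}",
                     "due": e["dueDate"],
                     "days_left": days_left,
                     "past_due": days_left < 0})
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    week = added_between(load_kev(SAMPLE_KEV), "2026-04-20", "2026-04-24")
    for row in triage(week, INVENTORY, today="2026-04-27"):
        flag = "PAST DUE" if row["past_due"] else f"{row['days_left']}d left"
        print(f"{row['cve']:<16} {row['product']:<30} due {row['due']}  {flag}")
```

Swap `load_kev(SAMPLE_KEV)` for `fetch_kev()` and replace INVENTORY with an export from your CMDB, and the Monday-morning run prints only the catalog entries for products you actually operate, with the federal deadline distance next to each. The fragment match is deliberately loose; tighten it to exact vendor/product pairs once you know how your inventory spells them.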


Sources: CISA Adds Eight Known Exploited Vulnerabilities April 20, CISA Adds One April 22, CISA Adds Four April 24, The Hacker News KEV roundup, GBHackers Cisco Catalyst alert, CyberThrone analysis.





