Jordan Polasek · Founder, BVTech LLC · April 26, 2026 · 10 min read
A busy week at CISA. Two KEV updates in one workweek added twelve vulnerabilities: eight on Monday April 20, four more on Friday April 24. The Monday batch is dominated by three Cisco Catalyst SD-WAN Manager flaws with a three-day federal patch deadline; the Friday batch is the SimpleHelp / Samsung MagicINFO mess that ransomware crews have been quietly running for months.
If you run Cisco Catalyst SD-WAN Manager, PaperCut NG/MF, JetBrains TeamCity, Quest KACE SMA, Zimbra Collaboration, Samsung MagicINFO, SimpleHelp, or D-Link DIR-823X, this week is for you. Federal patch deadlines for the Cisco trio were April 23. For everything else, May 4 to May 15.
Twelve flaws is too many to walk through one-by-one with the depth they deserve, so I am going to group them and tell you what the threat actors are actually doing with each cluster.
CVEs: 2026-20122, 2026-20128, 2026-20133 · CISA KEV added: April 20, 2026 · Federal patch deadline: April 23, 2026
Three vulnerabilities in Cisco Catalyst SD-WAN Manager, all critical, all added the same day, with the shortest federal deadline I have seen in recent memory: three days. CVE-2026-20122 is incorrect use of privileged APIs. CVE-2026-20128 is storing passwords in a recoverable format. CVE-2026-20133 is exposure of sensitive information to an unauthorized actor. Chain them and an unauthenticated attacker can pull credentials, escalate, and pivot through whatever SD-WAN fabric the box is managing.
Cisco SD-WAN Manager is not common in 5-person Texas businesses, but it is the standard for multi-site retail, healthcare networks, and managed service providers serving regional chains. If you operate twelve locations and lean on SD-WAN to glue them together, you almost certainly run this stack.
Curiously, Cisco itself had not flagged CVE-2026-20133 as exploited at the time CISA added it, which suggests CISA has source intelligence Cisco does not. That is the kind of detail worth paying attention to.
What to do:
The other five in the Monday dump are the more relevant ones for typical Texas SMBs.
CVE-2023-27351 (PaperCut NG/MF, CVSS 8.2) is an improper authentication flaw that has been exploited in the wild since early 2023 by Lace Tempest, the Clop ransomware affiliate. If you run PaperCut for print management in a school, law firm, or medical office, you are a textbook Lace Tempest target.
CVE-2024-27199 (JetBrains TeamCity, CVSS 7.3) is a path traversal allowing limited admin actions. TeamCity is a build server; once an attacker has admin actions on a build server, they can plant code in your software supply chain. Specifically dangerous if you have any home-grown software.
CVE-2025-2749 (Kentico Xperience), CVE-2025-32975 (Quest KACE SMA), CVE-2025-48700 (Zimbra Collaboration XSS): Kentico is an enterprise CMS; KACE is endpoint management; Zimbra is alternative email. All three have credible exploitation signals and federal deadlines of May 4.
For Texas businesses, the practical guidance is to inventory what you actually run. Most of you do not run any of these. If you do, patch by May 4 and check logs.
CVE-2024-57726 and CVE-2024-57728 (SimpleHelp) are an authorization-missing flaw and a path traversal, respectively. SimpleHelp is a remote-support tool; think TeamViewer alternative. The Akira ransomware crew has been chaining these two against managed service providers since January 2025, using a compromised MSP's SimpleHelp instance as the initial access into the MSP's downstream client environments. If you use SimpleHelp anywhere in your stack, patch now.
CVE-2024-7399 (Samsung MagicINFO 9 Server) is a path traversal in Samsung's digital signage management server. Digital signage might sound like a trivial target, but MagicINFO instances are often connected to corporate networks for content distribution. A compromised signage server is a foothold like any other.
CVE-2025-29635 (D-Link DIR-823X) is a command injection in a consumer/SOHO router. If anyone in your business is still running a D-Link DIR-823X, replace the router. End-of-life consumer routers should never sit in front of a business network.
PaperCut. JetBrains. SimpleHelp. SD-WAN Manager. KACE. Every product on this week's KEV list is a tool that an organization installed specifically because it makes administration easier. Print servers, build servers, remote-support tools, endpoint-management appliances. They are all positioned at exactly the chokepoints attackers love.
I tell my clients this regularly: the things that make a network easy to administer are usually the same things that make it easy to attack. The fix is not to stop using these tools. The fix is to put them behind authentication you actually trust (MFA, IP allowlisting, network segmentation) and to keep them patched on the same cadence you patch your operating systems.
For BVTech-managed clients, we maintain a written inventory of every server, appliance, and SaaS product in scope. When CISA KEV publishes a new entry, we check that inventory the same day. If anything matches, the client gets a phone call before the federal deadline expires. For most Texas SMBs this is the difference between "we patched it Tuesday" and "we are paying a ransom Friday."
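The same-day check described above can be scripted. The sketch below is an added example, not BVTech's tooling: the field names follow CISA's KEV JSON feed, the feed excerpt is a constructed sample using the CVE IDs and dates from this article, and the inventory rows and asset names are hypothetical.

```python
import json
import re
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (only the fields used here).
# CVE IDs and dates are the ones the article states; vendor/product strings are
# written as the article names them and may differ from the live feed.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
   "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
  {"cveID": "CVE-2025-32975", "vendorProject": "Quest",
   "product": "KACE SMA", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"},
  {"cveID": "CVE-2025-48700", "vendorProject": "Zimbra",
   "product": "Collaboration", "dateAdded": "2026-04-20", "dueDate": "2026-05-04"}
]}
""")

# Hypothetical written inventory: one row per server, appliance or SaaS product.
INVENTORY = [
    {"asset": "hq-sdwan-mgr", "vendor": "Cisco", "product": "SD-WAN Manager"},
    {"asset": "kace-01", "vendor": "quest", "product": "KACE"},
    {"asset": "fileserver-01", "vendor": "ExampleCorp", "product": "Example NAS"},
]

def norm(text):
    """Lower-case and collapse punctuation so 'SD-WAN' matches 'sd wan'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def match_kev(kev, inventory, today, added_since=None):
    """Return inventory assets named by KEV entries, most urgent deadline first."""
    hits = []
    for vuln in kev["vulnerabilities"]:
        if added_since and date.fromisoformat(vuln["dateAdded"]) < added_since:
            continue  # entry predates the last check
        due = date.fromisoformat(vuln["dueDate"])
        for item in inventory:
            same_vendor = norm(item["vendor"]) == norm(vuln["vendorProject"])
            if same_vendor and norm(item["product"]) in norm(vuln["product"]):
                hits.append({"asset": item["asset"], "cve": vuln["cveID"],
                             "due": due, "days_left": (due - today).days})
    return sorted(hits, key=lambda h: h["due"])

if __name__ == "__main__":
    for hit in match_kev(KEV_SAMPLE, INVENTORY, today=date(2026, 4, 21)):
        state = "OVERDUE" if hit["days_left"] < 0 else f"{hit['days_left']} days left"
        print(f"{hit['due']}  {hit['cve']}  {hit['asset']}  {state}")
```

Name matching is only as good as the vendor and product strings in the inventory, so keep them spelled the way the feed spells them and review anything the script does not match by hand.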
If you do not have that kind of inventory written down right now (and most small businesses do not), that is the single most valuable thing BVTech can build for you in a thirty-day engagement.
Call BVTech at (210) 538-3669 or email [email protected]. The first conversation is always free; the inventory pays for itself the first time we save you from a CISA KEV deadline.
Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed IT services provider. He holds AWS and 1Password certifications, the Certified Polysomnographic Technologist credential (CPSGT #294), and won the SuperOps Solo MSP of the Year Award in 2023. Connect with Jordan on LinkedIn or at jordanpolasek.com.