CISA Adds 8 Vulnerabilities to KEV Catalog: Cisco SD-WAN Flaws Highlight Federal Patching Deadlines for 2026

Breaking News: CISA Updates KEV Catalog with Eight Actively Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog, adding eight new vulnerabilities due to evidence of active exploitation. Among the most significant are three flaws affecting Cisco Catalyst SD-WAN Manager, alongside other critical vulnerabilities like CVE-2023-27351 in PaperCut (CVSS 8.2). CISA has set federal remediation deadlines for April-May 2026, requiring agencies to patch these vulnerabilities. This action reinforces CISA's authority under Binding Operational Directive (BOD) 22-01 and has immediate implications for federal cybersecurity compliance, including CMMC 2.0, FedRAMP, and SEC disclosure requirements.

Vulnerability Details: The Eight New KEV Entries

The newly added vulnerabilities represent a mix of network infrastructure and application security risks. While CISA's full announcement provides detailed technical descriptions, the inclusion of three Cisco Catalyst SD-WAN Manager flaws is particularly notable given the widespread adoption of SD-WAN in government and enterprise networks. These vulnerabilities could allow attackers to bypass authentication, execute arbitrary code, or gain elevated privileges on affected systems.

Key vulnerabilities added include:

• CVE-2023-27351 (PaperCut): Improper authentication vulnerability with a CVSS score of 8.2, indicating high severity and active exploitation in the wild.
• Cisco Catalyst SD-WAN Manager Flaws: Three separate vulnerabilities affecting this widely deployed network management platform, with exploitation evidence suggesting they are being used in targeted attacks.
• Additional Network and Application Vulnerabilities: Five other vulnerabilities across various vendors, all with documented evidence of active exploitation.

Organizations should verify the complete list through CISA's official KEV catalog, as the agency regularly updates entries based on evolving threat intelligence.

Compliance Implications: Federal Deadlines and Broader Mandates

Binding Operational Directive 22-01 and Federal Agency Requirements

CISA's KEV catalog carries significant regulatory weight through Binding Operational Directive 22-01, which requires federal civilian executive branch agencies to remediate catalogued vulnerabilities within specified timeframes. For these eight new entries, CISA has established deadlines in April-May 2026. This gives agencies approximately two years to identify affected systems, test patches, and implement remediation—a timeline that reflects the complexity of enterprise vulnerability management but also creates a clear compliance obligation.

Impact on Defense Contractors and CMMC 2.0 Compliance

For defense contractors subject to CMMC 2.0, KEV catalog vulnerabilities take on additional importance. The CMMC 2.0 final rule, published in October 2024 and effective December 2024, requires contractors handling Controlled Unclassified Information (CUI) to implement security practices aligned with NIST SP 800-171. This includes timely security patch management (NIST SP 800-171 Requirement 3.11.2). While CMMC 2.0 doesn't explicitly reference the KEV catalog, failure to patch known exploited vulnerabilities would likely constitute a failure to meet "timely" patch management requirements during assessments. Organizations pursuing Level 2 or Level 3 certification should prioritize KEV remediation as part of their vulnerability management programs.

Connections to FedRAMP, SEC Rules, and Critical Infrastructure

The KEV update also intersects with other major US cybersecurity mandates:

• FedRAMP: Cloud service providers serving federal agencies must address KEV catalog vulnerabilities as part of their continuous monitoring requirements under FedRAMP Rev 5.
• SEC Cybersecurity Disclosure Rules: Public companies must disclose material cybersecurity incidents within 4 business days on Form 8-K. Exploitation of KEV-listed vulnerabilities that leads to a material incident would trigger this disclosure requirement.
• CIRCIA: The Cyber Incident Reporting for Critical Infrastructure Act (2022) will require critical infrastructure entities to report significant cyber incidents to CISA within 72 hours. While the final rule is expected in 2025-2026, proactive vulnerability management aligns with CIRCIA's preventive intent.

This regulatory convergence means that even organizations outside the federal government should treat KEV catalog vulnerabilities with heightened priority, as they represent validated threats with regulatory implications across multiple frameworks.

Recommended Actions for Compliance Teams

1. Immediate Inventory and Assessment: Identify all systems in your environment that use affected products, particularly Cisco Catalyst SD-WAN Manager and PaperCut. This includes both federal agencies bound by BOD 22-01 and contractors/regulated entities that should align with federal standards.
2. Develop Remediation Plans by Q3 2025: While the federal deadlines are April-May 2026, organizations should aim to complete testing and planning by Q3 2025 to allow for implementation complexities and potential operational impacts.
3. Integrate KEV Monitoring into Vulnerability Management: Automate monitoring of CISA's KEV catalog updates through tools that can cross-reference your asset inventory with newly added CVEs. Continuous compliance monitoring platforms can connect directly to ERP and IT management systems to automate this correlation.
4. Document for Audit and Disclosure Purposes: Maintain detailed records of vulnerability identification, risk assessment, and remediation efforts. This documentation will be essential for CMMC 2.0 assessments, FedRAMP continuous monitoring, and potential SEC disclosures.
5. Consider Broader Threat Intelligence Integration: The KEV catalog represents one component of a comprehensive threat intelligence program. Organizations should also monitor other sources, including vendor advisories, industry ISACs, and platforms like AIGovHub's SENTINEL module that correlate geopolitical intelligence with technical vulnerabilities.

Future Outlook: Evolving Vulnerability Management Requirements

CISA's KEV catalog will continue to evolve as new exploitation evidence emerges. Organizations should expect:

• More Frequent Updates: As CISA matures its vulnerability management programs under CIRCIA implementation, KEV catalog updates may become more frequent and include shorter remediation timelines.
• Expanded Scope: While currently binding only for federal agencies, state governments and critical infrastructure entities may face increasing pressure to adopt KEV remediation timelines as part of broader cybersecurity harmonization efforts.
• Integration with AI/ML Security: As AI systems become more prevalent in federal IT environments, future KEV entries may include vulnerabilities in AI/ML frameworks and platforms, requiring specialized patching approaches.

For compliance professionals, the key takeaway is that vulnerability management is no longer solely a technical concern—it's a regulatory imperative with specific deadlines and audit implications. Tools that automate compliance monitoring and evidence collection, such as AIGovHub's CCM module with ERP connectors, can significantly reduce the manual burden of tracking KEV requirements across complex environments.

This content is for informational purposes only and does not constitute legal advice. Organizations should verify current CISA KEV catalog entries and consult with legal and compliance professionals regarding specific regulatory obligations.