TL;DR

CISA’s Known Exploited Vulnerabilities (KEV) catalogue added another batch of flaws this week, which means attackers are already using them in real-world attacks, not just in lab demos. For Australian SMBs, the urgent priorities are internet-facing infrastructure, remote admin tools, print management, email platforms, and endpoint security software, with the practical patch deadline being now and no later than 27 April 2026 if you are following the same timetable CISA set for federal agencies.

Why this week’s KEV update matters to SMBs

The CISA KEV catalogue is one of the few vulnerability lists that cuts through the noise. If a CVE lands there, exploitation has already been observed in the wild. That matters for a 10-50 person business because most smaller teams do not have time to patch everything, but they do need to patch the things attackers are actively abusing.

This week’s KEV additions hit products that many mid-market and channel-heavy businesses actually run: Cisco SD-WAN infrastructure, Microsoft Defender, JetBrains TeamCity, Quest KACE, Zimbra Collaboration Suite, Kentico Xperience and PaperCut NG/MF. Even if you do not use every product on the list, the pattern is familiar: remote management, admin APIs, mail systems and business workflow tools are still prime entry points for ransomware and follow-on compromise.

For Australian SMB owners, the plain-English rule is simple: if the system helps staff log in, manage devices, print documents, run websites or move email, it is a business risk, not just an IT problem.

The most important KEV additions and what they mean in plain English

1. Cisco Catalyst SD-WAN Manager: three actively exploited flaws

CISA highlighted three Cisco SD-WAN bugs now being exploited in the wild:

  • CVE-2026-20122
  • CVE-2026-20128
  • CVE-2026-20133

Affected vendor: Cisco
Exploitation status: In the wild
Practical deadline: Patch immediately; use 27 April 2026 as the outside deadline from the current KEV cycle

In plain English, these flaws can let a low-privilege user read sensitive data, recover credentials, or overwrite files inside Cisco’s SD-WAN management environment. For an SMB with branch offices, managed networking, or a security provider using Cisco on its behalf, that can become a stepping stone to wider network access.

Why it matters: if your internet edge or WAN management plane is exposed, attackers may not need phishing at all. They can go straight for the system that connects your offices and cloud apps.

2. Microsoft Defender CVE-2026-33825: security software became part of the attack surface

CVE-2026-33825, nicknamed “BlueHammer”, affects Microsoft Defender.

Affected vendor: Microsoft
Exploitation status: In the wild, with proof-of-concept details also publicly discussed
Practical deadline: Patch immediately; if unmanaged endpoints still have the vulnerable build after 27 April 2026, assume elevated risk

This is a local privilege escalation flaw. In plain English, it means an attacker who already has a foothold on a Windows machine can use Defender’s own remediation logic to gain more control. That is especially dangerous for SMBs because it turns a minor compromise, such as a stolen user account or malware dropper, into an admin-level incident.

If your business relies on Microsoft 365 and Windows endpoints, this one matters even if the initial entry point was email, Teams, or a browser download. Defender is meant to contain damage; this bug can help expand it.

The SMB software stack risks hiding behind the headlines

3. JetBrains TeamCity and Quest KACE: tools admins forget, attackers do not

Recent KEV additions also include flaws affecting JetBrains TeamCity and Quest KACE Systems Management Appliance.

Affected vendors: JetBrains, Quest
Exploitation status: In the wild
Practical deadline: Patch or isolate immediately; do not leave exposed over a weekend

These are classic “quietly critical” systems. TeamCity can touch source code, credentials and deployment pipelines. KACE can manage endpoints and software across a whole estate. In plain English, if attackers compromise either tool, they can often move from one box to many.

For SMBs, this is common in IT consultancies, software shops, engineering firms and managed environments where a single admin console controls multiple client or staff devices.

4. Zimbra, Kentico and PaperCut: business apps that can turn into breach paths

This week’s KEV activity also covered Zimbra Collaboration Suite, Kentico Xperience and PaperCut NG/MF.

Affected vendors: Zimbra, Kentico, PaperCut
Exploitation status: In the wild
Practical deadline: Patch now; where no rapid patch path exists, restrict access and review logs today

These platforms are highly relevant to SMBs:

  • Zimbra handles business email and collaboration
  • Kentico powers websites and customer-facing content
  • PaperCut runs printing, scanning and document workflows in schools, clinics, legal offices and general business environments

In plain English, these bugs matter because they sit close to users and business data. A vulnerable mail platform can lead to account takeover. A vulnerable CMS can become a web shell. A vulnerable print server can become an internal launch point for lateral movement.

What about Microsoft 365, Google Workspace, NGINX, Fortinet, Ivanti, VMware and WordPress?

Not every SMB-familiar platform received a fresh KEV addition in the material reviewed this week, but that does not lower the risk. Fortinet and Microsoft products continue to appear regularly in KEV-driven patching discussions, and WordPress remains a live concern because actively exploited plugin bugs can be weaponised faster than many owners realise.

The practical recommendation is:

  • Microsoft 365 shops: patch Windows and Defender first, then review identity protections
  • Google Workspace shops: focus on third-party admin tools, browsers and endpoint agents
  • NGINX, VMware, Fortinet and Ivanti operators: review vendor advisories weekly even if this week’s KEV batch did not centre on your stack
  • WordPress sites: update core, plugins and themes, especially performance and caching plugins with file-upload or remote-fetch features

FAQ

What is the CISA KEV catalogue?

It is CISA’s list of vulnerabilities known to be actively exploited in the wild. It is more actionable than a generic CVE feed because it filters for real-world attacker activity.

Does a US government list matter to an Australian business?

Yes. Attackers do not care whether the victim is in Washington or Wollongong. If a flaw is being exploited against one target set, Australian SMBs running the same software are exposed too.

What if we cannot patch straight away?

Compensate fast: restrict internet exposure, disable vulnerable services where possible, enforce MFA, rotate privileged credentials and monitor logs for suspicious admin activity. Then patch at the earliest maintenance window, not next month’s cycle.

How often should we check the KEV catalogue?

Weekly at minimum. For internet-facing systems, MSP-managed estates and businesses in legal, healthcare, finance or professional services, daily monitoring is better.
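The weekly check described above does not have to be a manual read of the catalogue. CISA publishes KEV as a JSON feed, and a short script can filter it to the products a business actually runs and rank the matches by CISA’s due date. The example below is added here and is not code from the article, from CISA or from any vendor named in it. It runs offline against a constructed sample feed: the four Cisco and Microsoft CVE IDs are the ones the article names, while every date, the two "CVE-2026-0000x" identifiers and the inventory list are placeholders made up for the example. The feed URL is CISA’s real one but is only contacted if you call fetch_live_feed() yourself.

```python
import json
import urllib.request
from datetime import date

# Live feed location (real CISA URL). The offline sample below never contacts it.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV JSON feed. Only the Cisco and Microsoft CVE IDs
# come from the article; dates, ransomware flags and the CVE-2026-0000x entries are placeholders.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "count": 6,
    "vulnerabilities": [
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        # Placeholder ID: an older PaperCut entry whose due date has already passed.
        {"cveID": "CVE-2026-00000", "vendorProject": "PaperCut", "product": "NG/MF",
         "dateAdded": "2026-03-20", "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Known"},
        # Placeholder ID: a vendor this example business does not run, so it must be filtered out.
        {"cveID": "CVE-2026-00001", "vendorProject": "Zimbra", "product": "Collaboration Suite",
         "dateAdded": "2026-04-06", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# What this (hypothetical) business runs: (vendor substring, product substring).
# An empty product string matches every product from that vendor.
EXAMPLE_INVENTORY = [
    ("Cisco", "SD-WAN"),
    ("Microsoft", "Defender"),
    ("PaperCut", ""),
]


def load_feed(raw_json):
    """Return the list of catalogue entries from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def fetch_live_feed(url=KEV_FEED_URL, timeout=30):
    """Download the current catalogue (network call; not used by the offline sample)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def matches_inventory(entry, inventory):
    """True if the entry's vendor and product both match an inventory line (case-insensitive)."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return any(v.lower() in vendor and p.lower() in product for v, p in inventory)


def triage(raw_json, inventory, today, due_soon_days=7):
    """Filter the feed to the business's stack and rank matches by distance to CISA's due date."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for entry in load_feed(raw_json):
        if not matches_inventory(entry, inventory):
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= due_soon_days:
            status = "DUE SOON"
        else:
            status = "SCHEDULED"
        hits.append({
            "cveID": entry["cveID"],
            "vendorProject": entry["vendorProject"],
            "product": entry["product"],
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "status": status,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    # Most urgent first; ties broken by CVE ID so the order is stable.
    hits.sort(key=lambda h: (h["days_left"], h["cveID"]))
    return hits


def format_report(hits):
    """One line per matched CVE, suitable for pasting into a weekly ticket or email."""
    lines = []
    for h in hits:
        lines.append(f'{h["status"]:<9} {h["cveID"]:<16} {h["vendorProject"]} {h["product"]} '
                     f'due {h["dueDate"]} ({h["days_left"]:+d} days) ransomware={h["ransomware"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace SAMPLE_KEV_FEED with fetch_live_feed() to run against the real catalogue.
    print(format_report(triage(SAMPLE_KEV_FEED, EXAMPLE_INVENTORY, date.today())))
```

The inventory match is a deliberately loose substring test, because vendor and product names in KEV are not normalised (the same product can appear under slightly different spellings across entries); tighten it once you have seen how your own products are listed. The knownRansomwareCampaignUse field is carried through so that entries CISA has tied to ransomware campaigns stand out in the report.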

Conclusion

This week’s KEV additions reinforce an old lesson: attackers still win through known flaws in important business systems. If you run Cisco networking, Microsoft Defender, TeamCity, KACE, Zimbra, Kentico or PaperCut, treat these CVEs as immediate business risks and not routine maintenance.

Patch what is internet-facing first, then patch what can manage users, devices or data, and use 27 April 2026 as the hard line for this week’s urgent fixes. Visit consult.lil.business for a free cybersecurity assessment.

