Attacks on Cisco SD-WAN, Zimbra, TeamCity, PaperCut and more observed

The US IT security authority CISA is currently warning of attacks on Cisco SD-WAN, Zimbra, TeamCity, PaperCut, and other software.


(Image: Skorzewiak/Shutterstock.com)


The US IT security authority CISA warns of currently observed attacks on Cisco SD-WAN, Zimbra, TeamCity, PaperCut, and other software. The vulnerabilities range from 2023 to February 2026, with updates available for patching. Admins should check at this point at the latest whether they are using vulnerable software and update it if necessary.

CISA lists a total of eight vulnerabilities under active attack. The three most recent affect Cisco's Catalyst SD-WAN Manager. According to the descriptions, the software does not correctly use higher-privileged APIs (CVE-2026-20122, CVSS 5.4, risk "medium"), allowing attackers to upload malicious files and escalate their privileges. Cisco's SD-WAN also stores passwords in a recoverable form (CVE-2026-20128, CVSS 7.5, risk "high"), allowing attackers on the network to gain access with Data Collection Agent (DCA) rights. A third vulnerability allows attackers to exfiltrate sensitive information via an API because of insufficient access protection (CVE-2026-20133, CVSS 7.5, risk "high").

Attackers are also targeting a cross-site scripting vulnerability in the collaboration software Zimbra Collaboration Suite (ZCS) (CVE-2025-48700, CVSS 6.1, risk "medium"). Malicious actors are exploiting a vulnerability with the highest possible rating in Quest KACE System Management Appliances (SMA), which lets them gain administrative access and completely take over the systems (CVE-2025-32975, CVSS 10.0, risk "critical"). Also under attack are a path traversal vulnerability in Kentico Xperience (CVE-2025-2749, CVSS 7.2, risk "high") and a vulnerability in JetBrains TeamCity (CVE-2024-27199, CVSS 7.3, risk "high"). The oldest vulnerability is found in PaperCut NG/MF and allows an authentication bypass (CVE-2023-27351, CVSS 8.2, risk "high").


However, details about the attacks are missing. CISA only reports which vulnerabilities have been observed under attack, not how or to what extent they are being exploited. As a result, administrators also lack important information such as Indicators of Compromise (IOCs). For now, IT managers can only check whether the software they use is up to date and not affected by these vulnerabilities.
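One practical way to do that check is to compare a software inventory against CISA's Known Exploited Vulnerabilities (KEV) catalog, which is published as a JSON feed. The script below is an added example and is not code from heise, CISA or any of the vendors named above. It uses CISA's public feed URL but runs entirely offline on a constructed excerpt in the feed's layout; only the CVE IDs, vendors and product names in that excerpt come from the article, while the dates, due dates, ransomware flags and the inventory entries are placeholder values.

```python
"""Cross-check a software inventory against CISA's KEV feed (added example).

Not code from heise, CISA or any vendor named in the article. KEV_URL is CISA's
public feed; SAMPLE_FEED is a constructed excerpt in that feed's layout, and
INVENTORY is a constructed asset list.
"""
import json
import re
import urllib.request
from dataclasses import dataclass

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt: CVE IDs, vendors and products are those named in the article;
# dateAdded, dueDate and knownRansomwareCampaignUse are placeholder values.
SAMPLE_FEED = json.dumps({
    "title": "constructed KEV excerpt",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-48700", "vendorProject": "Zimbra", "product": "Collaboration Suite (ZCS)",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-32975", "vendorProject": "Quest", "product": "KACE System Management Appliance (SMA)",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-2749", "vendorProject": "Kentico", "product": "Xperience",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-27199", "vendorProject": "JetBrains", "product": "TeamCity",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "PaperCut NG/MF",
         "dateAdded": "2026-02-01", "dueDate": "2026-02-20", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


@dataclass(frozen=True)
class Asset:
    vendor: str
    product: str
    version: str  # carried into the report only; version comparison is out of scope here


def _tokens(name):
    """Lower-case word tokens of a name, ignoring parenthesised aliases such as '(ZCS)'."""
    return set(re.findall(r"[a-z0-9]+", re.sub(r"\([^)]*\)", "", name.lower())))


def load_feed(text):
    """Parse KEV JSON text and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def fetch_feed(url=KEV_URL, timeout=30):
    """Download and parse the live feed (not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_feed(resp.read().decode("utf-8"))


def product_matches(asset, entry):
    """Vendor must match; products match when one name's tokens are contained in the other's."""
    if _tokens(asset.vendor) != _tokens(entry["vendorProject"]):
        return False
    a, e = _tokens(asset.product), _tokens(entry["product"])
    return bool(a) and bool(e) and (a <= e or e <= a)


def match_inventory(entries, inventory):
    """One row per (asset, KEV entry) pair, sorted by due date so the most urgent come first."""
    rows = []
    for asset in inventory:
        for entry in entries:
            if product_matches(asset, entry):
                rows.append({
                    "vendor": asset.vendor, "product": asset.product, "version": asset.version,
                    "cveID": entry["cveID"], "dueDate": entry.get("dueDate", ""),
                    "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                })
    return sorted(rows, key=lambda r: (r["dueDate"], r["cveID"]))


# Constructed inventory; the Microsoft entry is there to show a non-match.
INVENTORY = [
    Asset("Cisco", "Catalyst SD-WAN Manager", "20.x (constructed)"),
    Asset("Zimbra", "Zimbra Collaboration Suite", "10.x (constructed)"),
    Asset("JetBrains", "TeamCity", "2023.x (constructed)"),
    Asset("Microsoft", "Exchange Server", "2019 (constructed)"),
]


def demo():
    """Run the offline check: sample feed against the constructed inventory."""
    return match_inventory(load_feed(SAMPLE_FEED), INVENTORY)


if __name__ == "__main__":
    for row in demo():
        print(f'{row["dueDate"]}  {row["cveID"]:<16} {row["vendor"]} {row["product"]} ({row["version"]})')
```

Swap `load_feed(SAMPLE_FEED)` for `fetch_feed()` to run against the live catalog. The token-subset match is deliberately loose so that inventory names like "Zimbra Collaboration Suite" still hit the feed's "Collaboration Suite (ZCS)"; since the KEV feed carries no affected-version ranges, a hit means "verify this asset's version against the vendor advisory", not "this asset is vulnerable".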

Most recently, CISA warned over the weekend that attackers are targeting Apache ActiveMQ and ActiveMQ Broker.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.