Organizations Warned of Exploited Cisco, Kentico, Zimbra Vulnerabilities

The weakness exists because the Staging Sync Server of Kentico Xperience versions 13.0.178 and prior would upload arbitrary files to path-relative locations. Authentication is required for successful exploitation.In March last year, WatchTowrexplainedthat hackers could chain three flaws in Kentico, including an authenticated RCE issue, to compromise deployments. Two of the weaknesses, tracked as CVE-2025-2746 and CVE-2025-2747, wereadded to CISA’s KEV catalogin October.The ZCS vulnerability that CISA added to KEV this week is CVE-2025-48700, an XSS bug in the Zimbra Classic UI that can be exploited to execute JavaScript code within the user’s session.Rooted in the insufficient sanitization of HTML content, the flaw can be triggered when the user opens a crafted message in the Classic UI.The other three flaws added to CISA’s KEV on Monday include CVE-2025-32975, a critical Quest KACE issueflagged as potentially exploitedlast month; CVE-2024-27199, a JetBrains TeamCity weaknessexploited for over two years; and CVE-2023-27351, a PaperCut defectexploited since April 2023.CISA urges federal agencies to patch the Cisco and Zimbra vulnerabilities by April 23, and the other four issues by May 4.Related:Hackers Fail to Exploit Flaw in Discontinued TP-Link RoutersRelated:Recent Apache ActiveMQ Vulnerability Exploited in the WildRelated:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

In March last year, WatchTowrexplainedthat hackers could chain three flaws in Kentico, including an authenticated RCE issue, to compromise deployments. Two of the weaknesses, tracked as CVE-2025-2746 and CVE-2025-2747, wereadded to CISA’s KEV catalogin October.The ZCS vulnerability that CISA added to KEV this week is CVE-2025-48700, an XSS bug in the Zimbra Classic UI that can be exploited to execute JavaScript code within the user’s session.Rooted in the insufficient sanitization of HTML content, the flaw can be triggered when the user opens a crafted message in the Classic UI.The other three flaws added to CISA’s KEV on Monday include CVE-2025-32975, a critical Quest KACE issueflagged as potentially exploitedlast month; CVE-2024-27199, a JetBrains TeamCity weaknessexploited for over two years; and CVE-2023-27351, a PaperCut defectexploited since April 2023.CISA urges federal agencies to patch the Cisco and Zimbra vulnerabilities by April 23, and the other four issues by May 4.Related:Hackers Fail to Exploit Flaw in Discontinued TP-Link RoutersRelated:Recent Apache ActiveMQ Vulnerability Exploited in the WildRelated:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

The ZCS vulnerability that CISA added to KEV this week is CVE-2025-48700, an XSS bug in the Zimbra Classic UI that can be exploited to execute JavaScript code within the user’s session.Rooted in the insufficient sanitization of HTML content, the flaw can be triggered when the user opens a crafted message in the Classic UI.The other three flaws added to CISA’s KEV on Monday include CVE-2025-32975, a critical Quest KACE issueflagged as potentially exploitedlast month; CVE-2024-27199, a JetBrains TeamCity weaknessexploited for over two years; and CVE-2023-27351, a PaperCut defectexploited since April 2023.CISA urges federal agencies to patch the Cisco and Zimbra vulnerabilities by April 23, and the other four issues by May 4.Related:Hackers Fail to Exploit Flaw in Discontinued TP-Link RoutersRelated:Recent Apache ActiveMQ Vulnerability Exploited in the WildRelated:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

Rooted in the insufficient sanitization of HTML content, the flaw can be triggered when the user opens a crafted message in the Classic UI.The other three flaws added to CISA’s KEV on Monday include CVE-2025-32975, a critical Quest KACE issueflagged as potentially exploitedlast month; CVE-2024-27199, a JetBrains TeamCity weaknessexploited for over two years; and CVE-2023-27351, a PaperCut defectexploited since April 2023.CISA urges federal agencies to patch the Cisco and Zimbra vulnerabilities by April 23, and the other four issues by May 4.Related:Hackers Fail to Exploit Flaw in Discontinued TP-Link RoutersRelated:Recent Apache ActiveMQ Vulnerability Exploited in the WildRelated:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

The other three flaws added to CISA’s KEV on Monday include CVE-2025-32975, a critical Quest KACE issueflagged as potentially exploitedlast month; CVE-2024-27199, a JetBrains TeamCity weaknessexploited for over two years; and CVE-2023-27351, a PaperCut defectexploited since April 2023.CISA urges federal agencies to patch the Cisco and Zimbra vulnerabilities by April 23, and the other four issues by May 4.Related:Hackers Fail to Exploit Flaw in Discontinued TP-Link RoutersRelated:Recent Apache ActiveMQ Vulnerability Exploited in the WildRelated:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

CISA urges federal agencies to patch the Cisco and Zimbra vulnerabilities by April 23, and the other four issues by May 4.Related:Hackers Fail to Exploit Flaw in Discontinued TP-Link RoutersRelated:Recent Apache ActiveMQ Vulnerability Exploited in the WildRelated:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

Related:Hackers Fail to Exploit Flaw in Discontinued TP-Link RoutersRelated:Recent Apache ActiveMQ Vulnerability Exploited in the WildRelated:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

Related:Recent Apache ActiveMQ Vulnerability Exploited in the WildRelated:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

Related:Cursor AI Vulnerability Exposed Developer DevicesRelated:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

Related:NIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical Software

Source: SecurityWeek