CISA's KEV Catalog Expands: PaperCut Auth Bypass and Cisco SD-WAN Flaws Under Active Exploitation
CISA added 8 vulnerabilities to its KEV catalog, including a critical PaperCut authentication bypass and three Cisco SD-WAN flaws with federal patch deadlines set for April–May 2026.
This analysis is based on research published by The Hacker News. CypherByte adds analysis, context, and security team recommendations.
Original reporting credit: The Hacker News. CypherByte analysis and threat intelligence layer added by our senior research team.
Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with eight newly confirmed active-exploitation entries, issuing federal remediation deadlines spanning April and May 2026. The additions signal that threat actors — ranging from opportunistic ransomware affiliates to state-aligned intrusion sets — are actively weaponizing these vulnerabilities in the wild, not merely demonstrating proof-of-concept exploitability. At the center of this disclosure is CVE-2023-27351, a high-severity improper authentication vulnerability in PaperCut print management software, alongside three distinct flaws targeting Cisco Catalyst SD-WAN Manager infrastructure. Organizations running these platforms should treat this disclosure as an active incident precursor, not a routine patch advisory.
Security teams in enterprise, government, education, and critical infrastructure sectors carry the most immediate exposure. PaperCut's deployment footprint spans universities, hospitals, legal firms, and government agencies — environments that historically lag on patch cadence and often deprioritize print infrastructure as an attack surface. Similarly, Cisco Catalyst SD-WAN Manager underpins wide-area networking for thousands of distributed enterprises. The combination of high-value targets, delayed patching culture, and confirmed active exploitation makes this KEV update one of the more operationally consequential in recent months. Federal agencies face mandatory remediation under Binding Operational Directive (BOD) 22-01, but the urgency extends well beyond the federal perimeter.
Technical Analysis
CVE-2023-27351 resides in PaperCut NG/MF's application server component and stems from a failure to properly enforce authentication controls on specific API endpoints or administrative functions. Improper authentication vulnerabilities of this class typically allow a remote, unauthenticated attacker to interact with privileged functionality — in PaperCut's case, this can include accessing user data, manipulating print job queues, or, critically, achieving remote code execution when chained with secondary vulnerabilities or abused scripting features within the platform itself. PaperCut has historically been a high-value target; in 2023, exploitation of related PaperCut vulnerabilities (CVE-2023-27350) was attributed to ransomware groups including Cl0p and LockBit affiliates, as well as the Iranian-nexus threat actor Mango Sandstorm (MuddyWater). The now-KEV-confirmed CVE-2023-27351 sits in adjacent territory and compounds the platform's already elevated threat profile.
From a mechanistic standpoint, improper authentication vulnerabilities in web-based print management systems are particularly dangerous because these systems routinely operate with elevated OS-level privileges to manage printers, spool jobs, and interact with Active Directory or LDAP directories. An attacker achieving unauthorized access to PaperCut's admin interface gains not just application-level control but a potential pivot point into directory services, credential stores, and lateral movement paths across the organization. Attack chains observed in prior PaperCut exploitation campaigns involved: unauthenticated access to the admin console → enabling a malicious scripting engine or external device script → OS-level command execution → deployment of a remote access tool or ransomware payload. There is no technical reason to assume CVE-2023-27351 is being exploited in a materially different pattern.
Regarding the Cisco Catalyst SD-WAN Manager vulnerabilities also added to this KEV batch: SD-WAN management planes are architecturally sensitive targets. Compromising the management controller can yield an attacker visibility into network topology, routing policies, VPN configurations, and potentially the ability to reroute or intercept traffic at scale. While specific technical details of all three Cisco entries require further individual analysis, CISA's confirmation of active exploitation means weaponized code is operationally deployed — organizations should assume scanning and exploitation attempts are already underway against internet-facing SD-WAN management interfaces.
Attack chain summary (PaperCut, as observed in prior campaigns): Unauthenticated HTTP Request → Bypassed Auth Gate → Admin Console Access → Script Execution Engine Abuse → OS Command Execution → Persistence / Lateral Movement
Impact Assessment
The affected systems span two distinct but equally critical domains. PaperCut NG and MF installations are pervasive in education (K-12 and higher education), healthcare networks, legal and financial services, and government agencies — sectors with sensitive data obligations and often constrained IT security resources. Successful exploitation of CVE-2023-27351 in these environments could result in data exfiltration of user records and print job content, credential harvesting via LDAP integration abuse, ransomware deployment, and regulatory breach notification obligations under frameworks such as HIPAA, FERPA, or GDPR. The real-world consequence is not theoretical: PaperCut exploitation in 2023 resulted in confirmed ransomware incidents at multiple universities and healthcare providers globally.
For Cisco Catalyst SD-WAN Manager, the blast radius is network-wide. SD-WAN controllers sit at the heart of distributed enterprise connectivity — retail chains, logistics companies, financial institutions with branch networks, and government agencies running hybrid WAN architectures are all potentially affected. Compromise of the management plane can enable persistent network access that survives endpoint-level remediation efforts, creating long dwell times that are difficult to detect through conventional endpoint telemetry. Organizations with internet-exposed SD-WAN management interfaces that have not implemented strict access controls are at the highest immediate risk.
CypherByte's Perspective
This KEV update reinforces a pattern we at CypherByte have been tracking with increasing concern: enterprise infrastructure that was never designed with a hostile internet in mind is now routinely exposed to it. Print management systems, WAN orchestrators, and similar operational tools were historically air-gapped or assumed to live safely behind perimeter defenses. That assumption is functionally dead. Hybrid work models, cloud-connected print infrastructure, and the gradual dissolution of the network perimeter mean that PaperCut admin consoles and SD-WAN management interfaces frequently have some degree of internet reachability — intentional or otherwise.
There is also a broader intelligence signal in how CISA is timing these KEV additions. The gap between CVE-2023-27351's original disclosure in 2023 and its 2026 KEV confirmation suggests either that exploitation was not widely observed until recently, that attribution required extended analysis, or that the vulnerability was being exploited quietly — possibly by more disciplined threat actors who avoided the noisy ransomware deployments that draw immediate attention. Quiet exploitation is often more damaging than loud exploitation, and defenders should audit for historic compromise indicators, not just apply the patch and consider the matter closed.
Indicators and Detection
Security teams should prioritize the following detection and hunting activities in response to this KEV update:
For PaperCut (CVE-2023-27351): Review web application firewall and proxy logs for unauthenticated requests to PaperCut admin endpoints — particularly /app?service=page/SetupCompleted, /api/health, and similar paths that have been abused in prior PaperCut exploitation campaigns. Look for anomalous process spawning from the PaperCut application server process (e.g., pc-app.exe or equivalent on Linux) including shells, scripting engines, or network tools. Monitor for unexpected LDAP query volumes or new scheduled tasks and services created in the wake of PaperCut process activity. Correlate any admin console access against known-good administrator IP ranges — flag any access from unexpected geographies or IP reputation categories.
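The web-log portion of the PaperCut hunt above, as an added example written for this analysis (it is not code from CypherByte, PaperCut, or The Hacker News). The log format, the administrator IP ranges, and the sample lines are all constructed; the two watched paths are the ones named in the text. The script flags three things: unauthenticated requests to a watched endpoint, watched-endpoint requests from outside the admin allowlist, and any follow-on request from a source that previously touched the SetupCompleted page.

```python
"""Hunt web-proxy/WAF log lines for the PaperCut admin-endpoint patterns
named in the article. Log format, IP ranges and log lines are constructed."""
import ipaddress
import re

# Endpoints the article lists as abused in prior PaperCut campaigns.
WATCHED_PATHS = ("/app?service=page/SetupCompleted", "/api/health")

# Constructed known-good administrator source ranges; substitute your own.
ADMIN_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed combined-log-style format (assumption, not any specific proxy's format):
# <client_ip> - <authenticated user or -> [<timestamp>] "<METHOD> <path> HTTP/x" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Constructed sample lines: one legitimate admin session, two external sources.
SAMPLE_LOG = """\
10.20.1.15 - jdoe [01/Apr/2026:08:01:02 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200
203.0.113.44 - - [01/Apr/2026:08:03:10 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200
203.0.113.44 - - [01/Apr/2026:08:03:11 +0000] "POST /app HTTP/1.1" 302
198.51.100.7 - - [01/Apr/2026:08:05:00 +0000] "GET /api/health HTTP/1.1" 200
10.20.1.15 - jdoe [01/Apr/2026:08:06:30 +0000] "GET /api/health HTTP/1.1" 200
"""


def in_admin_ranges(ip):
    """True when the client address falls inside a known-good admin range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_RANGES)


def hunt(log_text):
    """Return one finding per log line that matches at least one hunting rule."""
    findings = []
    setup_hitters = set()  # sources that touched the SetupCompleted page
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats instead of aborting the hunt
        rec = m.groupdict()
        reasons = []
        watched = any(rec["path"].startswith(p) for p in WATCHED_PATHS)
        if watched and rec["user"] == "-":
            reasons.append("unauthenticated request to watched endpoint")
        if watched and not in_admin_ranges(rec["ip"]):
            reasons.append("source outside admin allowlist")
        if "SetupCompleted" in rec["path"]:
            setup_hitters.add(rec["ip"])
        elif rec["ip"] in setup_hitters:
            # Any later request from a source that hit the setup page deserves review.
            reasons.append("follow-on request from source that hit SetupCompleted")
        if reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ip"], f["path"], f["status"], "; ".join(f["reasons"]))
```

Expect the /api/health rule to be noisy wherever monitoring probes or load balancers poll that path; add those sources to the allowlist rather than dropping the rule, since the unauthenticated SetupCompleted hit followed by a POST is the pattern that matters most.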
For Cisco Catalyst SD-WAN Manager: Audit authentication logs on the vManage controller for failed authentication bursts followed by successful logins — a hallmark of credential stuffing or authentication bypass attempts. Review configuration change logs for unauthorized policy modifications, new user account creation, or VPN tunnel reconfiguration. Ensure management plane access is restricted to dedicated out-of-band management networks and not reachable from the public internet. Check for unexpected outbound connections from the SD-WAN manager to external IP addresses.
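The "failed authentication burst followed by a successful login" check described above, as an added example written for this analysis (not Cisco's code and not a vManage feature). The line format is a constructed key=value syslog stand-in, not vManage's real log syntax, and the threshold and window are assumptions to tune per environment. The third source in the sample deliberately has six failures but a success ninety minutes later, which falls outside the window and is not alerted.

```python
"""Detect failed-authentication bursts followed by a successful login on a
management controller, over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures inside the window that count as a burst
WINDOW = timedelta(minutes=5)  # failures older than this (relative to the current event) expire

# Constructed line format (assumption, not vManage's real syslog format):
# <ISO-8601 UTC> src=<ip> user=<name> result=<SUCCESS|FAIL>
SAMPLE_AUTH_LOG = """\
2026-04-02T03:10:00Z src=203.0.113.9 user=admin result=FAIL
2026-04-02T03:10:05Z src=203.0.113.9 user=admin result=FAIL
2026-04-02T03:10:09Z src=203.0.113.9 user=netops result=FAIL
2026-04-02T03:10:14Z src=203.0.113.9 user=admin result=FAIL
2026-04-02T03:10:20Z src=203.0.113.9 user=admin result=FAIL
2026-04-02T03:11:02Z src=203.0.113.9 user=admin result=SUCCESS
2026-04-02T03:12:00Z src=10.99.0.4 user=netops result=FAIL
2026-04-02T03:12:30Z src=10.99.0.4 user=netops result=SUCCESS
2026-04-02T05:00:00Z src=198.51.100.20 user=admin result=FAIL
2026-04-02T05:00:01Z src=198.51.100.20 user=admin result=FAIL
2026-04-02T05:00:02Z src=198.51.100.20 user=admin result=FAIL
2026-04-02T05:00:03Z src=198.51.100.20 user=admin result=FAIL
2026-04-02T05:00:04Z src=198.51.100.20 user=admin result=FAIL
2026-04-02T05:00:05Z src=198.51.100.20 user=admin result=FAIL
2026-04-02T06:30:00Z src=198.51.100.20 user=admin result=SUCCESS
"""


def parse(line):
    """Split one constructed log line into (timestamp, src, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["src"], kv["user"], kv["result"]


def detect_burst_then_success(log_text):
    """Return one alert per source whose success follows >= FAIL_THRESHOLD
    failures that all occurred within WINDOW of that success."""
    alerts = []
    recent_fails = defaultdict(deque)  # src -> timestamps of failures still inside WINDOW
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse(line)
        q = recent_fails[src]
        while q and ts - q[0] > WINDOW:  # expire failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
        elif result == "SUCCESS":
            if len(q) >= FAIL_THRESHOLD:
                alerts.append({"src": src, "user": user, "failures": len(q),
                               "first_fail": q[0].isoformat(),
                               "success_at": ts.isoformat()})
            q.clear()  # a success, alerted or not, starts a fresh window for this source
    return alerts


if __name__ == "__main__":
    for a in detect_burst_then_success(SAMPLE_AUTH_LOG):
        print(a)
```

Keying the window on source address catches credential stuffing and spray-then-login behaviour from a single origin; a distributed campaign rotating sources will slip past it, so run a second instance of the same logic keyed on the target username as well.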
Recommendations
1. Patch Immediately — Do Not Wait for Scheduled Maintenance Windows. CISA's KEV listing is an unambiguous signal of active exploitation. Apply available PaperCut patches addressing CVE-2023-27351 and all associated Cisco Catalyst SD-WAN Manager updates as emergency changes. Federal agencies are legally bound to the April–May 2026 deadlines; private sector organizations should treat those same timelines as absolute maximums, not targets.
2. Restrict Administrative Interface Exposure. If PaperCut admin consoles or Cisco SD-WAN management interfaces are reachable from the public internet or untrusted network segments, isolate them immediately. Implement allowlist-based IP restrictions, VPN-only access requirements, and multi-factor authentication on all administrative pathways before patch deployment is complete.
3. Conduct Compromise Assessment. Given the extended window between original CVE disclosure and KEV confirmation, security teams should conduct a focused compromise assessment — not merely verify patch status. This includes reviewing authentication logs, examining process execution history on PaperCut servers, auditing administrative account creation, and checking for persistence mechanisms including scheduled tasks, cron jobs, and new service installations.
4. Implement Runtime Behavioral Monitoring. Deploy or validate endpoint detection and response (EDR) coverage on PaperCut application servers and any systems running Cisco SD-WAN management software. Configure alerts for process injection, unexpected child process creation, and outbound network connections to uncategorized or low-reputation destinations from these systems.
5. Review and Rotate Credentials. Given PaperCut's LDAP/Active Directory integration, treat any unpatched or potentially compromised PaperCut installation as a potential credential harvesting vector. Audit privileged accounts, rotate service account passwords, and review for any anomalous authentication events in directory services during the exploitation window.
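The process-execution review called for in recommendations 3 and 4 (shells or scripting engines descended from the PaperCut server process), as an added example written for this analysis rather than code from CypherByte, PaperCut, or any EDR vendor. The events are constructed JSON lines in a Sysmon-like shape; the Linux process name pc-app is an assumption standing in for the article's "equivalent on Linux", and the suspicious-child list is a starting point, not a complete one. The walk goes up the full ancestry rather than checking only the immediate parent, so a shell launched through an intermediate process is still attributed to the print server.

```python
"""Hunt process-creation events for shells and scripting engines that descend
from the PaperCut application server process. Events are constructed."""
import json

# The article names pc-app.exe on Windows; the Linux name here is an assumption.
PAPERCUT_SERVER = {"pc-app.exe", "pc-app"}

# Child images that should not normally descend from a print server.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe",
    "sh", "bash", "python", "python3", "curl", "wget", "nc",
}

# Constructed sample events: one benign child of pc-app.exe, one shell, one
# grandchild via that shell, and an unrelated user shell under explorer.exe.
SAMPLE_EVENTS = """\
{"pid": 900, "ppid": 4, "image": "services.exe", "user": "SYSTEM", "ts": "2026-04-01T07:00:00Z"}
{"pid": 4100, "ppid": 900, "image": "pc-app.exe", "user": "SYSTEM", "ts": "2026-04-01T07:00:05Z"}
{"pid": 4150, "ppid": 4100, "image": "conhost.exe", "user": "SYSTEM", "ts": "2026-04-01T07:00:06Z"}
{"pid": 4200, "ppid": 4100, "image": "cmd.exe", "user": "SYSTEM", "ts": "2026-04-01T08:03:15Z"}
{"pid": 4210, "ppid": 4200, "image": "powershell.exe", "user": "SYSTEM", "ts": "2026-04-01T08:03:16Z"}
{"pid": 800, "ppid": 4, "image": "explorer.exe", "user": "jdoe", "ts": "2026-04-01T07:30:00Z"}
{"pid": 5000, "ppid": 800, "image": "cmd.exe", "user": "jdoe", "ts": "2026-04-01T08:10:00Z"}
"""


def load_events(text):
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(pid, by_pid, max_depth=8):
    """Yield ancestor image names nearest-first, stopping at an unknown parent,
    the depth cap, or a PID cycle (PIDs are reused on a live host)."""
    seen = {pid}
    ev = by_pid.get(pid)
    for _ in range(max_depth):
        if ev is None or ev["ppid"] not in by_pid or ev["ppid"] in seen:
            return
        ev = by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        yield ev["image"]


def hunt_papercut_children(text):
    """Return a finding for every suspicious image whose ancestry includes the
    PaperCut server process, with the reconstructed chain and its depth."""
    events = load_events(text)
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() not in SUSPICIOUS_CHILDREN:
            continue
        lineage = list(ancestry(e["pid"], by_pid))
        for depth, anc in enumerate(lineage, start=1):
            if anc.lower() in PAPERCUT_SERVER:
                chain = " -> ".join(reversed(lineage[:depth])) + " -> " + e["image"]
                findings.append({"pid": e["pid"], "image": e["image"], "user": e["user"],
                                 "ts": e["ts"], "depth": depth, "chain": chain})
                break
    return findings


if __name__ == "__main__":
    for f in hunt_papercut_children(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["chain"])
```

On a real host, feed this from Sysmon Event ID 1 or auditd execve records exported as JSON lines, and treat the depth field as triage context: a depth-1 shell under pc-app.exe is the pattern the article's attack chain describes, while deeper chains usually indicate the follow-on tooling stage.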
This analysis was produced by CypherByte's senior research team. Source intelligence derived from CISA's KEV catalog update as reported by The Hacker News. For questions about this research or to discuss enterprise applicability, contact the CypherByte research team through our secure disclosure channel.