Cyber Threat Brief — April 21 2026
1. Quest KACE SMA SSO Authentication Bypass — CVE-2025-32975
TL;DR: CVSS 10.0 SSO authentication bypass in Quest KACE SMA lets unauthenticated attackers impersonate any user including administrators. CISA KEV added April 20; ITW exploitation confirmed since March 9, 2026 with Mimikatz and remote command execution post-exploitation.
What’s New:
- CISA KEV addition April 20, federal deadline May 4
- ITW exploitation observed since week of March 9, 2026 on internet-exposed SMA instances
- Post-exploitation: KPluginRunProcess functionality abused for remote command execution, additional admin account creation, Mimikatz credential harvesting, registry persistence
- Affects KACE SMA 13.0.x < 13.0.385, 13.1.x < 13.1.81, 13.2.x < 13.2.183, 14.0.x < 14.0.341 (Patch 5), 14.1.x < 14.1.101 (Patch 4)
- Patched since May 2025 — unpatched instances remain actively targeted
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| SSO authentication requests without valid credentials | Auth bypass | T1078.001 | KACE SMA admin audit logs, web server access logs | Hunt — anomalous SSO auth events for admin accounts |
| KPluginRunProcess remote execution | Remote exec | T1059 | KACE SMA application logs | Hunt — unexpected KPluginRunProcess invocations |
| New admin account creation on KACE SMA | Persistence | T1136.001 | KACE SMA admin audit logs | Alert — any new admin accounts created outside change windows |
| Mimikatz execution on managed endpoints | Credential theft | T1003.001 | Windows Security EID 4688, Sysmon EID 1 | Hunt — mimikatz.exe or known renamed variants |
| Registry modifications for persistence | Persistence | T1547.001 | Windows Security EID 4657, Sysmon EID 13 | Hunt — registry run key modifications post-KACE compromise |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Windows OS Credential Dumping with Procdump or Mimikatz | No KACE SMA-specific auth bypass rule |
| Elastic | Mimikatz Memssp Log File Detected | No KACE SMA SSO abuse detection |
| Sigma | win_proc_creation_mimikatz.yml | Need: KACE SMA SSO authentication anomaly rule based on admin audit logs |
Sources: CISA KEV April 20 · SecurityWeek · HackerNews · SOCRadar
2. Kentico Xperience Auth RCE via Path Traversal — CVE-2025-2749
TL;DR: Authenticated RCE in Kentico Xperience CMS via Staging Sync Server path traversal allows webshell upload to web-accessible directories. CISA KEV added April 20; chains with CVE-2025-2746/2747 for pre-auth RCE.
What’s New:
- CISA KEV addition April 20, federal deadline May 4
- Exploited ITW — confirmed active exploitation per CISA based on evidence
- Path traversal via ../ sequences in the Staging Sync Server path parameter → arbitrary ASPX webshell upload
- Vulnerable endpoint: /CMSPages/Staging/SyncServer.asmx
- Chains with CVE-2025-2746 (XSS) and CVE-2025-2747 for pre-authentication RCE
- Affects Kentico Xperience through 13.0.178; requires Staging Service enabled with username/password auth
- watchTowr Labs published detailed analysis including XSS-to-RCE chain (CVE-2025-2748)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST to /CMSPages/Staging/SyncServer.asmx | Exploit endpoint | T1190 | IIS access logs | Hunt — POST requests to SyncServer.asmx from external IPs |
| Path traversal ../ in Staging sync requests | Path traversal | T1083 | IIS access logs, WAF logs | Block — WAF rule for path traversal sequences in Staging API |
| ASPX files in /Modules/ or unexpected web dirs | Webshell | T1505.003 | File integrity monitoring, Sysmon EID 11 | Alert — new .aspx files outside normal deployment paths |
| w3wp.exe spawning cmd.exe/powershell.exe | Post-exploit | T1059.001 | Windows Security EID 4688, Sysmon EID 1 | Hunt — IIS worker process spawning shells |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | W3WP Spawning Shell | No Kentico Staging Sync-specific URI detection |
| Elastic | Webshell Detection: Script Process Child of Common Web Processes | Need: IIS log rule for SyncServer.asmx path traversal patterns |
| Sigma | webshell_detection_file_creation.yml | Need: Kentico-specific webshell path monitoring under CMS directories |
Sources: CISA KEV April 20 · watchTowr Labs · HackerNews · CVE Details
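Hunt helper for the two IIS-log rows above (external POSTs to SyncServer.asmx, traversal sequences in Staging requests). This is an added example, not code from the brief's sources; the log lines are constructed, the #Fields line follows the common IIS W3C default, and the internal address ranges are an assumption. It only sees what IIS logs, so a traversal carried in the SOAP body still needs WAF logs.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed trusted ranges that may legitimately call the Staging API.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
TARGET_URI = "/cmspages/staging/syncserver.asmx"
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Constructed IIS W3C sample; IIS writes spaces inside a field as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-20 10:01:02 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 10.0.4.17 Mozilla/5.0 200
2026-04-20 10:02:45 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 203.0.113.44 python-requests/2.31 200
2026-04-20 10:03:10 10.0.0.5 GET /CMSPages/Staging/SyncServer.asmx ..%2f..%2fModules%2fx.aspx 443 - 203.0.113.44 curl/8.0 500
2026-04-20 10:04:00 10.0.0.5 GET /index.aspx - 443 - 198.51.100.9 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def hunt(text):
    """Return (reason, client_ip) for each record matching a hunt row."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        # Decode twice so %252e%252e%252f (double-encoded) is also caught.
        decoded = unquote(unquote(rec["cs-uri-stem"] + " " + rec["cs-uri-query"]))
        if stem == TARGET_URI and rec["cs-method"] == "POST" and not is_internal(rec["c-ip"]):
            hits.append(("external_post_syncserver", rec["c-ip"]))
        if stem.startswith("/cmspages/staging/") and TRAVERSAL.search(decoded):
            hits.append(("traversal_in_staging_uri", rec["c-ip"]))
    return hits
```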
3. Cisco Catalyst SD-WAN Manager — Three Companion CVEs Added to CISA KEV
TL;DR: CISA added CVE-2026-20122 (file overwrite), CVE-2026-20128 (password recovery), and CVE-2026-20133 (info disclosure) to KEV on April 20, expanding the exploited attack surface around the previously covered CVE-2026-20127 auth bypass. Chain enables full SD-WAN management plane takeover.
What’s New:
- CISA KEV addition April 20 for all three; federal deadline April 23 (3-day fuse)
- CVE-2026-20122 (CVSS 7.1): Privileged API abuse → arbitrary file overwrite → vManage user privileges; requires read-only API credentials
- CVE-2026-20128 (CVSS 5.5): Passwords stored in recoverable format → local attacker escalates to Data Collection Agent (DCA) privileges
- CVE-2026-20133 (CVSS 6.5): Sensitive information exposure → remote viewing of confidential network configuration data
- Exploitation chain: CVE-2026-20133 (recon) → CVE-2026-20122 (file overwrite + privesc) → CVE-2026-20128 (credential recovery) → full SD-WAN management takeover
- Active exploitation confirmed by Cisco; supplements CVE-2026-20127 (CVSS 10.0 auth bypass covered April 5)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Unauthorized API calls to vManage REST API | API abuse | T1106 | vManage audit logs, /var/log/nms/vmanage-server.log | Hunt — API calls from unexpected sources or read-only accounts performing writes |
| Arbitrary file overwrites on vManage filesystem | File manipulation | T1565.001 | vManage syslog, file integrity monitoring | Alert — unexpected file modifications in system directories |
| DCA credential file access | Credential access | T1552.001 | vManage audit logs | Hunt — access to DCA credential stores by non-DCA processes |
| Sensitive config data exfiltration | Data collection | T1602.002 | vManage audit logs, netflow | Hunt — bulk config exports or unusual API data retrieval patterns |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need: vManage API abuse detection, file overwrite alerting, credential store access monitoring |
| Elastic | None | Need: Cisco SD-WAN Manager audit log parsing and anomaly detection |
| Sigma | None | Critical gap — no community rules for Cisco SD-WAN Manager attack chain |
Sources: CISA KEV April 20 · HackerNews · Cisco Advisory · HelpNetSecurity
Status Updates
- CVE-2026-20127 (Cisco SD-WAN): Three companion CVEs (20122/20128/20133) added to CISA KEV April 20 with April 23 deadline; full attack chain now documented. Original brief April 5.
- BlueHammer/RedSun/UnDefend (Microsoft Defender): New IOCs captured April 20 including SERIOUSLYMSFT Cloud Files provider, RedSun.exe/UnDefend.exe/FunnyApp.exe process names, CfRegisterSyncRoot API abuse. All three confirmed ITW by Huntress. Original brief April 7.
- CVE-2026-34621 (Adobe Acrobat Reader): ITW exploitation ongoing; CISA KEV deadline May 4; no new IOCs. Original brief April 13.
- CVE-2026-35616 (FortiClient EMS): Federal deadline passed April 9; exploitation ongoing since March 31; 7.4.7 full fix still pending. Original brief April 6.