What you need to know today.
CISA flags two max-severity Cisco SD-WAN flaws and a Joomla plugin bug as actively exploited, while legacy CVSS 9.8 vulnerabilities see renewed scanning.

CISA adds two Cisco SD-WAN CVEs to KEV as exploitation continues. CVE-2026-20182 (CVSS 10.0, EPSS 0.78) and CVE-2026-20127 (CVSS 10.0, EPSS 0.48) were both elevated to the Known Exploited Vulnerabilities catalog today. CVE-2026-20182 is a control-connection flaw in Cisco Catalyst SD-WAN Controller, Manager, and Validator that grants unauthenticated remote code execution; CVE-2026-20127 is a peering-authentication bypass in the same product family. As The Register reported, this marks the seventh SD-WAN zero-day exploited in 2026. BleepingComputer noted that CVE-2026-20182 has been under active attack by a persistent threat group, with CyberScoop confirming no patch was available at disclosure. CISA has ordered federal agencies to patch by Sunday. Organizations running any Cisco Catalyst SD-WAN appliance should treat both CVEs as emergency-priority items.
CISA also flags a Joomla JCE editor plugin flaw under active exploitation. CVE-2026-48907 (CVSS 10.0, EPSS 0.01) was added to KEV today, despite the low EPSS score. The vulnerability in the JCE editor extension for Joomla allows unauthenticated attackers to create new editor profiles, ultimately leading to PHP code upload and remote code execution. As BleepingComputer reported, CISA has ordered federal agencies to patch by Friday. SecurityWeek confirmed the flaw is being actively exploited in attacks alongside a separate LiteSpeed vulnerability. The Hacker News noted that while the EPSS percentile is low, the KEV listing signals confirmed in-the-wild abuse. Site administrators should immediately update the JCE editor plugin or disable it until a patch is applied.
A wave of legacy CVSS 9.8 vulnerabilities resurfaces with high EPSS scores. Several decades-old flaws are seeing renewed scanning activity, likely from automated exploit frameworks. CVE-2004-0847 (EPSS 0.76) is the Microsoft .NET forms authentication bypass for ASP.NET — the infamous "backslash" bug that lets attackers access restricted .aspx directories. CVE-2003-0466 (EPSS 0.78) is the off-by-one error in wu-ftpd's fb_realpath() function, a classic remote code execution vector. CVE-2003-0545 (EPSS 0.85) is the OpenSSL 0.9.7 double-free vulnerability in SSL client certificate handling. CVE-2002-0391 (EPSS 0.58) is the SunRPC xdr_array integer overflow affecting libc and glibc-based systems. While these are not new disclosures, their elevated EPSS scores suggest active reconnaissance or weaponization. Teams should verify that no legacy systems running unpatched versions of wu-ftpd, OpenSSL 0.9.7, or ASP.NET 1.x remain exposed.
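For the ASP.NET backslash bug (CVE-2004-0847), one way to check whether a legacy IIS host is being probed is to search its access logs for .aspx requests whose path contains a raw or percent-encoded backslash. The following is an added example, not code from any source cited here; the log lines are constructed, and the function names and the "2xx means served" triage hint are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines; addresses and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /admin/default.aspx HTTP/1.1" 302 154
203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /admin\\default.aspx HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /admin%5Cdefault.aspx HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2026:10:00:06 +0000] "GET /admin%255cdefault.aspx?id=1 HTTP/1.1" 404 0
198.51.100.4 - - [01/Jan/2026:10:00:09 +0000] "GET /search.aspx?q=a%5Cb HTTP/1.1" 200 900
198.51.100.4 - - [01/Jan/2026:10:00:10 +0000] "GET /img/logo.png HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')


def decoded_path(target, max_rounds=3):
    """Return the request path (query dropped) with nested %-encoding undone."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        once = unquote(path)
        if once == path:
            break
        path = once
    return path


def find_backslash_aspx(log_text):
    """Flag requests whose decoded path has a backslash and targets .aspx."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        path = decoded_path(target)
        if "\\" in path and path.lower().endswith(".aspx"):
            # Assumption: a 2xx here means content was served instead of the
            # forms-authentication login redirect, so review those hits first.
            hits.append({"client": client, "target": target,
                         "status": status, "served": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for hit in find_backslash_aspx(SAMPLE_LOG):
        print(hit)
```

A backslash in the query string alone (the `/search.aspx?q=a%5Cb` line) is not flagged, because only the path takes part in the authorization decision.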
Additional high-severity legacy CVEs show elevated EPSS activity. CVE-2003-0899 (EPSS 0.22) is a buffer overflow in thttpd 2.21–2.23b1's defang function in libhttpd.c, triggered by '<' or '>' characters in requests. CVE-2002-1484 (EPSS 0.14) allows the DB4Web server to be used as an open proxy for TCP port scanning when verbose debug messages are enabled. CVE-2002-0083 (EPSS 0.15) is an off-by-one error in OpenSSH 2.0–3.0.2's channel code that can be exploited by malicious servers against connecting clients. CVE-2001-0609 (EPSS 0.18) is a format-string vulnerability in Infodrom cfingerd 1.4.3 via malformed ident replies passed to syslog. CVE-2000-0944 (EPSS 0.11) allows unauthenticated password changes in CGI Script Center News Update 1.1. CVE-1999-0006 (EPSS 0.12) is the classic qpopper buffer overflow via a long PASS command. These are all well-known vulnerabilities with public exploit code; their reappearance in EPSS data suggests ongoing scanning campaigns targeting Internet-facing legacy services.
Several PHP remote file inclusion and open-proxy flaws remain in circulation. CVE-2004-0285 (EPSS 0.08) affects AllMyVisitors, AllMyLinks, and AllMyGuests, allowing arbitrary PHP code execution via the _AMVconfig[cfg_serverpath] parameter. CVE-2004-2061 (EPSS 0.06) turns RiSearch 1.0.01 and Pro 3.2.06's show.pl script into an open proxy or local file reader. CVE-2004-0030 (EPSS 0.07) is a PHP remote file inclusion in PHPGEDVIEW 2.61 via the PGV_BASE_DIRECTORY parameter. CVE-2002-1816 (EPSS 0.09) is an off-by-one buffer overflow in ATPhttpd 0.4b via a long HTTP GET request. CVE-2001-0766 (EPSS 0.08) allows Apache on Mac OS X 10.0.3 with HFS+ to bypass access restrictions via case-mangled URLs. While these EPSS scores are lower, they represent classes of vulnerabilities (RFI, open proxy) that are frequently incorporated into botnet and spam infrastructure. Any remaining installations of these aging PHP applications should be decommissioned or isolated.
Two more legacy flaws round out the day's signal, one of them kernel-level. CVE-1999-0426 (EPSS 0.11) involves default permissions of /dev/kmem in Linux kernels before 2.0.36, enabling IP spoofing — a relic of early Linux security models. CVE-2000-0944 (EPSS 0.11) is the CGI Script Center News Update password-change bypass noted above. Neither represents a current threat to modern patched systems, but their inclusion in today's bundle underscores how exploit-database scanning continues to probe for ancient misconfigurations. Teams running any Linux 2.0.x-era systems or unmaintained CGI applications should treat these scores as indicators of active reconnaissance.