The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog by adding four software security flaws that are confirmed to be actively exploited in real-world attacks.
CISA stated that these additions are based on verified evidence of exploitation, highlighting an increased risk to both public and private sector organizations if the vulnerabilities remain unpatched.
Details of the Added Vulnerabilities
The newly added vulnerabilities span email platforms, SD-WAN infrastructure, development tools, and the open-source software supply chain.
One of the listed flaws, CVE-2025-68645 with a CVSS score of 8.8, affects the Synacor Zimbra Collaboration Suite. The issue is a PHP remote file inclusion vulnerability that allows unauthenticated attackers to send crafted requests to the /h/rest endpoint and include arbitrary files from the WebRoot directory. This flaw was addressed in November 2025 with the release of version 10.1.13.
Another high-severity issue, CVE-2025-34026 with a CVSS score of 9.2, impacts the Versa Concerto SD-WAN orchestration platform. The vulnerability allows authentication bypass, enabling attackers to access administrative endpoints. Versa fixed the issue in April 2025 with version 12.2.1 GA.
CISA also included CVE-2025-31125, an improper access control vulnerability in Vite Vitejs, rated with a CVSS score of 5.3. This flaw allows attackers to retrieve arbitrary file contents through specially crafted parameters such as ?inline&import or ?raw?import. The issue was resolved in March 2025 across multiple maintained versions.
The fourth vulnerability, CVE-2025-54313, carries a CVSS score of 7.5 and involves embedded malicious code within the npm package eslint-config-prettier. Successful exploitation can lead to execution of a malicious DLL known as Scavenger Loader, which is designed to deploy an information stealer.
Supply Chain Attack Context
CVE-2025-54313 is linked to a broader supply chain attack disclosed in July 2025. In addition to eslint-config-prettier, six other npm packages were compromised, including eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is.
Investigations revealed that the attackers targeted package maintainers through phishing emails containing fraudulent verification links. These links harvested maintainer credentials under the guise of routine account validation, allowing the attackers to publish trojanized package updates.
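A first triage step for the npm compromise described above is to inventory which of the seven named packages are present in a project's lockfile, so their installed versions can be compared against the published advisory. The script below is an added example, not code from the article, CISA, or the npm maintainers; it reads only the package names from the text, and since the affected version ranges are not given here it reports every installed version rather than judging them. The sample lockfile is constructed.

```python
import json

# Package names taken from the advisory text. Affected version ranges are not
# listed on the page, so every installed version is reported for manual review.
WATCHED_PACKAGES = {
    "eslint-config-prettier", "eslint-plugin-prettier", "synckit",
    "@pkgr/core", "napi-postinstall", "got-fetch", "is",
}

def _walk_v1(deps, prefix, found):
    # lockfileVersion 1: dependencies are nested objects
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        if name in WATCHED_PACKAGES:
            found.append((name, meta.get("version", "?"), path))
        _walk_v1(meta.get("dependencies"), path + "/", found)

def find_watched(lock):
    """Return sorted (name, version, install path) for each watched package in a lockfile dict."""
    found = []
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project entry, not a dependency
            # Scoped names such as @pkgr/core keep their scope after the last node_modules/
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name in WATCHED_PACKAGES:
                found.append((name, meta.get("version", "?"), path))
    else:
        _walk_v1(lock.get("dependencies"), "", found)
    return sorted(found)

# Constructed sample lockfile (lockfileVersion 3); versions are placeholders.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/eslint-config-prettier": {"version": "0.0.0-constructed"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/is": {"version": "0.0.0-constructed"},
    "node_modules/foo/node_modules/synckit": {"version": "0.0.0-constructed"}
  }
}""")

if __name__ == "__main__":
    for name, version, path in find_watched(SAMPLE_LOCK):
        print(f"{name}@{version} at {path}: compare with the advisory's affected versions")
```

Run it against a real project with `find_watched(json.load(open("package-lock.json")))`; nested installs under other packages are reported too, since a transitive copy is just as exposed.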
Active Exploitation and Required Actions
Security firm CrowdSec reported that exploitation attempts targeting CVE-2025-68645 have been observed since January 14, 2026. At this time, technical details regarding the exploitation of the remaining vulnerabilities have not been publicly disclosed.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by February 12, 2026. CISA emphasized that timely patching is critical to protecting government networks from ongoing active threats.