The Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming exploitation in the wild. The affected products are the Versa Concerto SD-WAN orchestrator, Zimbra Collaboration Suite, the Vite frontend tooling framework, and the eslint-config-prettier npm package (the ESLint configuration for the Prettier code formatter), which was hijacked in a supply-chain attack. Federal agencies have until February 12, 2026, to patch or mitigate these issues.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert, adding four enterprise software vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This designation is a clear signal that the agency possesses evidence that threat actors are actively leveraging these flaws in real-world attacks. The affected products span a range of enterprise tools, from network orchestration platforms and collaboration suites to popular developer tooling, highlighting the broad attack surface faced by modern organizations.

The Four Actively Exploited Flaws
The vulnerabilities now on CISA's KEV list are:
CVE-2025-31125 (Vite): A high-severity improper access control issue in the Vite frontend tooling framework. The flaw, disclosed in March 2025, lets a remote client read files that the dev server's file-system restrictions (server.fs.deny) are meant to withhold, but only when the development server has been explicitly exposed to the network, for example by starting it with --host or by setting the server.host option. Production builds served from a web server are not affected. Patches are available in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. Developers and organizations running Vite dev servers that are reachable from other hosts should update immediately, and should treat any .env or credential file under the project root as potentially read.
CVE-2025-34026 (Versa Concerto): A critical-severity authentication bypass in the Versa Concerto SD-WAN orchestration platform. This vulnerability stems from a misconfiguration in the Traefik reverse proxy, which allows attackers to access administrative endpoints, including the internal Actuator endpoint. This exposure can leak sensitive information such as heap dumps and trace logs. The flaw affects Concerto versions 12.1.2 through 12.2.0. Researchers from cybersecurity firm ProjectDiscovery reported the issue to Versa on February 13, 2025, and the company confirmed a fix was deployed on March 7, 2025.
CVE-2025-54313 (eslint-config-prettier): A high-severity supply-chain compromise affecting the popular eslint-config-prettier npm package. In July 2025, attackers hijacked several JavaScript libraries, including this one, and published malicious versions to the npm registry. Installing an affected version (8.10.1, 9.1.1, 10.1.6, or 10.1.7) runs a malicious install.js script through the package's npm install lifecycle hook. On Windows systems the script launches a node-gyp.dll payload designed to steal npm authentication tokens, potentially giving attackers access to private packages and other sensitive developer resources. Because the payload runs at install time, any developer workstation or CI runner that installed one of these versions should be treated as compromised and its npm tokens rotated.

CVE-2025-68645 (Zimbra Collaboration Suite): A local file inclusion vulnerability in the Webmail Classic UI of Zimbra versions 10.0 and 10.1. The bug is caused by improper handling of user-supplied parameters in the RestFilter servlet. An unauthenticated attacker can exploit the /h/rest endpoint to include arbitrary files from the WebRoot directory, potentially leading to information disclosure or further compromise.
Why This Matters: The Broader Attack Surface
This batch of KEV additions underscores a critical trend in modern cybersecurity: attacks are not limited to traditional network appliances or operating systems. They increasingly target the tools and platforms that form the backbone of software development and enterprise collaboration.
The inclusion of a compromised npm package is particularly significant. Supply-chain attacks like this one demonstrate how adversaries can infiltrate the development pipeline itself, compromising the tools developers trust. A single malicious package can spread across countless projects, making it a potent vector for widespread credential theft and further exploitation.
Similarly, vulnerabilities in developer tools like Vite and enterprise collaboration platforms like Zimbra show that any internet-facing service, even those used internally or for development, can become a foothold for attackers. The Versa Concerto flaw highlights the risks associated with misconfigured reverse proxies, a common architectural component in modern microservices and cloud deployments.
Practical Advice for Organizations
CISA's directive (BOD 22-01) requires all federal agencies to apply available security updates or vendor-suggested mitigations by February 12, 2026, or cease using the affected products. While this mandate is for federal entities, the guidance is universally applicable for any organization using these technologies.
Immediate Actions:
- Inventory and Assess: Determine if your organization uses Vite (especially dev servers exposed to the network), Versa Concerto, Zimbra, or any of the affected versions of the npm package (eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, or 10.1.7).
- Patch Immediately: Apply the latest security patches. For Vite, update to a patched version (6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11). For Versa Concerto and Zimbra, consult vendor advisories for specific patched versions. For the npm package, update to a non-affected version (e.g., 10.1.8 or later).
- Audit Dependencies: For the eslint-config-prettier supply-chain issue, run a full audit of your project dependencies using npm audit or similar tools. Check your package-lock.json or yarn.lock files for any of the compromised versions and update them; note that a lockfile pins what was installed, so a CI runner that resolved one of those versions in July 2025 has already executed the payload and its credentials need rotating, not just a lockfile update. Pin dependency versions and install from the lockfile (npm ci) to prevent unexpected updates, and run installs with --ignore-scripts where your dependencies do not legitimately need lifecycle hooks, since that is the hook this payload used.
- Review Network Exposure: For Vite and other development tools, ensure that development servers are not directly exposed to the internet. Use VPNs, private networks, or secure tunnels for remote development access.
- Harden Reverse Proxies: For systems using reverse proxies like Traefik, review configurations to ensure administrative endpoints and internal services (like Actuator endpoints) are not inadvertently exposed to untrusted networks.
Vendor Responses and Resources
- Vite: The official Vite documentation and GitHub repository provide release notes and guidance on updating. Ensure your development workflow includes regular updates for all tooling.
- Versa: Versa Networks confirmed the fix for CVE-2025-34026 was deployed in March 2025. Customers should verify their Concerto version and apply updates through the official vendor portal.
- Prettier/ESLint: The eslint-config-prettier package on npm should be updated to the latest secure version. The GitHub repository may contain additional security advisories.
- Zimbra: Zimbra Collaboration Suite users should consult the Zimbra Security Center for patch information and mitigation steps for CVE-2025-68645.
Conclusion
CISA's latest KEV catalog update serves as a stark reminder that vulnerability management must be comprehensive, extending beyond core infrastructure to include development tools, third-party libraries, and enterprise applications. The active exploitation of these flaws means the window for remediation is already closing. Organizations must act swiftly to identify affected systems, apply patches, and review their security posture to mitigate the risks posed by these specific vulnerabilities and the broader attack patterns they represent.
