The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list includes flaws in Synacor Zimbra, Versa Concerto, Vite, and a supply chain attack targeting npm packages, with federal agencies required to patch by February 12, 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This update, announced on January 23, 2026, underscores the persistent threat landscape facing enterprise software and development tools, with attackers actively leveraging these weaknesses in real-world attacks.
The four vulnerabilities added to the catalog are:
- CVE-2025-68645 (CVSS 8.8) - A remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS). This flaw allows a remote attacker to craft requests to the /h/rest endpoint to include arbitrary files from the WebRoot directory without authentication. According to CrowdSec, exploitation efforts targeting this vulnerability have been ongoing since January 14, 2026. The issue was fixed in November 2025 with ZCS version 10.1.13.
- CVE-2025-34026 (CVSS 9.2) - An authentication bypass in the Versa Concerto SD-WAN orchestration platform. This vulnerability could allow an attacker to access administrative endpoints, potentially giving them control over network infrastructure. The fix was released in April 2025 with version 12.2.1 GA.
- CVE-2025-31125 (CVSS 5.3) - An improper access control vulnerability in Vite (Vite.js), a popular build tool. This flaw could allow the contents of arbitrary files to be returned to the browser using query parameters like ?inline&import or ?raw?import. The vulnerability was patched in March 2025 across multiple versions: 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
- CVE-2025-54313 (CVSS 7.5) - An embedded malicious code vulnerability in eslint-config-prettier, part of a broader supply chain attack. This vulnerability could allow for the execution of a malicious DLL dubbed "Scavenger Loader," designed to deliver an information stealer. This attack targeted multiple npm packages, including eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is, and came to light in July 2025.
The Supply Chain Attack Behind CVE-2025-54313
The supply chain attack targeting eslint-config-prettier and related packages represents a sophisticated campaign that exploited the trust inherent in open-source ecosystems. Threat actors conducted a phishing campaign targeting package maintainers, using bogus links that harvested their credentials under the pretext of verifying email addresses as part of regular account maintenance. Once credentials were compromised, attackers published trojanized versions of these packages.
This type of attack highlights a critical vulnerability in the software supply chain: the human element. Package maintainers, often volunteers managing multiple projects, can be targeted through social engineering. The attack's success demonstrates how attackers can leverage small, trusted dependencies to compromise downstream applications.
The malicious DLL, "Scavenger Loader," is specifically designed to deliver an information stealer. This suggests the attackers were targeting developers and organizations using these packages, potentially seeking to steal sensitive credentials, API keys, or other valuable data from development environments.
Practical Implications and Mitigation Strategies
For organizations using any of the affected software, immediate action is required. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply necessary fixes by February 12, 2026. However, the directive's principles apply broadly to all organizations:
For Zimbra Users (CVE-2025-68645)
- Upgrade to ZCS version 10.1.13 or later immediately
- Review server logs for suspicious requests to the /h/rest endpoint
- Implement network segmentation to limit exposure of Zimbra servers
- Consider deploying a web application firewall (WAF) with rules to detect file inclusion attempts
For Versa Concerto Users (CVE-2025-34026)
- Upgrade to version 12.2.1 GA or later
- Audit administrative access logs for unusual activity
- Implement multi-factor authentication (MFA) for all administrative accounts
- Review network access controls for SD-WAN orchestration platforms
For Vite Users (CVE-2025-31125)
- Update to patched versions: 6.2.4, 6.1.3, 6.0.13, 5.4.16, or 4.5.11
- Review build configurations to ensure proper file access controls
- Consider implementing additional security headers in development environments
- Audit projects for any custom Vite plugins that might expose file access
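The Zimbra and Vite lists above both ask defenders to review access logs for specific request patterns. The following Node.js script is an added example written for this article, not code from the article, Zimbra or Vite: it parses combined-format access-log lines and flags requests to the /h/rest endpoint (CVE-2025-68645) and requests carrying the ?inline&import or ?raw?import query markers (CVE-2025-31125). The endpoint and query markers are taken from the article; the log lines, IP addresses, paths and timestamps are constructed for illustration.

```javascript
// Added example (not code from the article or from Zimbra/Vite): a small
// access-log scanner for the two request patterns the mitigation lists above
// tell defenders to review. The endpoint (/h/rest) and the query markers
// (?inline&import, ?raw?import) come from the article; the log lines, IPs,
// paths and timestamps below are constructed for illustration.

// Apache/nginx "combined" log format: ip ident user [time] "method url proto" status bytes ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)/;

// Parse one access-log line; returns null for lines that do not match the format.
function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, ip, time, method, url, , status, bytes] = m;
  const q = url.indexOf('?');
  return {
    ip,
    time,
    method,
    url,
    path: q === -1 ? url : url.slice(0, q),
    query: q === -1 ? '' : url.slice(q + 1),
    status: Number(status),
    bytes,
  };
}

// Detection rules: each one names the advisory it relates to and a predicate
// over a parsed request.
const RULES = [
  {
    // CVE-2025-68645: crafted requests to the Zimbra /h/rest endpoint. Every hit
    // on that endpoint is worth a look, whatever the response code.
    label: 'zimbra-h-rest',
    matches: (r) => r.path === '/h/rest' || r.path.startsWith('/h/rest/'),
  },
  {
    // CVE-2025-31125: requests to a Vite dev server carrying the ?inline&import
    // or ?raw?import query markers named in the article.
    label: 'vite-inline-raw-import',
    matches: (r) => r.query.includes('inline&import') || r.query.includes('raw?import'),
  },
];

// Run every rule over every parseable line and collect the matches.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    for (const rule of RULES) {
      if (rule.matches(req)) {
        findings.push({ rule: rule.label, ip: req.ip, time: req.time, status: req.status, url: req.url });
      }
    }
  }
  return findings;
}

// Aggregate findings per client address so repeated probing stands out.
function countByClient(findings) {
  const counts = {};
  for (const f of findings) counts[f.ip] = (counts[f.ip] || 0) + 1;
  return counts;
}

// Constructed sample log: two probes of /h/rest from one address, two Vite
// query-marker requests from another, and benign traffic that must not match.
const SAMPLE_LOG = [
  '203.0.113.10 - - [14/Jan/2026:08:01:22 +0000] "GET /h/rest?constructed=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
  '203.0.113.10 - - [14/Jan/2026:08:01:23 +0000] "GET /h/rest/constructed HTTP/1.1" 404 0 "-" "curl/8.5.0"',
  '198.51.100.7 - - [14/Jan/2026:08:02:10 +0000] "GET /src/main.ts?inline&import HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [14/Jan/2026:08:02:11 +0000] "GET /src/config.ts?raw?import HTTP/1.1" 200 377 "-" "Mozilla/5.0"',
  '192.0.2.44 - alice [14/Jan/2026:08:03:00 +0000] "GET /h/restored HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
  '192.0.2.44 - alice [14/Jan/2026:08:03:05 +0000] "POST /service/soap HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  'this line is not in combined log format and is skipped',
];

const sampleFindings = scanAccessLog(SAMPLE_LOG);
for (const f of sampleFindings) console.log(`${f.rule}\t${f.ip}\t${f.status}\t${f.url}`);
console.log('hits per client:', countByClient(sampleFindings));
```

Run it with `node scan-log.js` after replacing SAMPLE_LOG with lines read from the real access log. The Zimbra rule deliberately matches on the endpoint alone rather than on any payload shape, since a 404 or 401 response to /h/rest from an unfamiliar client is still useful reconnaissance evidence; the per-client count is what turns isolated hits into a pattern worth escalating.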
For npm Package Users (CVE-2025-54313)
- Immediately audit and update all affected packages
- Review package-lock.json or yarn.lock files for compromised versions
- Consider implementing automated dependency scanning tools
- Review development environments for signs of compromise
- Implement code signing verification for critical dependencies
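The second item in the list above, reviewing lockfiles for compromised versions, can be scripted. The following Node.js script is an added example written for this article, not code from the article or from npm: it flattens a parsed package-lock.json (both the lockfileVersion 2/3 "packages" map and the older nested "dependencies" layout), reports every install of the package names the article ties to the campaign, and marks those whose version is on a compromised list. The article does not give the trojanized version numbers, so COMPROMISED_VERSIONS holds labelled placeholders that must be replaced with the versions from the npm or GitHub advisories; the sample lockfiles are constructed. A yarn.lock parser is not included.

```javascript
// Added example (not code from the article or from npm): audit a
// package-lock.json for the package names the article ties to the
// CVE-2025-54313 campaign. The article does not list the trojanized version
// numbers, so COMPROMISED_VERSIONS holds labelled placeholders; replace them
// with the versions from the npm/GitHub advisories before relying on the
// result. The lockfiles at the bottom are constructed for illustration.

// Package names from the article.
const AFFECTED_PACKAGES = [
  'eslint-config-prettier', 'eslint-plugin-prettier', 'synckit',
  '@pkgr/core', 'napi-postinstall', 'got-fetch', 'is',
];

// PLACEHOLDER values: the real compromised versions are not in the article.
const COMPROMISED_VERSIONS = Object.fromEntries(
  AFFECTED_PACKAGES.map((name) => [name, ['0.0.0-placeholder-compromised']]),
);

// Flatten a parsed package-lock.json into {name, version, path} records.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
// lockfileVersion 1 nests "dependencies" objects instead.
function installedPackages(lock) {
  const out = [];
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '' || !entry.version) continue; // '' is the root project
      const name = key.slice(key.lastIndexOf(marker) + marker.length);
      out.push({ name, version: entry.version, path: key });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        out.push({ name, version: entry.version, path });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return out;
}

// Returns every install of an affected package (worth reviewing regardless of
// version) and the subset whose version is on the compromised list.
function auditLockfile(lock, compromised = COMPROMISED_VERSIONS) {
  const present = [];
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    if (!AFFECTED_PACKAGES.includes(pkg.name)) continue;
    present.push(pkg);
    if ((compromised[pkg.name] || []).includes(pkg.version)) hits.push(pkg);
  }
  return { present, hits };
}

// Convenience wrapper for a lockfile on disk (not exercised by the sample run).
function auditLockfileAt(file) {
  const fs = require('fs');
  return auditLockfile(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed lockfileVersion 3 sample: one top-level hit, one nested hit, one
// affected package at a non-listed version, one unrelated package.
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '0.0.0-placeholder-compromised', dev: true },
    'node_modules/eslint-plugin-prettier': { version: '0.0.0-constructed-clean', dev: true },
    'node_modules/eslint-plugin-prettier/node_modules/synckit': { version: '0.0.0-placeholder-compromised', dev: true },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Constructed lockfileVersion 1 sample with the nested layout.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'got-fetch': {
      version: '0.0.0-placeholder-compromised',
      dependencies: { is: { version: '0.0.0-constructed-clean' } },
    },
  },
};

for (const [label, lock] of [['v3', SAMPLE_LOCK_V3], ['v1', SAMPLE_LOCK_V1]]) {
  const { present, hits } = auditLockfile(lock);
  console.log(`${label}: ${present.length} affected package(s) installed, ${hits.length} at a compromised version`);
  for (const h of hits) console.log(`  COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

The scan walks the full install tree rather than only direct dependencies because the nested copy (a package hoisted under another package's own node_modules) is exactly where a compromised transitive dependency such as synckit or @pkgr/core would sit. Reporting "present" separately from "hits" matters in practice: a clean version on the day of the audit still warrants checking the install date against the advisory window and reviewing the developer's environment, as the list above recommends.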
Broader Lessons for Software Security
This KEV catalog update illustrates several critical trends in modern cybersecurity:
Supply Chain Vulnerabilities Are Increasing: The attack on npm packages demonstrates how attackers are shifting focus from direct application attacks to compromising the tools and dependencies developers trust.
Development Tools Are High-Value Targets: Vulnerabilities in build tools like Vite or development dependencies like ESLint configurations can affect thousands of applications simultaneously.
Active Exploitation Drives Prioritization: CISA's KEV catalog focuses on vulnerabilities with confirmed exploitation, helping organizations prioritize patching efforts effectively.
Timely Patching Remains Critical: While the vulnerabilities vary in severity, all have patches available. Organizations that delay updates remain exposed to known threats.
Moving Forward: Building Resilient Development Practices
Organizations should consider these practices to mitigate similar risks:
- Implement Dependency Scanning: Use tools like Snyk, Dependabot, or npm audit to continuously monitor for vulnerable dependencies
- Establish Patch Management Processes: Create clear procedures for testing and deploying security updates, especially for development tools
- Conduct Regular Security Audits: Review both production and development environments for signs of compromise
- Educate Developers: Train development teams on secure coding practices and supply chain risks
- Implement Zero-Trust Principles: Apply the principle of least privilege across development and production environments
The addition of these four vulnerabilities to CISA's KEV catalog serves as a reminder that security is an ongoing process. While patches are available, organizations must actively monitor, test, and deploy updates to protect against active threats. The supply chain attack targeting npm packages particularly highlights the need for comprehensive security practices that extend beyond traditional perimeter defenses to include the tools and dependencies that modern software development relies upon.
For organizations seeking to stay informed about emerging threats, CISA's KEV catalog provides a valuable resource for prioritizing vulnerability management efforts. Regular review of this catalog, combined with robust patch management processes, forms a critical component of any comprehensive cybersecurity strategy.
