The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added four new security flaws to its catalog of Known Exploited Vulnerabilities (KEV). This designation signifies that the agency has observed active exploitation of these weaknesses in real-world cyberattacks. The inclusion of these vulnerabilities in the KEV catalog mandates that federal civilian executive branch agencies must implement necessary patches by a specified deadline to safeguard their systems.
The latest additions to CISA’s KEV catalog include a high-severity remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS), an authentication bypass in the Versa Concerto SD-WAN orchestration platform, an improper access control flaw in Vite Vitejs, and a concerning embedded malicious code vulnerability within the eslint-config-prettier npm package. The identification and public disclosure of these exploitable vulnerabilities underscore the continually evolving threat landscape faced by organizations globally.
CISA Adds Four Exploited Vulnerabilities to KEV Catalog
In its ongoing efforts to bolster national cybersecurity, CISA has directed federal agencies to remediate four newly identified, actively exploited vulnerabilities by February 12, 2026. This directive, issued under Binding Operational Directive (BOD) 22-01, requires remediation to protect networks from immediate threats. The vulnerabilities span a range of software and platforms, highlighting the diverse attack vectors that threat actors are leveraging.
The inclusion of CVE-2025-68645, a PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS), is particularly noteworthy. This flaw, with a CVSS score of 8.8, could permit an unauthenticated remote attacker to include arbitrary files from the WebRoot directory by crafting specific requests to the “/h/rest” endpoint. While a fix was released in November 2025 with version 10.1.13, ongoing exploitation efforts have been observed since January 14, 2026, according to CrowdSec. This persistence of exploitation raises concerns for organizations that have not yet applied the patch.
Another significant addition is CVE-2025-34026, a critical authentication bypass vulnerability in the Versa Concerto SD-WAN orchestration platform. Assigned a CVSS score of 9.2, this weakness could grant an attacker unauthorized access to administrative endpoints. The vulnerability was addressed in April 2025 with the release of version 12.2.1 GA. The high severity and potential for administrative takeover make this a priority for organizations utilizing this platform.
Furthermore, CVE-2025-31125, an improper access control vulnerability in Vite Vitejs, has been added to the KEV catalog. With a CVSS score of 5.3, this vulnerability could allow for the disclosure of arbitrary file contents to a browser through specific query parameters, namely “?inline&import” or “?raw?import”. Patches for this issue were made available in March 2025 across several versions, including 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
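As an added example (not part of the article, and not tooling from CISA or any vendor named here), the following Python snippet turns the fixed versions the article lists for the Zimbra, Versa Concerto and Vite entries into a patch-status check an administrator can run against an inventory. Vite's fixes were shipped per release branch, so an installed version is compared against the fix on its own major.minor branch; the branch rule, the "at-risk" label for older branches with no fix named, and the inventory values in the usage section are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed versions exactly as the article names them, keyed by CVE.
FIXED_VERSIONS: Dict[str, Tuple[str, List[str]]] = {
    "CVE-2025-68645": ("Zimbra Collaboration Suite", ["10.1.13"]),
    "CVE-2025-34026": ("Versa Concerto", ["12.2.1"]),
    "CVE-2025-31125": ("Vite", ["6.2.4", "6.1.3", "6.0.13", "5.4.16", "4.5.11"]),
}


def parse_version(text: str) -> Version:
    """Parse '12.2.1 GA' or 'v6.2.4' into a comparable tuple of ints.

    Trailing labels such as ' GA' or '-beta.1' are ignored on purpose: only the
    numeric dotted part decides ordering here (an assumption of this example).
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def patch_status(cve: str, installed: str) -> str:
    """Return 'patched', 'unpatched' or 'at-risk' for an installed version.

    - same major.minor branch as a listed fix: compare against that fix;
    - newer than every listed fix: treat as patched (later release line);
    - older branch with no fix listed: 'at-risk', i.e. treat as unpatched until
      the vendor confirms a fix for that branch.
    """
    _product, fixes = FIXED_VERSIONS[cve]
    inst = parse_version(installed)
    fixed = sorted(parse_version(f) for f in fixes)
    same_branch = [f for f in fixed if f[:2] == inst[:2]]
    if same_branch:
        return "patched" if inst >= same_branch[0] else "unpatched"
    if inst > fixed[-1]:
        return "patched"
    return "at-risk"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each CVE in the inventory ({cve: installed version}) to its status."""
    return {cve: patch_status(cve, version) for cve, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory values; replace with what is actually deployed.
    sample_inventory = {
        "CVE-2025-68645": "10.1.12",
        "CVE-2025-34026": "12.2.1 GA",
        "CVE-2025-31125": "5.3.2",
    }
    for cve, status in audit(sample_inventory).items():
        product = FIXED_VERSIONS[cve][0]
        print(f"{cve} ({product}): {sample_inventory[cve]} -> {status}")
```

Anything reported as "unpatched" or "at-risk" should be treated as still exposed for the purposes of the February 12, 2026 deadline; "at-risk" simply means the article names no fix for that branch, not that one does not exist.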
Supply Chain Attack: CVE-2025-54313 in eslint-config-prettier
The fourth vulnerability, CVE-2025-54313, presents a more intricate scenario due to its nature as an embedded malicious code flaw within the eslint-config-prettier npm package. This vulnerability, rated at a CVSS score of 7.5, could facilitate the execution of a malicious DLL known as Scavenger Loader, which is designed to pilfer information. This specific vulnerability is part of a broader supply chain attack that came to light in July 2025.
The supply chain attack targeted multiple npm packages beyond eslint-config-prettier, including eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is. Threat actors reportedly employed phishing tactics, sending malicious links to package maintainers under the guise of email address verification for account maintenance. Successful credential harvesting allowed them to publish trojanized versions of these legitimate packages, injecting malicious code into the software development ecosystem.
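The practical first step after a trojanized-package campaign like this one is to find out whether any of the named packages are resolved anywhere in a project's dependency tree, including transitively. The Python script below is an added example (not part of the article, nor tooling from npm or the package maintainers) that reads a `package-lock.json`, collects every resolved version of the packages the article lists, and flags those that match a caller-supplied set of known-bad versions. The article does not list the trojanized version numbers, so the known-bad set is left for the reader to fill from the relevant advisory; the lockfile embedded below and its `-sample` version strings are constructed for the demonstration.

```python
import json
from typing import Dict, List, Set

# Package names the article reports as trojanized in the July 2025 campaign.
WATCHED_PACKAGES: Set[str] = {
    "eslint-config-prettier",
    "eslint-plugin-prettier",
    "synckit",
    "@pkgr/core",
    "napi-postinstall",
    "got-fetch",
    "is",
}


def installed_packages(lockfile: dict) -> Dict[str, Set[str]]:
    """Collect package name -> set of resolved versions from a parsed lockfile.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    lockfileVersion 1 (nested "dependencies" tree). A package nested under
    another package is still reported, which is what matters for transitive
    dependencies such as "is" pulled in by something else.
    """
    found: Dict[str, Set[str]] = {}

    for path, meta in lockfile.get("packages", {}).items():
        # "" is the project itself; workspace links carry no node_modules path.
        if "node_modules/" not in path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, set()).add(meta.get("version", "?"))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            found.setdefault(name, set()).add(meta.get("version", "?"))
            walk(meta.get("dependencies", {}))

    walk(lockfile.get("dependencies", {}))
    return found


def find_watched(lockfile: dict, known_bad: Dict[str, Set[str]] = None) -> List[dict]:
    """Report every resolved version of a watched package.

    known_bad maps package name -> versions published by the attackers; populate
    it from the advisory for this campaign (the article gives no version numbers,
    so it defaults to empty and every finding is reported as known_bad=False).
    """
    known_bad = known_bad or {}
    findings = []
    for name, versions in installed_packages(lockfile).items():
        if name not in WATCHED_PACKAGES:
            continue
        for version in sorted(versions):
            findings.append({
                "package": name,
                "version": version,
                "known_bad": version in known_bad.get(name, set()),
            })
    return sorted(findings, key=lambda f: (f["package"], f["version"]))


# Constructed lockfile (lockfileVersion 3 layout); versions ending in "-sample"
# are placeholders, not real releases of these packages.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/eslint-config-prettier": {"version": "0.0.1-sample"},
    "node_modules/@pkgr/core": {"version": "0.0.2-sample"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/eslint-config-prettier/node_modules/is": {"version": "0.0.3-sample"}
  }
}
""")


if __name__ == "__main__":
    for finding in find_watched(SAMPLE_LOCKFILE):
        flag = "KNOWN BAD" if finding["known_bad"] else "review against advisory"
        print(f'{finding["package"]}@{finding["version"]}: {flag}')
```

Run it against a real project by loading its `package-lock.json` with `json.load` and passing the advisory's version list as `known_bad`; a watched package that appears at a version not in that list still deserves a look at its `resolved` and `integrity` fields, because the lockfile pins what was actually fetched.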
While exploitation details for CVE-2025-68645 have been publicly documented, information regarding the active exploitation of CVE-2025-34026, CVE-2025-31125, and CVE-2025-54313 in the wild remains limited. The lack of detailed exploitation data for these specific flaws does not diminish their potential impact, especially considering their inclusion on CISA’s KEV list.
The upcoming deadline of February 12, 2026, for FCEB agencies to address these vulnerabilities is crucial. Organizations utilizing any of the affected software are strongly advised to verify their patch status and implement the necessary security updates promptly. Monitoring for further information regarding the exploitation of these vulnerabilities will be essential for ongoing risk management and threat mitigation efforts.