The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added 4 safety flaws to its Identified Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation within the wild.
The record of vulnerabilities is as follows –
- CVE-2025-68645 (CVSS rating: 8.8) – A PHP distant file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that would enable a distant attacker to craft requests to the “/h/relaxation” endpoint and permit inclusion of arbitrary recordsdata from the WebRoot listing with none authentication (Fastened in November 2025 with model 10.1.13)
- CVE-2025-34026 (CVSS rating: 9.2) – An authentication bypass within the Versa Concerto SD-WAN orchestration platform that would enable an attacker to entry administrative endpoints (Fastened in April 2025 with model 12.2.1 GA)
- CVE-2025-31125 (CVSS rating: 5.3) – An improper entry management vulnerability in Vite Vitejs that would enable contents of arbitrary recordsdata to be returned to the browser utilizing ?inline&import or ?uncooked?import (Fastened in March 2025 with variations 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11)
- CVE-2025-54313 (CVSS rating: 7.5) – An embedded malicious code vulnerability in eslint-config-prettier that would enable for execution of a malicious DLL dubbed Scavenger Loader that is designed to ship an info stealer
It is price noting that CVE-2025-54313 refers to a provide chain assault concentrating on eslint-config-prettier and 6 different npm packages, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is, that got here to gentle in July 2025.
The phishing marketing campaign focused the package deal maintainers with bogus hyperlinks that harvested their credentials underneath the pretext of verifying their electronic mail tackle as a part of common account upkeep, permitting the menace actors to publish trojanized variations.
In response to CrowdSec, exploitation efforts concentrating on CVE-2025-68645 have been ongoing since January 14, 2026. There are presently no particulars on how the opposite vulnerabilities are being exploited within the wild.
Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Government Department (FCEB) companies are required to use the required fixes by February 12, 2026, to safe their networks towards energetic threats.
