The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of them being exploited in the wild.
Here is the list of vulnerabilities:
CVE-2025-68645 (CVSS score: 8.8) – PHP remote file include vulnerability in Synacor Zimbra Collaboration Suite (ZCS) could allow remote attackers to craft requests to the “/h/rest” endpoint and include arbitrary files from the WebRoot directory without authentication, in version 10.1.13 2025-11 (fixed in April 2025) CVE-2025-34026 (CVSS Score: 9.2) – Authentication bypass in VersaConcerto SD-WAN Orchestration Platform could allow an attacker to access management endpoints (fixed in April 2025 in version 12.2.1 GA) CVE-2025-31125 (CVSS Score: 5.3) – Vite Vitejs Improper Access Control Vulnerability. Allow content of arbitrary files to be returned to the browser using ?inline&import or ?raw?import (fixed in March 2025 in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11) CVE-2025-54313 (CVSS Score: 7.5) – A malicious code vulnerability embedded in eslint-config-prettier could allow the execution of a malicious DLL called Scavenger Loader that is designed to steal information
It is worth noting that CVE-2025-54313 refers to a supply chain attack that was revealed in July 2025 that targets eslint-config-prettier and six other npm packages: eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is.
This phishing campaign targets package maintainers with fake links that harvest credentials under the pretext of verifying email addresses as part of routine account maintenance, allowing threat actors to publish trojanized versions.
According to CrowdSec, exploit activity targeting CVE-2025-68645 has been ongoing since January 14, 2026. At this time, there are no details on how other vulnerabilities are being exploited in the wild.
Pursuant to Binding Operating Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply necessary fixes by February 12, 2026 to protect their networks from active threats.
Source link
