CISA Adds Four Actively Exploited Flaws to Vulnerability Catalog, Urges Immediate Patching

CISA Identifies and Addresses Four Actively Exploited Software Vulnerabilities

On January 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, each with evidence of active exploitation. A KEV listing is not a severity rating: it means CISA has confirmed the flaw is being exploited in the wild, which is why even the medium-severity entry below carries the same patching deadline as the critical ones.

Detailed Overview of the Vulnerabilities:

1. CVE-2025-68645 (CVSS Score: 8.8): A PHP remote file inclusion flaw in the Synacor Zimbra Collaboration Suite (ZCS). An unauthenticated attacker can send crafted requests to the /h/rest endpoint and cause the server to include arbitrary files from the WebRoot directory. Synacor fixed the issue in November 2025 in version 10.1.13; since no authentication is required, any internet-facing ZCS instance below that version should be treated as exposed.

2. CVE-2025-34026 (CVSS Score: 9.2): An authentication bypass in the Versa Concerto SD-WAN orchestration platform that gives unauthorized access to administrative endpoints. Versa Networks fixed the flaw in April 2025 in version 12.2.1 GA; the fix had therefore been available for roughly nine months before the KEV listing.

3. CVE-2025-31125 (CVSS Score: 5.3): An improper access control issue in the Vite (vitejs) development server that lets a browser request with specific query parameters retrieve the contents of arbitrary files. Only development servers that are exposed to the network (for example, started with --host or a server.host setting) are reachable this way, but a dev server left listening on a shared or public interface is a common mistake. Fixes shipped in March 2025 across the supported release lines: 6.2.4, 6.1.3, 6.0.13, 5.4.16 and 4.5.11.

4. CVE-2025-54313 (CVSS Score: 7.5): Unlike the other three entries, this is not a coding flaw in a product but malicious code embedded in published versions of the eslint-config-prettier npm package. Installing an affected version can lead to execution of a malicious DLL known as Scavenger Loader, which deploys an information-stealing payload.

Contextual Insights:

The inclusion of CVE-2025-54313 reflects a supply chain attack that hit eslint-config-prettier and six other npm packages: eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is. In July 2025, attackers ran a phishing campaign against package maintainers, sending deceptive links disguised as email verification requests. With the harvested credentials they published compromised versions of these packages. Because several of them are pulled in transitively by other tooling, checking only a project's direct dependencies is not enough; the full lockfile has to be inspected.

CrowdSec reported that exploitation attempts against CVE-2025-68645 have been observed since January 14, 2026, more than a week before the KEV listing. How the other three vulnerabilities are being exploited has not been publicly detailed.

Mandated Actions:

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the vendor fixes for all four entries by February 12, 2026. The directive binds only federal agencies, but CISA's stated intent is that private-sector organizations treat the KEV catalog as a prioritization list as well.

Implications for the Broader Cybersecurity Landscape:

Three of the four flaws had vendor fixes available for months before they reached the KEV catalog, which illustrates that the gap between patch release and patch deployment is what attackers exploit. Organizations, both within and beyond the federal sphere, are urged to:

– Stay Informed: Regularly monitor updates from authoritative bodies like CISA to remain aware of emerging threats.

– Implement Patches Promptly: Upgrade ZCS to 10.1.13 or later, Versa Concerto to 12.2.1 GA or later, and Vite to a fixed release line, and remove the compromised npm package versions from lockfiles and build caches rather than only bumping direct dependencies.

– Enhance Monitoring: Review web-server and reverse-proxy logs for unauthenticated requests to exposed endpoints such as Zimbra's /h/rest, confirm that Vite development servers are not reachable from untrusted networks, and check build hosts that installed the affected npm packages for the Scavenger Loader payload.

– Educate Personnel: The eslint-config-prettier compromise began with a phishing email to package maintainers, so training should cover credential phishing against developers and maintainers, and maintainer accounts should use phishing-resistant multi-factor authentication.

Conclusion:

CISA’s proactive measures in updating the KEV catalog serve as a crucial reminder of the ever-evolving cyber threat landscape. By staying vigilant and adhering to recommended security practices, organizations can significantly reduce their vulnerability to such exploits.