The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of weaknesses is as follows:
- CVE-2025-68645 (CVSS score: 8.8) – A PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow a remote attacker to craft requests to the “/h/rest” endpoint and include arbitrary files from the WebRoot directory without any authentication (fixed in version 10.1.13 in November 2025)
- CVE-2025-34026 (CVSS score: 9.2) – An authentication bypass in the Versa Concerto SD-WAN orchestration platform that could allow an attacker to access administrative endpoints (fixed in version 12.2.1 GA in April 2025)
- CVE-2025-31125 (CVSS score: 5.3) – An improper access control vulnerability in Vite Vitejs that could allow the contents of arbitrary files to be returned to the browser using ?inline&import or ?raw?import (fixed in March 2025 with versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11)
- CVE-2025-54313 (CVSS score: 7.5) – An embedded malicious code vulnerability in eslint-config-prettier that could allow the execution of a malicious DLL called Scavenger Loader that is designed to distribute information to
It is worth noting that CVE-2025-54313 refers to a supply chain attack that targeted eslint-config-prettier and six other npm packages, including eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, and got-fetch, and that came to light in July 2025.
The phishing campaign targeted the package maintainers with fake links that captured their credentials under the pretext of verifying their email addresses as part of routine account maintenance, allowing the threat actors to publish trojanized versions.
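For teams checking their own exposure to the two npm-related entries, the following added example (not code from CISA or the affected projects) audits a parsed package-lock.json for Vite releases older than the fixed versions listed above and flags the packages named for CVE-2025-54313 for manual review. The function names, the sample lockfile, and the handling of release lines without a listed fix are assumptions of this example.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3 "packages" map).
// Fixed Vite versions per release line, as listed above for CVE-2025-31125.
const VITE_FIXED = ["6.2.4", "6.1.3", "6.0.13", "5.4.16", "4.5.11"]
  .map((v) => v.split(".").map(Number));

// Packages the article names for CVE-2025-54313. The page gives no affected
// versions, so a hit is only flagged for manual review.
const REVIEW = new Set(["eslint-config-prettier", "eslint-plugin-prettier",
  "synckit", "@pkgr/core", "napi-postinstall", "got-fetch"]);

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Assumption: a release line without a listed fix counts as unpatched unless it
// is newer than the newest fixed line (6.2). Prereleases of a fixed version fail.
function viteIsPatched(version) {
  const pre = version.includes("-");
  const v = version.split("-")[0].split(".").map(Number);
  if (v.length !== 3 || v.some(Number.isNaN)) return false; // unparsable: fail closed
  const line = VITE_FIXED.find((f) => f[0] === v[0] && f[1] === v[1]);
  const c = cmp(v, line || VITE_FIXED[0]);
  return c > 0 || (c === 0 && !pre);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !meta.version) continue; // skip the root project entry
    const name = path.slice(idx + "node_modules/".length); // keeps @scope/name
    if (name === "vite" && !viteIsPatched(meta.version))
      findings.push({ name, version: meta.version, action: "upgrade" });
    else if (REVIEW.has(name))
      findings.push({ name, version: meta.version, action: "review" });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from a real project).
const sample = { lockfileVersion: 3, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/vite": { version: "5.4.10" },
  "node_modules/docs/node_modules/vite": { version: "6.2.4" },
  "node_modules/@pkgr/core": { version: "0.2.7" },
}};
console.log(auditLockfile(sample));
```

A "review" finding means the installed version should be compared against the npm advisory for that package, since this page does not list the trojanized versions.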
According to CrowdSec, exploit attempts targeting CVE-2025-68645 have been ongoing since January 14, 2026. There are currently no details on how the other vulnerabilities are being exploited in the wild.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by February 12, 2026, to secure their networks against active threats.