CISA Mandates Patching for Four Actively Exploited Flaws in Zimbra, Vite, and More

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Sets February Patch Deadline

HIGH
January 23, 2026
5m read
Vulnerability, Patch Management, Supply Chain Attack

Related Entities

Organizations

Products & Tech

Zimbra, Vite, Versa Concerto, eslint-config-prettier

Other

node-gyp.dll

CVE Identifiers

CVE-2025-68645
HIGH
CVE-2025-31125
MEDIUM
CVE-2025-34026
HIGH
CVE-2025-54313
CRITICAL

Full Report

Executive Summary

On January 22, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, meaning CISA has evidence that each is being actively exploited. The vulnerabilities span very different parts of the stack: Synacor Zimbra Collaboration Suite (ZCS), the Vite frontend build tool and development server, the Versa Concerto SD-WAN orchestration platform, and the widely used 'eslint-config-prettier' NPM package. Under Binding Operational Directive (BOD) 22-01, inclusion in the KEV catalog obliges U.S. Federal Civilian Executive Branch agencies to remediate the flaws by February 12, 2026. Given the confirmed in-the-wild exploitation, private sector organizations are strongly advised to treat the same date as an upper bound and patch these vulnerabilities immediately to prevent system compromise, data disclosure, and follow-on network intrusion.


Vulnerability Details

The four vulnerabilities added to the KEV catalog represent distinct threats to different parts of the IT environment:

  • CVE-2025-68645: A Local File Inclusion (LFI) vulnerability in the webmail UI of Zimbra Collaboration Suite. An unauthenticated attacker can include and read arbitrary files under the web application's WebRoot directory, potentially exposing configuration data, internal paths, and other information useful for reconnaissance and follow-on attacks. Security firm CrowdSec has reported a recent surge in exploitation attempts against this flaw.

  • CVE-2025-31125: An improper access control vulnerability in the Vite frontend build tool. Its development server can be made to return the contents of files that its file-system access restrictions are meant to block. The dev server listens on localhost by default, so the flaw matters for projects that expose it to the network (for example by starting it with --host or setting server.host), including containers and shared development hosts.

  • CVE-2025-34026: An authentication bypass vulnerability in the Versa Networks Concerto SD-WAN orchestration platform. Successful exploitation grants an attacker unauthenticated access to the platform, from which network configuration and traffic policy for the managed SD-WAN fabric can be manipulated.

  • CVE-2025-54313: Malicious code execution via compromised releases of the eslint-config-prettier NPM package. The malicious versions add an install.js lifecycle script that runs a bundled malware payload (node-gyp.dll) on Windows systems during npm install. The legitimate package is configuration-only and declares no install scripts, so this is a software supply chain attack on the package's distribution rather than a bug in its code.

Affected Systems

  • CVE-2025-68645: Synacor Zimbra Collaboration Suite (ZCS) versions before 10.1.13 and 10.0.18.
  • CVE-2025-31125: Projects using the Vite development server where it is exposed to the network rather than bound to localhost.
  • CVE-2025-34026: Versa Concerto SD-WAN orchestration platform (specific versions should be confirmed with the vendor).
  • CVE-2025-54313: Projects using malicious versions of the eslint-config-prettier NPM package.

Exploitation Status

All four vulnerabilities are confirmed by CISA to be under active exploitation in the wild. The directive for federal agencies to patch by February 12, 2026, underscores the urgency. CrowdSec has reported a surge in exploitation attempts against the Zimbra flaw, while the eslint-config-prettier case is a supply chain attack that reaches developers and build systems through the package registry rather than through an internet-facing server.

Impact Assessment

Exploitation of these vulnerabilities can lead to severe consequences:

  • Zimbra (CVE-2025-68645): Sensitive information disclosure, including configuration files that may contain credentials and internal details that give attackers a foothold for lateral movement within the network.
  • Vite (CVE-2025-31125): Exposure of source code or configuration files from the development machine, potentially revealing secrets, API keys, or business logic.
  • Versa Concerto (CVE-2025-34026): Administrative control of the SD-WAN orchestration layer, enabling traffic interception, redirection, and denial of service against the corporate network.
  • eslint-config-prettier (CVE-2025-54313): Compromise of developer workstations and CI/CD runners, leading to credential theft, code tampering, and broader downstream supply chain attacks.

Cyber Observables for Detection

Security teams should hunt for signs of compromise related to these vulnerabilities:

Type         Value             Description
url_pattern  /?/!/             Pattern observed in web server logs indicating attempts to exploit the Zimbra LFI (CVE-2025-68645).
file_name    install.js        Suspicious lifecycle script within node_modules/eslint-config-prettier (CVE-2025-54313).
file_name    node-gyp.dll      Malicious payload dropped by the compromised NPM package (CVE-2025-54313).
url_pattern  /api/v1/device/   Endpoint to monitor for anomalous or unauthenticated requests against Versa Concerto (CVE-2025-34026).

Detection & Response

Defenders should implement the following detection strategies:

  1. Network Traffic Analysis (D3-NTA): Monitor web server logs for unusual request patterns targeting Zimbra servers, especially the /?/!/ pattern combined with path traversal sequences such as ../ (check after URL-decoding, since attackers frequently encode the dots and slashes). For Versa Concerto, monitor for requests to the management interface from IP addresses outside the expected administrative ranges.
  2. File Integrity Monitoring: On developer machines and build servers, monitor for the creation of install.js in the eslint-config-prettier package directory. Use file hashing (D3-FH) to compare the versions and integrity hashes pinned in package-lock.json against known-good values.
  3. Endpoint Detection and Response (EDR): A DLL is not launched on its own, so look for node.exe or npm child processes (including rundll32.exe spawned by them) loading node-gyp.dll or any other DLL from a node_modules path, particularly during package installation.
  4. Vulnerability Scanning: Actively scan for vulnerable versions of Zimbra, Vite, and Versa Concerto in your environment. Prioritize internet-facing systems.
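The following script, added here as an illustration and not part of the original advisory or any vendor tooling, implements the log-based checks from items 1 above: it parses access-log lines in combined format, URL-decodes the request target twice so single- and double-encoded traversal sequences are caught, flags the /?/!/ Zimbra pattern and ../ traversal, and flags requests to the /api/v1/device/ Versa Concerto path that do not come from a trusted management range. The log lines and the 10.20.0.0/16 trusted range are constructed for the example; substitute your own allow-list.

```python
"""Hunt web-server access logs for the Zimbra LFI pattern and for Versa
Concerto management-API requests from untrusted sources (added example)."""
import ipaddress
import re
from urllib.parse import unquote

# Combined/common log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

ZIMBRA_LFI_MARKER = "/?/!/"            # url_pattern from the observables table
VERSA_MGMT_PREFIX = "/api/v1/device/"  # url_pattern from the observables table

# Assumption for this example: the Concerto management API should only be
# reached from this internal range. Replace with your real allow-list.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample lines (not real traffic) in combined log format.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2026:10:01:12 +0000] "GET /h/search?st=message HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jan/2026:10:01:15 +0000] "GET /?/!/../../WEB-INF/web.xml HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.7 - - [22/Jan/2026:10:01:16 +0000] "GET /zimbra/?/!/%2e%2e%2f%2e%2e%2fWEB-INF/web.xml HTTP/1.1" 200 1900 "-" "curl/8.4.0"
198.51.100.7 - - [22/Jan/2026:10:01:20 +0000] "GET /?/!/..%252f..%252fWEB-INF/web.xml HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.20.0.5 - - [22/Jan/2026:10:02:01 +0000] "GET /api/v1/device/list HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Jan/2026:10:02:05 +0000] "POST /api/v1/device/config HTTP/1.1" 401 0 "-" "python-requests/2.31"
"""


def normalize_target(target):
    """Percent-decode twice so single- and double-encoded traversal
    sequences (%2e%2e%2f, %252e%252e%252f) compare like a plain '../'."""
    decoded = unquote(unquote(target))
    return decoded.replace("\\", "/")


def classify(ip, target, trusted_nets):
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    norm = normalize_target(target)
    if ZIMBRA_LFI_MARKER in norm:
        reasons.append("zimbra_lfi_pattern")
    if "../" in norm:
        reasons.append("path_traversal")
    if norm.startswith(VERSA_MGMT_PREFIX):
        try:
            addr = ipaddress.ip_address(ip)
            trusted = any(addr in net for net in trusted_nets)
        except ValueError:          # unparsable client address: never trust it
            trusted = False
        if not trusted:
            reasons.append("versa_mgmt_untrusted_source")
    return reasons


def hunt(log_text, trusted_nets=TRUSTED_MGMT_NETS):
    """Return one finding per suspicious log line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not access-log records
        reasons = classify(m["ip"], m["target"], trusted_nets)
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["reasons"]), f["target"])
```

Note that a 404 or 401 response is still reported: a failed attempt from an address that later succeeds is exactly the context an analyst wants, and the status column is kept in each finding so the two cases can be separated afterwards.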

Remediation Steps

Immediate action is required to mitigate these threats:

  1. Patch Immediately: Apply the security updates provided by Zimbra, Vite, and Versa Networks, and move eslint-config-prettier to a release the maintainers have confirmed clean, regenerating the lockfile so the pinned version and integrity hash change. This aligns with MITRE mitigation M1051 - Update Software.
  2. Restrict Access: If patching is not immediately possible, restrict access to vulnerable interfaces. For Zimbra and Versa Concerto, keep the management interfaces off the public internet unless absolutely necessary and protect them with a firewall and MFA; for Vite, bind the development server to localhost. This aligns with M1035 - Limit Access to Resource Over Network.
  3. Audit Dependencies: For the NPM compromise, audit every project's lockfile, including nested copies pulled in transitively, to ensure no malicious version of eslint-config-prettier is in use, and inspect installed copies for install.js and node-gyp.dll. Implement dependency scanning in the CI/CD pipeline and consider running npm install with --ignore-scripts on build agents where lifecycle scripts are not required.
  4. Review Logs: Audit historical web server and application logs for indicators of compromise related to these vulnerabilities to determine whether systems were already breached before the patch was applied. This aligns with M1047 - Audit.
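As a worked version of step 3, the script below (added for this write-up; it is not vendor or npm tooling) audits a project for the compromised eslint-config-prettier releases. It extracts every pinned copy of the package from package-lock.json (lockfile v1 nested dependencies as well as v2/v3 package maps, so transitively installed copies are not missed), flags any version outside a caller-supplied allow-list, and inspects an installed copy for install/postinstall lifecycle scripts and the install.js and node-gyp.dll files named in the observables table. The lockfile, the 10.1.8 allow-list entry and the on-disk package are constructed for the example; confirm the clean version against the package's own advisory before relying on the allow-list.

```python
"""Audit a project for the malicious eslint-config-prettier releases behind
CVE-2025-54313: lockfile version allow-list plus installed-package checks
(added example, not vendor tooling)."""
import json
import os
import tempfile

PACKAGE = "eslint-config-prettier"
SUSPECT_FILES = ("install.js", "node-gyp.dll")   # observables named in the report

# Assumption for this example: the single release treated as known-good.
# Take the real value from the package maintainers' advisory.
ALLOWED_VERSIONS = {"10.1.8"}

# Constructed lockfile (v3) with a clean top-level copy and a nested copy
# that is flagged purely because it is not on the allow-list.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"devDependencies": {PACKAGE: "^10.1.0"}},
        "node_modules/" + PACKAGE: {"version": "10.1.8", "integrity": "sha512-..."},
        "node_modules/some-plugin": {"version": "2.0.0"},
        "node_modules/some-plugin/node_modules/" + PACKAGE: {"version": "10.1.7"},
    },
}


def lockfile_versions(lock):
    """Return {path_in_tree: version} for every pinned copy of PACKAGE.
    Handles lockfileVersion 1 (nested 'dependencies') and 2/3 ('packages')."""
    found = {}
    for path, meta in lock.get("packages", {}).items():        # v2/v3 layout
        if path.endswith("node_modules/" + PACKAGE):
            found[path] = meta.get("version")

    def walk(deps, prefix):                                     # v1 layout
        for name, meta in deps.items():
            p = prefix + "node_modules/" + name
            if name == PACKAGE:
                found[p] = meta.get("version")
            walk(meta.get("dependencies", {}), p + "/")
    walk(lock.get("dependencies", {}), "")
    return found


def audit_lockfile(lock, allowed_versions):
    """Flag every pinned copy whose version is not in the allow-list."""
    return {p: v for p, v in lockfile_versions(lock).items()
            if v not in allowed_versions}


def audit_installed(package_dir):
    """Flag lifecycle scripts and suspect files inside an installed copy.
    The genuine package is config-only and declares no install scripts."""
    issues = []
    pkg_json = os.path.join(package_dir, "package.json")
    if os.path.exists(pkg_json):
        with open(pkg_json, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
        for hook in ("preinstall", "install", "postinstall"):
            if hook in scripts:
                issues.append("lifecycle script %s: %s" % (hook, scripts[hook]))
    for name in SUSPECT_FILES:
        if os.path.exists(os.path.join(package_dir, name)):
            issues.append("suspect file present: " + name)
    return issues


def demo():
    """Run both checks against constructed input; returns (lock_hits, issues)."""
    lock_hits = audit_lockfile(SAMPLE_LOCK, ALLOWED_VERSIONS)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed on-disk copy shaped like the compromised release.
        bad = os.path.join(tmp, "node_modules", PACKAGE)
        os.makedirs(bad)
        with open(os.path.join(bad, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": PACKAGE, "version": "10.1.7",
                       "scripts": {"install": "node install.js"}}, fh)
        open(os.path.join(bad, "install.js"), "w").close()
        issues = audit_installed(bad)
    return lock_hits, issues


if __name__ == "__main__":
    hits, issues = demo()
    for path, version in hits.items():
        print("not on allow-list:", path, version)
    for issue in issues:
        print("installed copy:", issue)
```

An allow-list rather than a deny-list is deliberate: a deny-list of known-bad versions has to be updated every time a new compromised release appears, whereas pinning the exact version the team has vetted fails closed.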

Timeline of Events

  1. January 22, 2026: CISA adds four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
  2. January 23, 2026: This article was published.
  3. February 12, 2026: Deadline for U.S. Federal Civilian Executive Branch agencies to patch the four vulnerabilities.

MITRE ATT&CK Mitigations

Update Software

M1051 enterprise

The most critical mitigation is to apply the security patches provided by the respective vendors to eliminate the vulnerabilities.

Limit Access to Resource Over Network

M1035 enterprise

As a compensating control, restrict network access to vulnerable systems like Zimbra and Versa Concerto management interfaces, allowing connections only from trusted internal IP ranges.

Audit

M1047 enterprise

Implement comprehensive logging and auditing for web servers and applications to detect and investigate potential exploitation attempts.

Web Application Firewall

Use a Web Application Firewall (WAF) to filter requests matching the Zimbra LFI pattern before they reach the server. Treat this as a stopgap only: a WAF rule can be bypassed by alternative encodings, so it does not replace the patch.

Sources & References

Organizations Warned of Exploited Zimbra Collaboration Vulnerability
SecurityWeek (securityweek.com) January 23, 2026
Known Exploited Vulnerabilities Catalog
CISA (cisa.gov) January 22, 2026
CISA Known Exploited Vulnerabilities: 4 Urgent Risks
Darknet Search (darknetsearch.com) January 23, 2026

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

KEV, BOD 22-01, Federal Agencies, LFI, Authentication Bypass, NPM, SD-WAN
