The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has quietly but insistently expanded its Known Exploited Vulnerabilities (KEV) catalog this week, flagging a string of enterprise and developer-tool flaws that authorities say are being abused in the wild.
The additions include high-impact defects in Zimbra Collaboration, Versa's Concerto SD‑WAN orchestration, the Vite dev tool, the eslint-config-prettier npm package (part of a wider supply‑chain compromise), and — in a related update window — a critical VMware vCenter flaw. CISA’s notice is short on attribution and on fine-grained exploit details, but the practical message is blunt: these are being used by attackers and need attention now.
What CISA added and why it matters
The additions are easiest to digest as a checklist, so here are the vulnerabilities CISA flagged and the immediate implications for teams running these products:
- CVE-2025-68645 (Zimbra Collaboration — CVSS 8.8): A local file inclusion issue in the Webmail Classic UI that lets unauthenticated requests to the /h/rest endpoint pull arbitrary files from the WebRoot. Zimbra owners should note fixes shipped in November 2025 (10.1.13). CrowdSec reported exploitation activity targeting this flaw beginning January 14, 2026.
- CVE-2025-34026 (Versa Concerto — CVSS 9.2): An authentication‑bypass / improper-authentication problem in the Traefik reverse proxy used by the orchestration platform, potentially exposing admin endpoints (including internal Actuator endpoints that can leak heap dumps and traces). Patches arrived in April 2025 (12.2.1 GA).
- CVE-2025-31125 (Vite — CVSS ~5.3): An improper access‑control bug that can return the contents of arbitrary files when the Vite dev server is exposed to a network. Fixed in multiple releases (6.2.4, 6.1.3, 6.0.13, 5.4.16, 4.5.11). The real risk here often comes from accidentally exposing development servers to the internet.
- CVE-2025-54313 (eslint-config-prettier / npm supply‑chain — CVSS ~7.5): This one stems from a supply‑chain attack uncovered in July 2025. Maintainers were phished with fake verification links, their credentials were harvested, and trojanized package versions were published that execute an install.js on Windows to drop a DLL tracked as the Scavenger Loader — a loader built to deliver information stealers.
- CVE-2024-37079 (VMware vCenter — high severity): A vCenter out‑of‑bounds/heap‑overflow in DCERPC that can be triggered over the network and may lead to remote code execution. Given vCenter’s central role, any active exploitation risk draws broad attention from enterprise defenders.
CISA’s KEV entries deliberately avoid naming threat groups or providing exploit chains; instead, the agency emphasizes that these are observed to be exploited and therefore present meaningful risk to the federal enterprise and others. Under Binding Operational Directive 22‑01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by February 12, 2026 — a hard reminder that these aren’t theoretical issues.
This wave continues a pattern of attackers leaning on both classic enterprise targets and developer tooling/supply chains. If you follow KEV activity, it echoes prior catalog additions where CISA listed Gladinet and Control Web Panel flaws for active exploitation, a reminder that the list keeps growing and can include both infrastructure and developer-facing problems (see our earlier report: CISA Adds Gladinet and Control Web Panel flaws to KEV).
Practical steps for defenders — fast, focused, and specific
Patching is the core answer, but a checklist helps operationalize it quickly:
- Patch to the vendor‑provided fixes immediately. For Zimbra, confirm you’re on 10.1.13 or later; Versa Concerto users should be on 12.2.1 GA or newer; Vite users should apply the fixed versions (6.2.4 and the other listed builds); and replace any trojanized eslint‑config‑prettier installs with vetted releases.
- Treat developer tools and local dev servers as attack surface. Don’t expose Vite dev servers or similar tooling to public networks — restrict access via VPN, firewall, or SSH tunnels.
- Audit npm installations and lockfiles after the eslint-config-prettier compromise. Reinstall dependencies from clean sources, inspect package-lock.json / yarn.lock for unexpected entries, and consider using verified registries or package allowlists. If your organization’s maintainers received unusual email requests last year, rotate credentials and enable stronger multi‑factor controls.
- Limit vCenter exposure: network segmentation, firewalling, and applying vendor mitigations can reduce blast radius even before a full patch roll‑out.
- Hunt for indicators of compromise tied to Scavenger Loader and similar loaders. Monitor outbound connections, credential access patterns, unexpected DLL loads on Windows hosts, and anomalous package publishing activity.
- Integrate KEV signals into prioritization and scanning workflows. External catalogs like KEV often surface exploited CVEs that vendor products miss; combining multiple intelligence feeds shortens the time to detection and remediation (see our earlier look at how adding KEV coverage improves vulnerability awareness and response by a large margin, and our coverage of other developer-tool flaws such as the critical React Native CLI flaw, CVE-2025-11953, that lets remote attackers run OS commands).
A few configuration-level checks can buy time: tighten reverse‑proxy access controls, take unnecessary admin interfaces off public networks, and ensure Actuator‑style endpoints that expose heap dumps and traces are disabled or heavily restricted.
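One way to operationalize the lockfile audit step, as an added example that is not code from the article, CISA, or the npm project: a Node script that cross-checks a lockfileVersion 2/3 package-lock.json against the installed package.json manifests and flags lifecycle hooks, since the trojanized eslint-config-prettier releases executed an install.js. The lockfile, manifests, version numbers and the list of packages expected to have no hooks are all constructed assumptions for this example.

```javascript
// Added example: audit locked npm dependencies for unexpected install hooks.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

// Assumption: plain config packages like these should never run lifecycle
// hooks, so any hook on them is rated high rather than merely "review".
const NO_HOOKS_EXPECTED = new Set(["eslint-config-prettier", "eslint-plugin-prettier"]);

// Return [{ path, name, version }] for every dependency in a v2/v3 lockfile.
function lockfilePackages(lockJson) {
  const lock = JSON.parse(lockJson);
  return Object.entries(lock.packages || {})
    .filter(([path]) => path !== "") // "" is the root project itself
    .map(([path, meta]) => ({
      path,
      name: path.slice(path.lastIndexOf("node_modules/") + 13), // keeps "@scope/pkg"
      version: meta.version,
    }));
}

// `manifests` maps a lockfile path to the parsed package.json found on disk there.
function auditInstallHooks(lockJson, manifests) {
  const findings = [];
  for (const dep of lockfilePackages(lockJson)) {
    const manifest = manifests[dep.path];
    if (!manifest) {
      findings.push({ ...dep, severity: "review", reason: "no package.json at locked path" });
      continue;
    }
    if (manifest.version !== dep.version) {
      findings.push({ ...dep, severity: "high", reason: `installed ${manifest.version} != locked ${dep.version}` });
    }
    const scripts = manifest.scripts || {};
    const hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
    if (hooks.length) {
      const reason = "lifecycle hooks: " + hooks.map((h) => `${h}="${scripts[h]}"`).join(", ");
      findings.push({ ...dep, severity: NO_HOOKS_EXPECTED.has(dep.name) ? "high" : "review", reason });
    }
  }
  return findings;
}

// Constructed sample data: eslint-config-prettier carries an install hook it
// should not have; esbuild carries a postinstall hook that warrants review only.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.5" },
    "node_modules/esbuild": { version: "0.25.0" },
  },
});
const SAMPLE_MANIFESTS = {
  "node_modules/eslint-config-prettier": { name: "eslint-config-prettier", version: "10.1.5", scripts: { install: "node install.js" } },
  "node_modules/esbuild": { name: "esbuild", version: "0.25.0", scripts: { postinstall: "node install.js" } },
};
console.log(auditInstallHooks(SAMPLE_LOCK, SAMPLE_MANIFESTS));
```

In a real run, replace the constructed objects with fs reads of package-lock.json and each locked path's package.json, and route "high" findings to the reinstall-from-clean-sources step.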
Why this isn't just another patch cycle
Two trends make this alert stickier than the usual maintenance note. First, attackers are increasingly combining supply‑chain and credential‑harvesting tricks to insert malicious code into widely used developer packages — that lets them reach many build pipelines and CI systems with one effective phishing campaign. Second, common enterprise management consoles (vCenter, SD‑WAN controllers) remain high-value targets: a single compromised appliance can yield access to dozens or hundreds of downstream systems.
KEV’s role is pragmatic: it doesn’t analyze root causes or name actors; it marks the vulnerabilities that defenders should prioritize because exploitation is real. For security teams juggling thousands of CVEs, that curated signal matters.
This moment is an operational test: can teams patch and harden faster than attackers can move? If your infrastructure touches any of the products named above, schedule the work now, and treat the supply chain as a first-class risk vector rather than a footnote. The window to act is short and the consequences for delay can be immediate.