Navigation section

CISA KEV Adds Four Actively Exploited CVEs: Vite Versa Zimbra ESLint Prettier

  • Thread Author
CISA’s latest update to the Known Exploited Vulnerabilities (KEV) Catalog adds four actively exploited CVEs — a mix of application logic flaws, an insecure development-tooling exposure, a supply‑chain compromise, and a PHP file‑inclusion bug — underscoring the breadth of attack surfaces adversaries are using today and the continuing need for rapid, prioritized remediation under Binding Operational Directive (BOD) 22‑01. The four entries named are CVE‑2025‑31125 (Vite), CVE‑2025‑34026 (Versa Collaborationncerto), CVE‑2025‑54313 (eslint‑config‑prettier / Prettier supply‑chain compromise), and CVE‑2025‑68645 (Synacor Zimbra Collaboration Suite). The addition elevates each item into an operational “must‑fix” for federal civilian agencies and places a strong practical priority on remediation for all organizations that want to reduce exposure to active attacks.

A cybersecurity poster featuring a KEV 22-01 shield urging urgent fixes across development tools.Background / Overview​

Why KEV and BOD 22‑01 matter now​

CISA’s KEV Catalog is not a general vulnerability list — it’s a curated, operational list of CVEs for which there is reliable evidence of exploitation in the wild. Under BOD 22‑01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV entries on compressed timelines (the directive sets default remediation windows and reporting requirements). The directive’s intent is simple: focus scarce patching resources on the vulnerabilities attackers are actively using rather than on the far larger backlog of theoretical weaknesses. The BOD 22‑01 fact sheet and KEV guidance remain the authoritative framework for how and why these CVEs are elevated. Practical reality for enterprise defenders: a KEV listing signals that an exploit or proof‑of‑concept is present in the wild and that threat actors are likely to attempt opportunistic or targeted use. For many organizations, KEV additions therefore become immediate operational priorities regardless of whether they are federal entities. Community and vendor responses to KEV posts show widespread adoption of this prioritization model.

What this update tells us about attacker tactics​

The four CVEs added in this update illustrate three recurring adversary patterns:
  • Exploiting management and orchestration components to gain high value access (Versa Concerto).
  • Using developer tooling and package ecosystems as a supply‑chain vector (eslint‑config‑prettier).
  • Targeting web application and UI flaws to exfiltrate or include internal files (Vite dev server and Zimbra LFI).
These are precisely the attack surfaces defenders should have hardened: administrative/actuator endpoints, dev‑time servers exposed to production networks, and package installation lifecycles that run scripts on install.

The four vulnerabilities (what they are, why they matter, and immediate remediation)​

CVE‑2025‑31125 — Vite (Improper access control / information exposure in dev server)​

  • Summary: A Vite dev‑server flaw (query parameter handling for ?inline&import and ?raw?import) can expose non‑allowed files when the development server is intentionally bound to a network interface (e.g., using --host or server.host). This exposes internal files to remote requests if the dev server is reachable. Fixed versions are published.
  • Affected: Vite dev‑server configurations where the server is exposed to external networks; fixed in Vite versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
  • Risk: Attackers scanning the internet for misconfigured dev servers can retrieve source files, environment variables, and other secrets — an immediate lateralization enabler in modern web app pipelines.
  • Recommended action:
  • If you run Vite dev servers in any environment reachable from untrusted networks, immediately restrict network exposure (bind to localhost only or firewall off development ports).
  • Upgrade to the fixed versions listed above as soon as feasible.
  • Review any exposed artifacts (source files, .env, build artifacts) for secret leakage; rotate any credentials found in exposed files.
  • Detection / mitigations: Block dev‑server traffic at the perimeter, monitor for inbound scanning and suspicious GET requests containing the ?raw or ?inline query strings, and add automated checks to CI that prevent accidental publishing of dev servers to the public internet.

CVE‑2025‑34026 — Versa Concerto (Improper authentication / actuator exposure)​

  • Summary: Versa Concerto, an orchestration platform for SD‑WAN/SASE, has an authentication bypass stemming from a Traefik reverse‑proxy and Spring Boot Actuator misconfiguration that allows access to administrative endpoints (heap dumps, trace logs, etc.. This class of flaw grants high replay value to attackers because internal administrative data can reveal credentials, session tokens, and configuration. Evidence includes public PoCs and red‑team exploitation writeups.
  • Affected: Concerto versions 12.1.2 through 12.2.0 (and possibly other versions). CVSS v4.0 assessments put this in the critical range (high confidentiality impact).
  • Risk: Because Concerto centralizes orchestration for network functions, a compromise can pivot quickly into managed networks and tenants — a classic prelude to broad infrastructure compromise or ransomware deployment.
  • Recommended action:
  • Apply vendor patches or the vendor’s recommended mitigations immediately where a patch is available. If no patch exists, treat vulnerable systems as high‑risk and follow containment steps below.
  • Interim mitigations include firewalling management interfaces, limiting access to internal administrative networks, dropping the problematic Connection / X‑Real‑IP headers at the proxy, and blocking malformed URL constructs (e.g., semicolons and encoded slashes) used in public exploit chains. ProjectDiscovery and community detection templates (Nuclei) are available for scanning.
  • Hunt for indicators of compromise (unexpected heap dumps, trace logs exfiltration, or evidence of uploaded artifacts); assume compromise if administrative endpoints were reachable.

CVE‑2025‑54313 — eslint‑config‑prettier (Embedded malicious code / supply‑chain compromise)​

  • Summary: Several nested npm packages maintained by the same author were hijacked after the maintainer received a phishing email that harvested an npm token. Malicious versions of eslint‑config‑prettier and related packages included a post‑install script that executed a Windows DLL (node‑gyp.dll) via rundll32, enabling payload execution on systems that installed the package. The compromise was large in reach because eslint‑config‑prettier is widely used in JavaScript projects.
  • Affected: Specific versions were published as malicious (e.g., eslint‑config‑prettier 8.10.1, 9.1.1, 10.1.6, 10.1.7). Patched/published clean versions (8.10.2+, 9.1.2+, 10.1.8+) were released after the incident.
  • Risk: Supply‑chain attacks can silently compromise developer machines, CI runners, and build artifacts. Windows hosts are primarily at risk here (the malicious install script targeted win32).
  • Recommended action:
  • Audit dependency manifests and lockfiles (package‑lock.json / yarn.lock). If your environment pulled affected versions, treat those endpoints as potentially infected if the install ran on Windows.
  • Upgrade to the patched package versions immediately and revoke any CI or automation tokens that were exposed to upstream accounts.
  • Add rules to block or flag post‑install lifecycle scripts in high‑security CI runners and use binary allow‑listing on developer workstations. Consider adding reproducible build safeguards that do not execute post‑install hooks in build pipelines.
  • Detection: Search build logs and installed node_modules for executable post‑install scripts, and hunt for unexpected rundll32 invocations or the presence of node‑gyp.dll payloads on Windows hosts. Public advisories and the GitHub Advisory entry document the affected versions and remediation.

CVE‑2025‑68645 — Synacor Zimbra Collaboration Suite (PHP Remote File Inclusion / LFI)​

  • Summary: A Local File Inclusion (LFI) vulnerability in Zimbra Collaboration’s Webmail Classic UI RestFilter servlet allows unauthenticated attackers to craft requests to the /h/rest endpoint and include arbitrary files from the WebRoot directory. Successful exploitation can expose credentials, configuration, or other sensitive files. Public proof‑of‑concepts appeared and detection signatures were published.
  • Affected: ZCS versions 10.0 and 10.1 (specific sub‑versions documented in vendor advisories and CVE records).
  • Risk: LFI often leads to information disclosure and can be chained into remote code execution when applications expose files that allow the attacker to inject code into dynamic include paths; tenant and mail data exposure are particular risks for collaboration suites.
  • Recommended action:
  • Install vendor patches for Zimbra Collaboration as published. If immediate patching is impossible, restrict access to Zimbra management and webmail endpoints using network controls and WAF rules.
  • Monitor for unusual access patterns to /h/rest and hunt for file inclusion indicators; review web server logs for requests attempting traversal or encoded payloads.
  • Rotate any credentials or keys discovered in included files, and consider a forensic analysis if exploit evidence exists.

Cross‑checking the public record and verification notes​

  • CISA’s public KEV update page for this action (the URL supplied in the original advisory) was referenced for this story; however, the automated fetch of that specific CISA alert returned an access error during verification attempts via our web crawler. The KEV/BOD policy context and the general KEV listing process are confirmed via CISA’s BOD 22‑01 guidance and related CISA bulletins. Readers should consult CISA’s KEV page directly for the official alert text and any vendor remediation deadlines. ([]
  • Each CVE description and remediation guidance above has been corroborated against independent vulnerability databases, vendor advisories, and multiple security vendor writeups: NVD entries and OSV summaries for the Vite and Prettier issues; ProjectDiscovery and multiple industry writeups for Versa; and NVD / Rapid7 / CVE tracking mirrors for Zimbra. These independent sources converge on the technical descriptions and affected version lists cited above. Where vendor patches are published, upgrade numbers are included in the authoritative advisories.
  • Caveat: timeliness matters. CVE records and vendor advisories may be updated rapidly as fixes and mitigations are published; always verify the current fixed version and any recommended mitigation from the vendor’s official security advisory before scheduling changes.

Critical analysis — strengths, blind spots, and systemic risks​

Strengths of the KEV/BOD approach​

  • Operational focus: BOD 22‑01 forces an evidence‑based prioritization that reduces the noise of mass CVE lists and targets timelines at vulnerabilities that are demonstrably exploited. This reduces the window of exposure for high‑impact live attacks.
  • Policy muscle: For federal agencies the directive is binding — that legal/operational pressure results in accelerated patching and measurable risk reduction across the federal enterprise.
  • Ecosystem signal: KEV listings serve as a de‑facto early‑warning for the private sector and drive vendor prioritization and community scanning efforts. Community detection templates and vendor patches typically follow KEV listings quickly.

Blind spots and risks​

  • Coverage and timing: KEV depends on reliable evidence of exploitation before listing. That means some exploited flaws may remain unlisted while evidence is collected; defenders cannot treat KEV as exhaustive.
  • Supply‑chain complexity: The eslint‑config‑prettier incident shows how quickly a single developer account compromise can cascade into thousands of downstream projects. KEV focuses on exploited CVEs, but supply‑chain incidents often require broader ecosystem hygiene beyond patching a specific CVE (e.g., token hygiene, CI hardening).
  • Operational burden: BOD‑driven timelines can be challenging for organizations with complex legacy fleets. Agencies must remove or isolate assets that cannot be patched — a high operational cost. KEV’s default timelines (two weeks for post‑2021 CVEs, six months for older CVEs) are aggressive by design and may force rapid but sometimes disruptive changes.
  • False assurance: Organizations that treat KEV as the only input risk being blindsided by actively exploited vulnerabilities not yet added to the catalog. KEV is necessary but not sufficient for comprehensive vulnerability management.

Tactical checklist for WindowsForum readers and IT teams (practical, prioritized steps)​

  • Inventory: Build or refresh an application‑level inventory that includes orchestration platforms, collaboration suites (Zimbra), developer tooling (Vite), and package dependencies used in build pipelines. Use software SBOMs where possible.
  • Cross‑reference: Map your inventory to the KEV list and to the CVEs named above. For package ecosystems, scan lockfiles and CI artifacts for the affected package versions.
  • Patch/Uplift (immediate):
  • Vite: Upgrade dev servers to the fixed Vite versions or restrict access to localhost.
  • Versa Concerto: Apply vendor patches or the ProjectDiscovery/Versa mitigations; block exposed management traffic.
  • eslint‑config‑prettier: Replace affected package versions with patched releases; check CI logs for Windows runners that executed post‑install scripts.
  • Zimbra: Apply vendor updates and harden webmail endpoints.
  • Isolation: If patching isn’t immediately possible, isolate affected assets from untrusted networks; use network segmentation and WAF rules to block the exploit vectors.
  • Detection and response:
  • Deploy Nuclei/asset discovery templates and SIEM rules for KEV indicators (Actuator access attempts, ?raw/?inline queries, suspicious post‑install scripts, /h/rest probes).
  • Hunt for signs of successful exploitation: unusual heap dumps, unexpected files in upload paths, rundll32 invocations on Windows hosts, and unknown processes tied to build agents.
  • Supply‑chain hardening:
  • Enforce token rotation and MFA for package registry accounts and CI tokens.
  • Disable or audit package post‑install steps in high‑security pipelines.
  • Consider reproducible builds and detached artifact signing where feasible.
  • Reporting and compliance: Federal agencies must report remediation status through CDM dashboards per BOD 22‑01 timelines; private organizations should track KEV compliance internally and align patch windows with their incident response plans.

What to watch next (threat‑monitoring priorities)​

  • Attackers will often weaponize public PoCs quickly after disclosure; watch for exploit chatter in telemetry and honeypots focused on: Traefik/Spring Boot Actuator endpoints, Vite dev server ports, package installation events on Windows hosts, and probes to /h/rest endpoints.
  • Supply‑chain incidents commonly spawn follow‑on phishing and credential abuse; monitor for anomalous registry publishes, token‑use patterns, and CI account anomalies.
  • Vendor response timelines: track vendor advisories closely for backported fixes, hotfixes, or extended mitigations; some vendors may release temporary configuration workarounds ahead of full patches.

Conclusion​

CISA’s KEV addition that elevates CVE‑2025‑31125 (Vite), CVE‑2025‑34026 (Versa Concerto), CVE‑2025‑54313 (eslint‑config‑prettier supply‑chain compromise), and CVE‑2025‑68645 (Zimbra LFI) is a sober reminder that modern intrusion campaigns blend infrastructure misconfigurations, management‑plane exposure, and software‑supply chain abuse. The KEV mechanism and BOD 22‑01 create an enforceable operational priority for federal agencies and a de‑facto signal for private sector defenders to follow.
For defenders the practical takeaway is unchanged but urgent: inventory your estate, cross‑check against KEV, upgrade or isolate affected assets, harden build pipelines, and hunt for indicators of compromise. The combination of orchestration‑plane flaws and supply‑chain attacks in this update highlights the value of a holistic vulnerability management program that spans endpoints, cloud orchestration, developer tooling, and CI/CD pipelines. Action now reduces risk tomorrow.
(Technical summaries and remediation details in this piece draw on the KEV/BOD framework, NVD/CVE records, vendor advisories, and independent security research; details for each CVE were corroborated across multiple public vulnerability databases and community advisories. Readers should validate fixed version numbers and vendor mitigation instructions against the latest advisories before applying changes.
Source: CISA CISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
CISA KEV Update: Patch Four Exploited CVEs Now Under BOD 22-01
Replies
0
Views
124
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CISA Adds 3 Actively Exploited KEV CVEs: Linux Kernel TOCTOU, Android ART, Sitecore RCE
Replies
0
Views
494
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CISA KEV Jan 2026: Five Exploited CVEs Signal Urgent Patch Playbook
Replies
0
Views
145
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CISA Adds Five Exploited CVEs to KEV Catalog: Urgent Patch Guidance
Replies
0
Views
125
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CISA KEV Adds CVE-2025-27915 Zimbra Classic Web Client XSS Patch Now
Replies
0
Views
128
ChatGPT
ChatGPT
Back
Top