
CISA Warns of Active Attacks on 4 Critical Software Flaws

Originally published on: January 25, 2026
Summary

– CISA has added four actively exploited vulnerabilities to its KEV catalog, impacting software from Versa, Zimbra, Vite, and the Prettier code formatter.
– One critical vulnerability (CVE-2025-34026) is an authentication bypass in Versa’s SD-WAN platform, caused by a misconfigured reverse proxy exposing sensitive administrative endpoints.
– A high-severity supply-chain vulnerability (CVE-2025-54313) affected the ‘eslint-config-prettier’ package, where malicious versions were published to npm to steal authentication tokens.
– Another high-severity flaw (CVE-2025-68645) is a local file inclusion vulnerability in Zimbra Collaboration Suite, allowing unauthenticated attackers to read arbitrary files from the server.
– Federal agencies are required to patch these vulnerabilities or apply mitigations by February 12, 2026, though details on the exploitation and ransomware use remain unknown.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding four software vulnerabilities that are currently under active attack. These security flaws impact widely used enterprise tools from Versa and Zimbra, as well as the popular Vite framework and Prettier code formatter. By adding these issues to its Known Exploited Vulnerabilities (KEV) catalog, CISA confirms that malicious actors are actively leveraging them in real-world attacks, necessitating immediate action from affected organizations.

One of the listed flaws is CVE-2025-31125, a high-severity improper access control vulnerability in the Vite frontend tooling framework. Disclosed in March of last year, this bug can allow unauthorized access to files when a development server instance is explicitly exposed to a network. The issue has been addressed in patched versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

A second critical vulnerability now under exploitation is CVE-2025-34026. This flaw is an authentication bypass in the Versa Concerto SD-WAN orchestration platform, stemming from a misconfigured Traefik reverse proxy. The misconfiguration permits access to sensitive administrative endpoints, including an internal Actuator endpoint that can expose heap dumps and system trace logs. The affected products include Concerto versions 12.1.2 through 12.2.0, though other versions may also be vulnerable. Cybersecurity firm ProjectDiscovery reported the issues to Versa in February 2025, and the vendor confirmed implementing fixes by March 7, 2025.

CISA also flagged CVE-2025-54313 as being actively leveraged. This high-severity issue involves a supply-chain compromise of the ‘eslint-config-prettier’ package, which helps resolve conflicts between the ESLint code linter and the Prettier formatter. In a July 2024 incident, attackers hijacked this and other JavaScript libraries, publishing malicious versions to the npm registry. Installing compromised packages (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) would execute a malicious script designed to steal npm authentication tokens from Windows systems.
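As an added example (not code from CISA, the vendors, or the original article), the check below scans an npm lockfile for the compromised eslint-config-prettier versions listed above and for Vite releases older than the patched versions named earlier. The function names, the sample lockfile, and the rule for Vite release lines the article does not list are assumptions made for this sketch.

```javascript
// Version numbers come from the article; everything else is constructed.
const COMPROMISED = new Map([
  ["eslint-config-prettier", ["8.10.1", "9.1.1", "10.1.6", "10.1.7"]],
]);
const VITE_FIXED = ["6.2.4", "6.1.3", "6.0.13", "5.4.16", "4.5.11"];

// Prerelease suffixes such as "-beta.1" are ignored for comparison.
const parse = (v) => v.split("-")[0].split(".").map(Number);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
};

// Assumption: a Vite release is "fixed" if it is at or above the patched
// release on its own major.minor line, or newer than every listed fix.
function viteStatus(version) {
  const v = parse(version);
  const fixes = VITE_FIXED.map(parse);
  const sameLine = fixes.find((f) => f[0] === v[0] && f[1] === v[1]);
  if (sameLine) return cmp(v, sameLine) >= 0 ? "fixed" : "below-fix";
  return fixes.every((f) => cmp(v, f) > 0) ? "fixed" : "unlisted-line";
}

// Walks the "packages" map of a lockfile (lockfileVersion 2 or 3). Keys look
// like "node_modules/a/node_modules/b", so nested copies are checked too.
function scanLockfile(lockText) {
  const findings = [];
  const packages = JSON.parse(lockText).packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    const name = path.split("node_modules/").pop();
    if (!name || !meta.version) continue; // skips the root project entry
    const version = meta.version;
    if ((COMPROMISED.get(name) || []).includes(version)) {
      findings.push({ path, name, version, issue: "CVE-2025-54313" });
    } else if (name === "vite" && viteStatus(version) !== "fixed") {
      findings.push({ path, name, version, issue: "CVE-2025-31125" });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/eslint-config-prettier": { version: "10.1.7" },
  "node_modules/vite": { version: "5.4.10" },
  "node_modules/some-plugin/node_modules/vite": { version: "6.2.4" },
} });
console.log(scanLockfile(SAMPLE_LOCK));
```

To check a real project, pass the text of its `package-lock.json` to `scanLockfile`.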

The fourth vulnerability is CVE-2025-68645, a local file inclusion flaw in the Webmail Classic UI of Zimbra Collaboration Suite versions 10.0 and 10.1. Disclosed in December 2025, this bug results from improper handling of user-supplied parameters in the RestFilter servlet. It allows an unauthenticated attacker to exploit a specific endpoint to include arbitrary files from the WebRoot directory.

In response to these active threats, CISA has mandated that all federal agencies bound by Binding Operational Directive 22-01 apply available security patches, implement vendor-recommended mitigations, or discontinue use of the affected products by February 12, 2026. The agency has not provided specific details on the nature of the ongoing exploitation campaigns, and the potential use of these flaws in ransomware attacks is currently listed as unknown.

(Source: Bleeping Computer)
