The U.S. Cybersecurity and Infrastructure Security Agency added four vulnerabilities to its Known Exploited Vulnerabilities catalog on January 22, 2026, confirming hackers are actively exploiting flaws in enterprise tools from Versa Networks, Synacor Zimbra, Vite and the Prettier code formatter. Federal agencies must remediate by February 12, 2026, under Binding Operational Directive 22-01, or discontinue use of affected products.
CISA’s move signals real-world attacks but shares no specifics on threat actors or ransomware links, listing the ransomware-use status of each entry as ‘unknown.’ The flaws span SD-WAN orchestration, email servers and developer workflows, highlighting risks from misconfigurations, supply-chain hijacks and improper input handling. While patches exist for most, persistent exploitation underscores patching delays.
CISA’s Exploitation Evidence Mounts
The KEV catalog lists vulnerabilities with ‘reliable evidence’ of wild exploitation, prioritizing them for federal networks. ‘These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,’ CISA stated in its alert. Agencies face remediation deadlines, with CISA urging all organizations to prioritize KEV entries in vulnerability management.
BleepingComputer first reported the additions, noting the flaws impact ‘enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter’ in its January 23 article. NIST’s National Vulnerability Database updated entries post-KEV listing, confirming CVSS scores and patches.
Vite Dev Servers Leak Files
CVE-2025-31125, rated 7.5 high on CVSS v3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), affects Vite versions prior to 4.5.11, 5.4.16, 6.0.13, 6.1.3 and 6.2.4. ‘Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network are affected,’ per NIST’s NVD entry. Disclosed March 2025, it bypasses server.fs.deny via WASM import path traversal.
Public proof-of-concepts exist, including a GitHub repo by 0xgh057r3c0n demonstrating file reads like /etc/passwd on exposed dev servers. GitHub tagged its advisory with ‘Exploit,’ and CISA requires mitigations by February 12. DevOps teams running vite --host face elevated risks if unpatched.
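As an added illustration (not code from the article or the Vite project), the script below checks two things a DevOps team would want to know about a project on this CVE: whether the installed Vite version is at or above the first fixed release on its line (the five fixed versions quoted from the NVD entry above), and whether the `server` block of a vite.config.js exposes the dev server the way the advisory describes. It assumes the config object has the shape Vite uses (server.host, server.fs.strict and server.fs.deny are real Vite options); the weak and hardened configurations are constructed here for comparison.

```javascript
// First fixed release on each Vite line, per the NVD entry for CVE-2025-31125.
const FIXED_VITE = ['4.5.11', '5.4.16', '6.0.13', '6.1.3', '6.2.4'];

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` is on a line that received a fix and is at or above it.
// The 4.x and 5.x fixes cover the whole major; the 6.x fixes are per minor.
// Lines older than any fix (e.g. 3.x, 5.3.x) never got a patch and report
// false; lines newer than every listed fix (6.3+, 7.x) report true.
function isVitePatched(version) {
  const v = parseSemver(version);
  for (const f of FIXED_VITE) {
    const fv = parseSemver(f);
    const sameLine = fv[0] < 6 ? v[0] === fv[0] : v[0] === fv[0] && v[1] === fv[1];
    if (sameLine) return cmpSemver(v, fv) >= 0;
  }
  const newest = parseSemver(FIXED_VITE[FIXED_VITE.length - 1]);
  return cmpSemver(v, newest) > 0;
}

// Audit the `server` block of a Vite config for the exposure conditions the
// advisory describes. Returns a list of human-readable findings (empty = ok).
function auditDevServer(server = {}) {
  const findings = [];
  // `vite --host` (or host: true / '0.0.0.0' / '::') binds every interface;
  // that is the "explicitly exposing the dev server to the network" condition.
  if (server.host === true || server.host === '0.0.0.0' || server.host === '::') {
    findings.push('dev server bound to all interfaces (server.host)');
  }
  if (server.fs && server.fs.strict === false) {
    findings.push('server.fs.strict disabled: files outside the workspace root are served');
  }
  // Setting fs.deny replaces Vite's default deny list, so an explicit list
  // that omits .env files widens exposure compared with the default.
  if (server.fs && Array.isArray(server.fs.deny) && !server.fs.deny.some(p => p.includes('.env'))) {
    findings.push('server.fs.deny overrides the default list but does not cover .env files');
  }
  return findings;
}

// Constructed weak configuration: the effect of `vite --host` plus a loosened fs.
const weakServerConfig = { host: true, fs: { strict: false } };

// Constructed hardened configuration: loopback only, strict root, explicit deny list.
const hardenedServerConfig = {
  host: '127.0.0.1',
  fs: { strict: true, deny: ['.env', '.env.*', '*.{crt,pem}', '**/.git/**'] },
};

console.log('weak config findings:', auditDevServer(weakServerConfig));
console.log('hardened config findings:', auditDevServer(hardenedServerConfig));
console.log('vite 6.2.3 patched?', isVitePatched('6.2.3'));
```

The version check is the part worth keeping in a CI step: a `^6.0.0` range in package.json says nothing about whether the resolved version is 6.0.12 or 6.0.13, so the check should run against the version actually recorded in the lockfile.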
Versa SD-WAN Auth Bypass Opens Doors
CVE-2025-34026 earns a critical CVSS 4.0 score of 9.2 from VulnCheck. It stems from Traefik reverse proxy misconfiguration in Versa Concerto SD-WAN versions 12.1.2 through 12.2.0 and potentially from 11.4.0. Attackers suppress X-Real-IP headers to access admin endpoints, including Spring Boot Actuator for heap dumps and logs, per NIST’s profile.
ProjectDiscovery disclosed it on February 13, 2025, and Versa completed fixes by March 7 via hotfix. A Versa spokesperson told BleepingComputer: ‘We developed and validated fixes, which were completed on March 7, 2025, and the hotfix made available to customers.’ Yet CISA’s KEV entry proves ongoing exploits despite patches, as detailed in ProjectDiscovery’s blog and BleepingComputer’s coverage.
Prettier npm Hijack Steals Tokens
CVE-2025-54313 (CVSS 3.1 7.5) marks a supply-chain attack on eslint-config-prettier packages 8.10.1, 9.1.1, 10.1.6 and 10.1.7. A phishing attack captured maintainer JounQin’s npm token, and the attacker embedded malware in an install.js that executes node-gyp.dll on Windows to steal credentials, as BleepingComputer explained in its report.
‘It’s this phishing email,’ JounQin posted on GitHub. NIST’s entry lists affected variants like eslint-plugin-prettier 4.2.2-4.2.3. The affected versions are deprecated on npm; users must audit lockfiles and rotate secrets. CISA flags it for its scope in JavaScript ecosystems.
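The lockfile audit the paragraph calls for, as an added example that is not code from the article or from the Prettier or ESLint projects: it walks an npm lockfile (the flat `packages` map of lockfile v2/v3, or the nested `dependencies` tree of v1) and reports every install path whose package name and version match the compromised releases named above. The sample lockfile at the bottom is constructed for the demonstration; a real run would `JSON.parse` the project’s package-lock.json and feed it to `findCompromised`.

```javascript
// Compromised versions as listed in the CVE-2025-54313 coverage above.
const COMPROMISED = {
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
};

function recordHit(hits, installPath, name, version) {
  const bad = COMPROMISED[name];
  if (bad && bad.includes(version)) hits.push({ path: installPath, name, version });
}

// Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/eslint-config-prettier" or a nested
// "node_modules/some-tool/node_modules/eslint-plugin-prettier".
function scanPackagesMap(packages) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(packages || {})) {
    const idx = installPath.lastIndexOf('node_modules/');
    if (idx < 0) continue; // "" is the root project; other paths are workspace links
    const name = installPath.slice(idx + 'node_modules/'.length); // keeps @scope/name intact
    recordHit(hits, installPath, name, meta.version);
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree where each entry may carry its own
// "dependencies" for packages installed beneath it.
function scanDependencyTree(deps, parentPath = '') {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const installPath = `${parentPath}node_modules/${name}`;
    recordHit(hits, installPath, name, meta.version);
    hits.push(...scanDependencyTree(meta.dependencies, `${installPath}/`));
  }
  return hits;
}

// Entry point: prefer the v2/v3 map when present, otherwise walk the v1 tree.
function findCompromised(lockfile) {
  return lockfile.packages
    ? scanPackagesMap(lockfile.packages)
    : scanDependencyTree(lockfile.dependencies);
}

// Constructed sample lockfile (v3 shape) with one direct and one nested hit.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { 'eslint-config-prettier': '^10.1.0' } },
    'node_modules/eslint-config-prettier': { version: '10.1.7' },
    'node_modules/eslint-plugin-prettier': { version: '5.2.1' },
    'node_modules/some-tool': { version: '1.0.0' },
    'node_modules/some-tool/node_modules/eslint-plugin-prettier': { version: '4.2.2' },
  },
};

for (const hit of findCompromised(SAMPLE_LOCKFILE)) {
  console.log(`compromised: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Matching on the install path rather than on the top-level name is the point: a hijacked version pulled in transitively by another tool sits under a nested node_modules directory and is missed by a check that only inspects direct devDependencies.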
Zimbra LFI Exposes WebRoot
CVE-2025-68645 (CVSS 3.1 8.8 high) hits Zimbra Collaboration Suite 10.0.0 to <10.0.18 and 10.1.0 to <10.1.13. An unauthenticated attacker crafts /h/rest requests that abuse flaws in the RestFilter servlet to include files from the WebRoot directory, per NIST's details and Zimbra’s Security Center.
After disclosure on December 22, 2025, public PoCs emerged on GitHub, including MaxMnMl’s exploit for reading sensitive files. Zimbra patched in 10.0.18 and 10.1.13 by November 2025, addressing the LFI and related issues like stored XSS.
Federal Mandates Drive Action
BOD 22-01 binds Federal Civilian Executive Branch agencies to KEV timelines: ‘Remediate identified vulnerabilities by the due date to protect FCEB networks against active threats,’ CISA notes. Private sectors gain from the signal, as WebProNews observed in its analysis: ‘Enterprises urged to patch immediately against auth bypasses and supply-chain risks.’
Vendors like Versa notified customers via portals, but delays in broad adoption enable exploits. The Hacker News covered the KEV update, emphasizing developer tool risks in its post.
Enterprise Defenses Evolve
Organizations scan for exposed Vite dev servers (--host), audit npm dependencies for malicious versions, segment Versa instances and harden Zimbra endpoints. Nuclei templates detect these flaws, and ProjectDiscovery’s CVEmap tracks KEV entries with public PoCs. CISA’s catalog now pressures vendors and users alike amid rising supply-chain threats.
With no public attacker attribution, defenses focus on rapid patching. Versa’s fixes predated KEV by months, yet exploitation persists, per CISA evidence. Prettier’s phishing underscores token hygiene imperatives.


WebProNews is an iEntry Publication