CISA’s Urgent Call: Four Enterprise Flaws Under Siege by Hackers

CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on January 22, 2026, citing evidence of active exploitation in Versa Concerto, Zimbra Collaboration, the Vite dev server, and the eslint-config-prettier npm package. Federal agencies must remediate by February 12, 2026; all enterprises are urged to patch immediately against the authentication bypass, file inclusion, and supply-chain malware the four entries cover.

Written by John Smart

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four high-profile vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that each is being used in real-world attacks. Announced on January 22, 2026, the flaws affect enterprise networking vendor Versa, the Zimbra email platform, and two widely used pieces of open-source JavaScript tooling: the Vite dev server and the eslint-config-prettier package. Federal agencies face a deadline of February 12, 2026, to patch or retire affected systems under Binding Operational Directive 22-01, and CISA urges all organizations to prioritize remediation.

These vulnerabilities span network orchestration, email servers, and JavaScript development workflows, exposing companies to unauthorized access, file disclosure, and malware deployment. A KEV listing confirms evidence of malicious use but withholds specifics on the attackers; CISA records the ransomware-campaign status of all four as 'unknown.' The listing also underscores persistent delays in patching, since all four flaws were disclosed and fixed between roughly one and ten months earlier. CISA warns that such flaws are frequent vectors for cyber actors targeting federal and private networks alike.

Vulnerabilities Span Critical Enterprise Tools

First up is CVE-2025-31125, a high-severity improper access control issue in Vite, a widely used frontend build tool and dev server for JavaScript applications. Rated 7.5 on the CVSS v3.1 scale by NIST, the flaw lets an attacker read the contents of arbitrary files outside the allowed list by appending query parameters such as ?inline&import or ?raw&import to a request. Only dev servers explicitly exposed to the network, via the --host flag or the server.host setting, are reachable; the default binding is localhost. Affected releases are those before 4.5.11, 5.4.16, 6.0.13, 6.1.3, and 6.2.4 in their respective release lines. Although patches shipped in March 2025, exploitation continues against instances that were never updated. NIST NVD records its addition to KEV on January 22, 2026.

The second entry belongs to Versa Networks. CVE-2025-34026, a critical authentication bypass in the Concerto SD-WAN orchestration platform, stems from a misconfiguration of the Traefik reverse proxy that fronts the application. CVSS 4.0 scores it 9.2: an unauthenticated attacker can reach administrative endpoints, including the Spring Boot Actuator, and pull heap dumps and request trace logs from it. It affects versions 12.1.2 through 12.2.0 and potentially earlier releases back to 11.4.0. ProjectDiscovery researchers discovered the flaw and reported it on February 13, 2025; Versa issued hotfixes by March 7, 2025, and a general release on April 16. A Versa spokesperson told BleepingComputer the fixes were validated and customers notified, though communication lapsed after disclosure.

Supply Chain Menace Hits Developer Dependencies

CVE-2025-54313 is a brazen npm supply-chain compromise of eslint-config-prettier, the package used to turn off ESLint rules that conflict with the Prettier formatter. Versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 carry a postinstall script, install.js, that on Windows hosts loads a malicious node-gyp.dll. The July 2025 attack began with a phishing email that lured maintainer JounQin to a fake npmjs.com login page and captured the credentials later used to publish the poisoned releases. With over 30 million weekly downloads, the package's reach amplifies the risk to development pipelines. NIST NVD and BleepingComputer tie the incident to the hijacking of related packages, including eslint-plugin-prettier and synckit.
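The two npm-side entries above, Vite (CVE-2025-31125) and eslint-config-prettier (CVE-2025-54313), can both be checked from a project's lockfile. The script below is an added example by the editor, not code from CISA, Vite or the Prettier project: it walks an npm package-lock.json (lockfileVersion 2 or 3, which is an assumption; v1 lockfiles use a different layout), flags the four compromised eslint-config-prettier releases by exact version, flags any Vite version below the fixed release for its line, and lists every package that runs an install script, since that is the vector the poisoned releases used. The sample lockfile at the bottom is constructed.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for the two npm-side
KEV entries above. Added example, not code from CISA, Vite or the Prettier
project; the sample lockfile at the bottom is constructed."""
import json
import re
import sys
from typing import Any, Dict, List, Set, Tuple

# (major, minor, patch, release_flag): the flag is 0 for a prerelease and 1 for a
# release, so "6.2.4-beta.1" sorts below "6.2.4" as semver requires.
Semver = Tuple[int, int, int, int]

# Exact releases published from the hijacked maintainer account (CVE-2025-54313).
COMPROMISED_EXACT: Dict[str, Set[str]] = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
}

# CVE-2025-31125: affected ranges, lower bound inclusive, upper bound exclusive,
# derived from the fixed releases 4.5.11, 5.4.16, 6.0.13, 6.1.3 and 6.2.4.
AFFECTED_RANGES: Dict[str, List[Tuple[Semver, Semver]]] = {
    "vite": [
        ((0, 0, 0, 0), (4, 5, 11, 1)),
        ((5, 0, 0, 0), (5, 4, 16, 1)),
        ((6, 0, 0, 0), (6, 0, 13, 1)),
        ((6, 1, 0, 0), (6, 1, 3, 1)),
        ((6, 2, 0, 0), (6, 2, 4, 1)),
    ],
}

_CORE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_semver(version: str) -> Semver:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease][+build]'; build metadata is ignored."""
    text = version.strip()
    m = _CORE.match(text)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    release_flag = 0 if text[m.end():].startswith("-") else 1
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch, release_flag)


def in_affected_range(name: str, version: str) -> bool:
    """True when `name` has known ranges and `version` falls inside one of them."""
    ranges = AFFECTED_RANGES.get(name)
    if not ranges:
        return False  # also avoids parsing odd specs (git:, file:) of unrelated packages
    v = parse_semver(version)
    return any(lo <= v < hi for lo, hi in ranges)


def package_name(lock_key: str) -> str:
    """Lockfile keys look like 'node_modules/a/node_modules/@scope/b'; return '@scope/b'."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per problem: a compromised release, a version below the
    fix, or a package that runs an install script and therefore deserves review."""
    findings: List[Dict[str, str]] = []
    for key, meta in lock.get("packages", {}).items():
        if not key:  # the "" key is the root project itself
            continue
        name, version = package_name(key), str(meta.get("version", ""))
        if version in COMPROMISED_EXACT.get(name, set()):
            findings.append({"path": key, "version": version,
                             "reason": "compromised release (CVE-2025-54313)"})
        elif version and in_affected_range(name, version):
            findings.append({"path": key, "version": version,
                             "reason": "below fixed version (CVE-2025-31125)"})
        if meta.get("hasInstallScript"):
            findings.append({"path": key, "version": version,
                             "reason": "runs an install script; review it"})
    return findings


# Constructed sample: one vulnerable Vite, one compromised eslint-config-prettier,
# one patched nested Vite, and an unrelated native package with an install script.
SAMPLE_LOCK: Dict[str, Any] = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/vite": {"version": "6.2.3"},
        "node_modules/eslint-config-prettier": {"version": "10.1.7", "hasInstallScript": True},
        "node_modules/legacy-tool/node_modules/vite": {"version": "5.4.16"},
        "node_modules/esbuild": {"version": "0.25.0", "hasInstallScript": True},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit_lockfile(lock):
        print(f"{f['path']}@{f['version']}: {f['reason']}")
```

Pass a real lockfile path as the first argument to audit a project. Nested copies under a dependency's own node_modules are checked too, which matters for Vite because a transitive pin can keep an old release around after the top-level one is updated.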

The fourth flaw, CVE-2025-68645, affects the Webmail Classic UI of Synacor's Zimbra Collaboration Suite in versions 10.0.0 up to but not including 10.0.18, and 10.1.0 up to but not including 10.1.13. The local file inclusion bug, scored CVSS 8.8, arises from flawed handling of user-supplied parameters in the RestFilter servlet and lets unauthenticated attackers craft /h/rest requests that retrieve files from the web root. Disclosed December 22, 2025, it is fixed in 10.0.18 and 10.1.13. Public proof-of-concept code appeared swiftly in GitHub repositories. NIST NVD notes its KEV status.

Federal Mandates Drive Swift Action

CISA's BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by the listed due date, a prioritization based on observed exploitation rather than raw CVSS scores. Private firms are not bound by the directive but face the same adversaries, from nation-state groups to criminals scanning internet-facing assets. Versa products have drawn such attention before: China-linked Volt Typhoon exploited CVE-2024-39717 in Versa Director in 2024. Vite exposures typically stem from dev servers in CI/CD or staging environments that were bound to a public interface and left reachable.

Exploitation details remain guarded, but patterns emerge: public PoCs for Vite (for example, GitHub user 0xgh057r3c0n's repository) and Zimbra fuel mass scanning, while the Versa flaw echoes a common class of reverse-proxy misconfiguration. The eslint-config-prettier payload targets Windows CI runners, per Socket.dev's analysis. No ransomware links are confirmed, but KEV history shows such escalations happen. Organizations should inventory their exposure, apply the fixes (Vite 6.2.4, or 6.1.3, 6.0.13, 5.4.16, or 4.5.11 for older release lines; the Versa hotfixes; removal of the four tainted eslint-config-prettier versions; Zimbra 10.1.13 or 10.0.18), and monitor logs for anomalous access to the affected endpoints.
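The log monitoring recommended above can be made concrete for the three network-facing flaws on this page (Vite, Versa Concerto and Zimbra). The script below is an added example by the editor, not detection content from CISA or any of the vendors: it parses combined-format web server access logs and applies three heuristic rules. For Vite, a "?raw"/"?inline" import query is ordinary dev-server traffic, so the rule fires only when that query targets a path outside a project (traversal, a dotfile such as .env, a system directory). For Versa, it flags any request that reaches a Spring Boot Actuator path; /actuator/ is the framework's standard prefix and is assumed here to be what Concerto exposes. For Zimbra, it flags /h/rest requests carrying traversal or a sensitive target, the generic shape of a local file inclusion attempt rather than the exact request used in the wild. The log lines are constructed, and a 200 response is used to separate successful reads from blocked probes.

```python
"""Scan combined-format access logs for requests matching the three
network-facing exposures discussed on this page. Added example by the editor;
the log lines are constructed and the rules are heuristics, not signatures
for the exact requests used in the wild."""
import re
import sys
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a dev server or webmail REST endpoint has no business serving: traversal,
# dotfiles such as .env, system directories, or a Java application's WEB-INF.
SENSITIVE_PATH = re.compile(r'(\.\.(/|\\|$)|/\.[A-Za-z]|/etc/|/proc/|web-inf)', re.I)


def parse_access_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields the rules need, with path and query percent-decoded, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"], "method": m["method"], "target": m["target"],
        "path": unquote(parts.path), "query": unquote(parts.query),
        "status": int(m["status"]),
    }


def classify(rec: Dict[str, object]) -> List[str]:
    """Name every rule a parsed request matches (an empty list means benign)."""
    path, query = str(rec["path"]).lower(), str(rec["query"]).lower()
    hits: List[str] = []
    # Vite (CVE-2025-31125): "?import" with "raw"/"inline" is normal dev-server
    # traffic for files inside the project, so only a sensitive path is suspicious.
    if "import" in query and ("raw" in query or "inline" in query) and SENSITIVE_PATH.search(path):
        hits.append("vite-fs-bypass")
    # Versa Concerto (CVE-2025-34026): the bypass reaches Spring Boot Actuator.
    # /actuator/ is the framework's default prefix; assumed here for Concerto.
    if "/actuator/" in path:
        hits.append("actuator-reached")
    # Zimbra (CVE-2025-68645): a /h/rest request carrying traversal or a
    # sensitive target, the generic shape of a local file inclusion attempt.
    if path.startswith("/h/rest") and SENSITIVE_PATH.search(path + "?" + query):
        hits.append("zimbra-rest-lfi")
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over each line; a 200 response marks the attempt as successful."""
    alerts: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        rec = parse_access_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            alerts.append({"line": number, "rule": rule, "ip": rec["ip"],
                           "status": rec["status"], "target": rec["target"],
                           "succeeded": rec["status"] == 200})
    return alerts


# Constructed sample log: two benign Vite requests, one dotfile read, two Actuator
# probes (one blocked), one traversal against /h/rest, one ordinary REST call.
SAMPLE_LOG: List[str] = [
    '203.0.113.10 - - [22/Jan/2026:10:01:02 +0000] "GET /src/main.ts?import HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/Jan/2026:10:01:05 +0000] "GET /src/logo.svg?raw&import HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [22/Jan/2026:10:01:09 +0000] "GET /.env?inline&import HTTP/1.1" 200 143 "-" "curl/8.5.0"',
    '198.51.100.7 - - [22/Jan/2026:10:02:11 +0000] "GET /actuator/heapdump HTTP/1.1" 200 31457280 "-" "python-requests/2.32"',
    '198.51.100.7 - - [22/Jan/2026:10:02:15 +0000] "GET /actuator/httptrace HTTP/1.1" 401 0 "-" "python-requests/2.32"',
    '192.0.2.44 - - [22/Jan/2026:10:03:01 +0000] "GET /h/rest/..%2F..%2FWEB-INF/web.xml HTTP/1.1" 200 4096 "-" "curl/8.5.0"',
    '192.0.2.44 - - [22/Jan/2026:10:03:20 +0000] "GET /h/rest/inbox?fmt=rss HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for a in scan_log(lines):
        outcome = "succeeded" if a["succeeded"] else "blocked"
        print(f"line {a['line']}: {a['rule']} from {a['ip']} ({a['status']}, {outcome}) {a['target']}")
```

Pass a log path as the first argument to scan a real file. Treat a successful Actuator or dotfile read as an incident rather than a scan: the response body in those cases is the disclosed data, and a heap dump from Concerto or a .env from a dev server may contain credentials that need rotating regardless of whether the patch is already applied.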

Broader Ramifications for Enterprise Defenses

This cluster highlights supply-chain fragility, from npm account phishing to reverse-proxy errors in enterprise stacks. Versa reported no in-the-wild exploitation at disclosure, but CISA's listing now indicates otherwise. Developers face npm hygiene imperatives: committed lockfiles; provenance and signature checks (npm audit signatures, Sigstore); an ignore-scripts=true setting in .npmrc, which stops a malicious postinstall script such as install.js from executing at install time, at the cost of packages that genuinely need a native build step; and dependency scanners like Socket or Endor Labs. Network teams must audit SD-WAN management exposure and keep dev servers and administrative endpoints off untrusted networks.

As the KEV catalog swells past 1,400 entries, patching lag continues to fuel breaches: prior reports found half of critical flaws still unremediated 55 days after disclosure. CISA's catalog, born from the 2021 directive, grows through vendor and researcher reports and demands vulnerability management driven by exploitation evidence rather than severity scores alone.
