The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of four vulnerabilities impacting enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter. These security issues have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
One identified vulnerability is CVE-2025-31125, a high-severity improper access control flaw in Vite. Disclosed in March 2024, it can expose non-allowed files when a development server is explicitly exposed to the network. This issue primarily affects exposed development instances and has been patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Another vulnerability is CVE-2025-34026, a critical-severity authentication bypass in the Versa Concerto SD-WAN orchestration platform. Disclosed in May 2025, it stems from a Traefik reverse proxy misconfiguration that grants access to administrative endpoints, including the internal Actuator endpoint, which can expose heap dumps and trace logs. Affected products include Concerto versions 12.1.2 through 12.2.0, with other versions potentially impacted. ProjectDiscovery researchers reported these issues on February 13, 2025, and Versa Concerto confirmed fixes by March 7, 2025.
CISA also listed CVE-2025-54313 as exploited, a high-severity vulnerability resulting from a supply-chain compromise affecting the eslint-config-prettier package. In July 2024, hackers hijacked several JavaScript libraries, including 'eslint-config-prettier', embedding malicious code into published versions. Installing affected packages (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) would execute a malicious install.js script, launching a node-gyp.dll payload on Windows to steal npm authentication tokens.
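As an added example that is not from the article or from any of the projects it names, the script below audits an npm lockfile for the four eslint-config-prettier versions listed above; the sample lockfiles are constructed, and the two layouts it assumes are npm's v1 nested "dependencies" tree and the v2/v3 "packages" map.

```javascript
// Added example (not from the article or any vendor): flag the
// eslint-config-prettier versions the article lists as compromised in an npm
// package-lock.json. Package name and versions come from the article.
const COMPROMISED = {
  'eslint-config-prettier': new Set(['8.10.1', '9.1.1', '10.1.6', '10.1.7']),
};

// Handles both lockfile layouts: the v2/v3 "packages" map keyed by install
// path ("node_modules/<name>", nested copies under ".../node_modules/<name>")
// and the v1 "dependencies" tree with nested "dependencies" objects.
// Returns one { name, version, where } entry per matching installed copy.
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (COMPROMISED[name] && COMPROMISED[name].has(version)) hits.push({ name, version, where });
  };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // '' is the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    check(name, meta.version, path);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, prefix + name);
      walk(meta.dependencies, `${prefix}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v1 lockfiles have no "packages" map
  return hits;
}

// Convenience wrapper for a real file: auditLockfile('./package-lock.json').
function auditLockfile(file) {
  return findCompromised(JSON.parse(require('node:fs').readFileSync(file, 'utf8')));
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/prettier': { version: '3.3.3' },
  'node_modules/eslint-config-prettier': { version: '10.1.7' },
  'node_modules/legacy-tool/node_modules/eslint-config-prettier': { version: '9.1.0' },
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  'legacy-tool': { version: '2.0.0',
    dependencies: { 'eslint-config-prettier': { version: '8.10.1' } } },
} };

for (const h of [...findCompromised(SAMPLE_LOCK_V3), ...findCompromised(SAMPLE_LOCK_V1)]) {
  console.log(`compromised ${h.name}@${h.version} at ${h.where}`);
}
```

A hit means the install step already ran on that machine, so the article's point about stolen npm tokens applies: rotate the tokens and re-publish from a clean environment rather than only bumping the version.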
Finally, CVE-2025-68645 is being exploited. Disclosed on December 22, 2025, this is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite versions 10.0 and 10.1. Improper handling of user-supplied parameters in the RestFilter servlet allows an unauthenticated attacker to exploit the /h/rest endpoint to include arbitrary files from the WebRoot directory.
CISA now mandates that all federal agencies covered by the BOD 22-01 directive apply available security updates or vendor-suggested mitigations, or cease using the affected products by February 12, 2026. The agency has not released specific details about the exploitation activity, and the status regarding the flaws' use in ransomware attacks remains unknown.