
CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent warnings regarding the active exploitation of eight significant security flaws across various enterprise and consumer software. These vulnerabilities, impacting products from Versa, Zimbra, Vite, Google Chrome, TeamT5, and Microsoft Windows, have been promptly added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

The KEV catalog is a critical resource for federal agencies: it lists vulnerabilities that are actively being leveraged by malicious actors and that therefore demand immediate attention. The addition of these eight flaws signals that they warrant prompt remediation.

Details of Actively Exploited Vulnerabilities

CISA's latest update details the following critical vulnerabilities:

CVE-2025-31125 (Vite)
  • High-severity improper access control flaw, disclosed in March 2024.
  • This vulnerability can expose non-allowed files when a development server is explicitly exposed to a network.
  • Primarily affects exposed development instances and has been patched in Vite versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
CVE-2025-34026 (Versa Concerto SD-WAN orchestration platform)
  • A critical-severity authentication bypass, disclosed in May 2025.
  • The flaw originates from a Traefik reverse proxy misconfiguration, which grants unauthorized access to administrative endpoints, including the internal Actuator endpoint.
  • This can lead to the exposure of heap dumps and trace logs.
  • Affected products include Concerto versions 12.1.2 through 12.2.0, with other versions potentially impacted. ProjectDiscovery researchers reported these issues on February 13, 2025, and Versa Concerto confirmed fixes by March 7, 2025.
CVE-2025-54313 (eslint-config-prettier package)
  • A high-severity vulnerability stemming from a supply-chain compromise.
  • In July 2024, several JavaScript libraries, including 'eslint-config-prettier', were compromised with malicious code embedded into their published versions.
  • Installation of affected packages (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) would execute a malicious install.js script, launching a node-gyp.dll payload on Windows systems designed to steal npm authentication tokens.
CVE-2025-68645 (Zimbra Collaboration Suite - Webmail Classic UI)
  • A local file inclusion vulnerability disclosed on December 22, 2025.
  • Improper handling of user-supplied parameters in the RestFilter servlet allows an unauthenticated attacker to exploit the /h/rest endpoint.
  • This enables the inclusion of arbitrary files from the WebRoot directory.
  • This affects Zimbra Collaboration Suite versions 10.0 and 10.1.
CVE-2026-2441 (Google Chrome)
  • A use-after-free vulnerability with a CVSS score of 8.8.
  • This flaw could allow a remote attacker to exploit heap corruption using a crafted HTML page.
  • Google has confirmed the existence of an exploit in the wild, though specific weaponization details are currently undisclosed.
CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware)
  • An arbitrary file upload vulnerability with a CVSS score of 7.2.
  • Affects versions 3.4.5 and earlier.
  • This flaw could enable an attacker to upload malicious files and achieve arbitrary system command execution on the server. Specific details regarding its exploitation are presently unclear.
CVE-2020-7796 (Synacor Zimbra Collaboration Suite - ZCS)
  • A server-side request forgery (SSRF) vulnerability with a CVSS score of 9.8.
  • This flaw could allow an attacker to send a crafted HTTP request to a remote host, potentially leading to unauthorized access to sensitive information.
  • A report from March 2025 by GreyNoise indicated active exploitation by approximately 400 IP addresses targeting instances in countries including the U.S., Germany, and Japan.
CVE-2008-0015 (Microsoft Windows Video ActiveX Control)
  • A stack-based buffer overflow vulnerability with a CVSS score of 8.8.
  • This could allow remote code execution if an attacker hosts a specially crafted web page and a user visits it.
  • Microsoft has noted instances where this exploit is used to download and execute malware such as the Dogkild worm.
  • The Dogkild worm is capable of retrieving and running additional binaries, overwriting system files, terminating security-related processes, and modifying the Windows Hosts file to block access to security websites.
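The Vite and eslint-config-prettier entries above both reduce, for a defender, to a dependency-inventory question: does any lockfile in the estate pin one of the compromised eslint-config-prettier releases (8.10.1, 9.1.1, 10.1.6, 10.1.7), or a Vite version below the patched release for its branch (6.2.4, 6.1.3, 6.0.13, 5.4.16, 4.5.11)? The following script is an added example written for this article, not code from CISA, Vite, or the eslint-config-prettier project. It reads an npm package-lock.json (lockfile versions 1 and 2/3), and the embedded lockfile is constructed sample input. The branch logic is an assumption of the example: a Vite version on an unlisted minor branch that is older than the newest patched release is reported as needing review, since the article gives no fix for such branches.

```python
"""Flag lockfile entries matching the CVE-2025-54313 and CVE-2025-31125 advisories.

Added example for this article; the version lists come from the article text,
the lockfile below is constructed sample input.
"""
import json
import re
import sys
from typing import Dict, Iterator, List, Set, Tuple

Version = Tuple[int, int, int]

# Exact eslint-config-prettier releases the article names as carrying the
# malicious install.js (CVE-2025-54313).
COMPROMISED_EXACT: Dict[str, Set[str]] = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
}

# First fixed Vite release per minor branch (CVE-2025-31125), from the article.
PATCHED_MINIMUM: Dict[str, List[str]] = {
    "vite": ["6.2.4", "6.1.3", "6.0.13", "5.4.16", "4.5.11"],
}


def parse_version(v: str) -> Version:
    """Return (major, minor, patch); prerelease/build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def iter_lock_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) pairs from a lockfile v2/v3 'packages' map or a v1 'dependencies' tree."""
    for path, meta in lock.get("packages", {}).items():
        # Keys look like "node_modules/vite" or "node_modules/a/node_modules/@scope/pkg".
        if path.startswith("node_modules/") and "version" in meta:
            yield path.rsplit("node_modules/", 1)[1], meta["version"]

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def is_unpatched(name: str, version: str) -> bool:
    """True if `version` is below the listed fix for its branch, or on an unlisted
    branch older than the newest listed fix (assumption: such versions need review)."""
    fixed = PATCHED_MINIMUM.get(name)
    if not fixed:
        return False
    ver = parse_version(version)
    fixed_versions = [parse_version(f) for f in fixed]
    for fv in fixed_versions:
        if fv[:2] == ver[:2]:          # same major.minor branch: compare patch level
            return ver[2] < fv[2]
    return ver < max(fixed_versions)   # unlisted branch: flag only if older than newest fix


def scan_lockfile(lock: dict) -> List[str]:
    """Return one finding string per affected lockfile entry, in lockfile order."""
    findings = []
    for name, version in iter_lock_packages(lock):
        if version in COMPROMISED_EXACT.get(name, set()):
            findings.append(f"{name}@{version}: compromised release (CVE-2025-54313)")
        elif is_unpatched(name, version):
            findings.append(f"{name}@{version}: below patched release (CVE-2025-31125)")
    return findings


# Constructed sample lockfile (lockfileVersion 3): one unpatched Vite, one
# compromised eslint-config-prettier, one nested but patched Vite, one unrelated package.
SAMPLE_LOCK = {
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/vite": {"version": "6.2.3"},
        "node_modules/eslint-config-prettier": {"version": "10.1.6"},
        "node_modules/some-tool/node_modules/vite": {"version": "5.4.16"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for line in scan_lockfile(lock) or ["no affected packages found"]:
        print(line)
```

Run it against each package-lock.json in a repository checkout or CI artifact store; a hit on a compromised eslint-config-prettier release is also a prompt to rotate npm tokens from the machines that installed it, since the article notes the payload targets those tokens.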

Directives for Federal Agencies

CISA mandates that all federal agencies covered by the BOD 22-01 directive apply available security updates or vendor-suggested mitigations, or cease using the affected products, by February 12, 2026. Separately, Federal Civilian Executive Branch (FCEB) agencies are advised to implement the necessary fixes for these vulnerabilities by March 10, 2026.

Additional Context

CISA has not released specific details about the ongoing exploitation activity for all vulnerabilities. The status regarding the flaws' use in ransomware attacks remains unknown for some of the listed CVEs.