CISA confirms active exploitation of four enterprise software bugs

The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. warned of active exploitation of four vulnerabilities impacting enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter.

The security issues have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, indicating that the agency has evidence that hackers are exploiting them in the wild.

One of the vulnerabilities is CVE-2025-31125, a high-severity improper access control issue disclosed in March last year that can be exploited to expose non-allowed files when the server is explicitly exposed to the network.

The issue affects only exposed dev instances and has been patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

Another bug CISA marked as exploited is CVE-2025-34026, a critical-severity authentication bypass in the Versa Concerto SD-WAN orchestration platform disclosed in May 2025. It is caused by a Traefik reverse proxy misconfiguration that allows access to administrative endpoints, including the internal Actuator endpoint, exposing heap dumps and trace logs.

Affected products are Concerto 12.1.2 through 12.2.0, although additional versions may also be impacted.

Researchers at cybersecurity company ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa Concerto confirmed to BleepingComputer that they had fixed them on March 7, 2025.

The US cybersecurity agency also lists CVE-2025-54313 as leveraged in attacks, a high-severity vulnerability due to supply-chain compromise affecting the eslint-config-prettier package for resolving conflicts between code linter ESLint and the Prettier code formatter.

In July last year, hackers hijacked several popular JavaScript libraries, ‘eslint-config-prettier’ among them, and published on npm versions embedded with malicious code.

Installing an affected package (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) would run a malicious install.js script that launched the node-gyp.dll payload on Windows to steal npm authentication tokens.

CISA also warned of CVE-2025-68645 being exploited. The vulnerability was disclosed on December 22, 2025, and is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1.

The bug is caused by improper handling of user-supplied parameters in the RestFilter servlet. An unauthenticated attacker can exploit the /h/rest endpoint to include arbitrary files from the WebRoot directory.

CISA now requires all federal agencies bound by the BOD 22-01 directive to apply available security updates or vendor-suggested mitigations, or to stop using the products by February 12, 2026.

The agency has not shared any details about the exploitation activity, and the status of the flaws’ use in ransomware attacks was marked as ‘unknown.’

7 Security Best Practices for MCP

As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.

This free cheat sheet outlines 7 best practices you can start using today.

Download Now