CISA Drops Four Nasty Zero-Days into KEV Catalog – Patch Now or Pay Later
Hey devs, CISA just slapped four actively exploited vulnerabilities onto their Known Exploited Vulnerabilities (KEV) catalog, confirming hackers are already pounding them in the wild. Federal agencies have until February 12 to patch, but if you’re running this stuff, you’re on the clock too.
The Nitty-Gritty Details
Here’s the hit list of these bad boys:
- CVE-2025-68645 (CVSS 8.8): PHP remote file inclusion in Synacor Zimbra Collaboration Suite. Attackers hit the “/h/rest” endpoint to snag arbitrary files from the web root—no auth needed. Fixed in Zimbra 10.1.13 back in November 2025. Exploitation’s been raging since January 14.
- CVE-2025-34026 (CVSS 9.2): Auth bypass in Versa Concerto SD-WAN orchestration platform, letting baddies into admin endpoints. Patched in version 12.2.1 GA last April.
- CVE-2025-31125 (CVSS 5.3): Improper access control in Vite (that’s vitejs for you frontend folks), spilling arbitrary file contents to browsers.
- CVE-2025-54313: Sneaky supply chain attack on npm packages like eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is. Phishers tricked maintainers into handing over creds via fake email verification links, then dropped trojanized versions in July 2025.
These aren’t hypotheticals—CISA’s BOD 22-01 makes patching mandatory for feds, but real-world exploits mean everyone’s at risk.
So What? Why Devs Should Sweat This
If you’re slinging Zimbra for email collab, Versa for SD-WAN, Vite for your builds, or any of those npm prettifiers in your stack, assume you’re targeted. Supply chain hits like CVE-2025-54313 show how a quick npm install can backdoor your whole project. One unpatched flaw, and boom—RCE, data leaks, or worse. Prioritize your dep scans, lock down endpoints, and audit those third-party tools yesterday.
Final Take
2026’s barely started, and the exploit train’s already full throttle. Patch these CVEs, harden your pipelines, and stay vigilant—cyber’s a battlefield, not a playground.
