CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation. They affect Synacor Zimbra Collaboration Suite (ZCS), the Versa Concerto SD-WAN orchestration platform, the Vite front-end build tool and the eslint-config-prettier npm package. Under Binding Operational Directive (BOD) 22-01, federal civilian agencies must remediate all four by February 12, 2026.

CVE-2025-68645 (Zimbra): catalogued by CISA as a PHP remote file inclusion flaw, while BleepingComputer's write-up describes it as a local file inclusion vulnerability in the Webmail Classic UI of ZCS 10.0 and 10.1, caused by improper handling of user-supplied parameters in the RestFilter servlet. Exploitation has been observed since January 14, 2026.

CVE-2025-34026 (Versa Concerto): an authentication bypass caused by a misconfiguration of the Traefik reverse proxy in front of Concerto, which lets requests reach administrative endpoints, including the internal Actuator endpoint that exposes heap dumps and trace logs. Concerto 12.1.2 through 12.2.0 are affected, and additional versions may be as well. Researchers at ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa told BleepingComputer that they were fixed on March 7, 2025.

CVE-2025-31125 (Vite): an improper access control flaw that returns the contents of arbitrary files to the browser. Only Vite dev servers that have been exposed to the network are affected; it is fixed in 6.2.4, 6.1.3, 6.0.13, 5.4.16 and 4.5.11.

CVE-2025-54313 (eslint-config-prettier): a supply chain compromise rather than a coding bug. Versions 8.10.1, 9.1.1, 10.1.6 and 10.1.7 shipped a malicious install.js that, on Windows, launched a node-gyp.dll payload (the Scavenger Loader) to steal npm authentication tokens.
Timeline
- 23.01.2026 17:24 (2 articles)
CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
Sources:
- CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities — thehackernews.com — 23.01.2026 17:24
- CISA confirms active exploitation of four enterprise software bugs — www.bleepingcomputer.com — 23.01.2026 20:47
Information Snippets
- CVE-2025-68645 (CVSS score: 8.8) is catalogued by CISA as a PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that allows unauthenticated remote attackers to include arbitrary files. BleepingComputer's write-up describes the same bug as a local file inclusion flaw in the Webmail Classic UI (see the RestFilter snippet below).
  Reported 23.01.2026 17:24 by thehackernews.com and bleepingcomputer.com.
- CVE-2025-34026 (CVSS score: 9.2) is an authentication bypass in the Versa Concerto SD-WAN orchestration platform that allows attackers to access administrative endpoints.
  Reported 23.01.2026 17:24 by thehackernews.com and bleepingcomputer.com.
- CVE-2025-31125 (CVSS score: 5.3) is an improper access control vulnerability in the Vite dev server that allows the contents of arbitrary files to be returned to the browser.
  Reported 23.01.2026 17:24 by thehackernews.com and bleepingcomputer.com.
- CVE-2025-54313 (CVSS score: 7.5) is an embedded malicious code vulnerability in eslint-config-prettier that results in execution of a malicious DLL known as Scavenger Loader.
  Reported 23.01.2026 17:24 by thehackernews.com and bleepingcomputer.com.
- CVE-2025-54313 is part of a supply chain attack targeting multiple npm packages, including eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is.
  Reported 23.01.2026 17:24 by thehackernews.com and bleepingcomputer.com.
- The trojanized releases followed a phishing campaign that sent package maintainers bogus links to harvest their npm credentials; the threat actors then used those credentials to publish the malicious versions of the packages.
  Reported 23.01.2026 17:24 by thehackernews.com and bleepingcomputer.com.
- Exploitation of CVE-2025-68645 has been ongoing since January 14, 2026, according to CrowdSec.
  Reported 23.01.2026 17:24 by thehackernews.com and bleepingcomputer.com.
- Federal agencies must apply patches for these vulnerabilities by February 12, 2026, as required by Binding Operational Directive (BOD) 22-01.
  Reported 23.01.2026 17:24 by thehackernews.com and bleepingcomputer.com.
- CVE-2025-31125 affects only dev servers that have been deliberately exposed to the network (for example via --host or the server.host option; by default the Vite dev server listens on localhost only) and has been patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
  Reported 23.01.2026 20:47 by bleepingcomputer.com.
- CVE-2025-34026 is caused by a misconfiguration of the Traefik reverse proxy in front of Concerto that allows requests to reach administrative endpoints, including the internal Actuator endpoint, which exposes heap dumps and trace logs.
  Reported 23.01.2026 20:47 by bleepingcomputer.com.
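The practical question for a Concerto operator is whether anyone outside the management network ever reached those Actuator paths through the proxy. The following is an added example, not code from the page, from Versa or from Traefik: it parses common-format access log lines (the shape Traefik and nginx write by default) and grades every request that lands on an Actuator-style path. The page does not give Concerto's exact endpoint paths, so the heapdump and httptrace/httpexchanges names are assumed to be the standard Spring Boot Actuator ones; the log lines are constructed with RFC 5737 documentation addresses, not real traffic.

```javascript
// Added example: grade reverse-proxy access log entries that hit Actuator endpoints.
// Assumption: Actuator lives under a path segment named "actuator" and the dump/trace
// endpoints use the standard Spring Boot names (heapdump, httptrace, httpexchanges).
const ACTUATOR_SEGMENT = /(^|\/)actuator(\/|$)/;
const DUMP_ENDPOINTS = new Set(["heapdump", "httptrace", "httpexchanges"]);

// Common log format: <client> - <user> [<time>] "<method> <path> <proto>" <status> <bytes>
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// RFC 1918 and loopback ranges count as internal; anything unparsable (e.g. IPv6) is
// treated as external so that it is surfaced rather than silently ignored.
function isPrivateIPv4(ip) {
  const m = ip.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Strip the query string, percent-decode, collapse "//" and resolve "." and ".." so that
// obfuscated requests such as "/%61ctuator//httptrace" or "/api/../actuator/env" are
// compared in the same form the backend would see them.
function normalizePath(rawPath) {
  let p = rawPath.split("?")[0];
  try { p = decodeURIComponent(p); } catch (_) { /* keep undecodable input as-is */ }
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/").toLowerCase();
}

function parseLine(line) {
  const m = line.match(LINE_RE);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: normalizePath(m[4]), status: Number(m[5]) };
}

// Returns one finding per request whose normalized path contains an "actuator" segment.
// critical: external client received a dump/trace endpoint (status < 400)
// high:     external client received any other Actuator endpoint
// medium:   external client probed Actuator but was refused (status >= 400)
// info:     internal client (expected monitoring traffic, still worth a look)
function findActuatorHits(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !ACTUATOR_SEGMENT.test(req.path)) continue;
    const external = !isPrivateIPv4(req.client);
    const last = req.path.split("/").pop();
    let severity = "info";
    if (external) {
      if (req.status >= 400) severity = "medium";
      else severity = DUMP_ENDPOINTS.has(last) ? "critical" : "high";
    }
    hits.push({ ...req, external, severity });
  }
  return hits;
}

// Constructed sample lines (documentation addresses), not real Concerto traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [14/Jan/2026:10:00:01 +0000] "GET /actuator/heapdump HTTP/1.1" 200 7340032',
  '10.0.0.5 - - [14/Jan/2026:10:00:05 +0000] "GET /actuator/health HTTP/1.1" 200 15',
  '198.51.100.9 - - [14/Jan/2026:10:00:09 +0000] "POST /login HTTP/1.1" 401 0',
  '203.0.113.7 - - [14/Jan/2026:10:00:12 +0000] "GET /%61ctuator//httptrace?x=1 HTTP/1.1" 403 0',
  '203.0.113.7 - - [14/Jan/2026:10:00:15 +0000] "GET /api/../actuator/env HTTP/1.1" 200 2048',
];

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node actuator-hits.js [access.log]   (falls back to the constructed sample)
  const lines = process.argv[2]
    ? require("fs").readFileSync(process.argv[2], "utf8").split("\n")
    : SAMPLE_LOG;
  for (const h of findActuatorHits(lines)) {
    console.log(`${h.severity.padEnd(8)} ${h.client.padEnd(15)} ${h.status} ${h.method} ${h.path}`);
  }
}
```

Anything graded critical or high means an external client was served an Actuator response through the proxy and the host should be treated as exposed regardless of whether the patched build is installed yet; the medium findings are the probing that typically precedes it. Run it against the proxy's full retention window, not just the last few days, because the page dates exploitation of one of the four KEV entries back to mid-January.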
- Affected products for CVE-2025-34026 are Concerto 12.1.2 through 12.2.0, although additional versions may also be impacted.
  Reported 23.01.2026 20:47 by bleepingcomputer.com.
- Researchers at cybersecurity company ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa confirmed to BleepingComputer that they had been fixed on March 7, 2025.
  Reported 23.01.2026 20:47 by bleepingcomputer.com.
- Installing an affected eslint-config-prettier release (8.10.1, 9.1.1, 10.1.6 or 10.1.7) for CVE-2025-54313 ran a malicious install.js script that, on Windows, launched the node-gyp.dll payload to steal npm authentication tokens.
  Reported 23.01.2026 20:47 by bleepingcomputer.com.
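Because the payload ran from an install-time lifecycle script, the two things worth checking in any Node project are whether a lockfile pins one of the trojanized eslint-config-prettier releases and which dependencies run install scripts at all. The following is an added example, not code from the page or from the eslint-config-prettier project, that audits a package-lock.json (lockfileVersion 2 or 3) for both. It serves the campaign snippet above as well: the other packages named there are flagged for review only, because the page gives no version numbers for them. The sample lockfile is constructed, and its non-eslint-config-prettier version strings are placeholders.

```javascript
// Added example: audit an npm lockfile for the trojanized eslint-config-prettier
// releases named on the page and for install-time lifecycle scripts.

// Versions the page lists as carrying the malicious install.js.
const KNOWN_BAD = {
  "eslint-config-prettier": new Set(["8.10.1", "9.1.1", "10.1.6", "10.1.7"]),
};

// Packages named in the same campaign; no compromised versions are given on the page,
// so these are reported as "review" rather than "bad".
const CAMPAIGN_PACKAGES = new Set([
  "eslint-plugin-prettier", "synckit", "@pkgr/core", "napi-postinstall", "got-fetch", "is",
]);

// Lockfile v2/v3 keys entries by install path, e.g. "node_modules/a/node_modules/@pkgr/core".
// The package name is everything after the last "node_modules/", which keeps scopes intact.
function packageNameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? p : p.slice(idx + "node_modules/".length);
}

// Returns an array of { name, version, level, reason }.
//   bad    - exact name+version the page lists as trojanized
//   review - package named in the campaign, version not on the page's list
//   info   - package runs preinstall/install/postinstall (npm records hasInstallScript)
function auditLock(lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry
    const name = meta.name || packageNameFromPath(path);
    const version = meta.version;
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(version)) {
      findings.push({ name, version, level: "bad", reason: "version listed as trojanized" });
    } else if (CAMPAIGN_PACKAGES.has(name)) {
      findings.push({ name, version, level: "review", reason: "package named in the same campaign" });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, version, level: "info", reason: "runs an install-time lifecycle script" });
    }
  }
  return findings;
}

// Constructed sample lockfile. Only the eslint-config-prettier version is a real
// number from the page; "0.0.0-sample" entries are placeholders.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.6", hasInstallScript: true },
    "node_modules/eslint-plugin-prettier": { version: "0.0.0-sample" },
    "node_modules/eslint-plugin-prettier/node_modules/@pkgr/core": { version: "0.0.0-sample" },
    "node_modules/left-pad": { version: "0.0.0-sample" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-lock.js [path/to/package-lock.json]   (falls back to the sample)
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLock(lock)) {
    console.log(`${f.level.padEnd(6)} ${f.name}@${f.version}: ${f.reason}`);
  }
}
```

A "bad" hit on a machine that ran npm install with that lockfile means the install.js already executed there; rotate that machine's npm tokens and treat any other secrets reachable from the install environment as exposed. The "info" lines are the broader lesson of this entry: running installs with `npm ci --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) on CI and developer workstations removes the execution vector entirely and can be re-enabled selectively for the few native-module packages that genuinely need it.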
- CVE-2025-68645 is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1 caused by improper handling of user-supplied parameters in the RestFilter servlet.
  Reported 23.01.2026 20:47 by bleepingcomputer.com.
Similar Happenings
TARmageddon Vulnerability in Async-Tar and Tokio-Tar Libraries
A high-severity vulnerability dubbed TARmageddon (CVE-2025-62518) affects the async-tar Rust library and its forks, including tokio-tar. This flaw can enable remote code execution through file overwriting attacks. The issue stems from inconsistent handling of PAX and ustar headers, allowing attackers to smuggle additional archive entries. The vulnerability impacts several widely-used projects, such as testcontainers, wasmCloud, Binstalk, Astral's uv Python package manager, and liboxen. Users of tokio-tar are advised to migrate to astral-tokio-tar version 0.5.6 or later to remediate the flaw. The flaw was discovered in late August 2025 by Edera and disclosed publicly on October 22, 2025. The widespread use of tokio-tar makes it difficult to quantify the full impact of this vulnerability, and some affected projects have yet to respond to the disclosure.
SAP S/4HANA Command Injection Vulnerability CVE-2025-42957 Exploited in the Wild
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA. The flaw was patched in SAP's August 2025 updates, but exploitation has been observed. SecurityBridge Threat Research Labs, BleepingComputer, and Pathlock have reported active exploitation. Organizations are advised to apply patches, monitor logs for suspicious RFC calls or new admin users, implement SAP's Unified Connectivity framework (UCON) to restrict RFC usage, and take additional security measures to mitigate the risk.
Multiple vulnerabilities in Citrix and Git added to CISA KEV catalog
CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities and within 48 hours for the NetScaler vulnerabilities. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway. CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. The vulnerability impacts software developers using Git on workstations and CI/CD build systems. CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center
Cisco has disclosed and patched a critical vulnerability in the RADIUS subsystem of Secure Firewall Management Center (FMC) Software. The flaw, CVE-2025-20265, allows unauthenticated, remote attackers to execute arbitrary shell commands on affected systems. This vulnerability affects FMC Software versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled for web-based management or SSH. The issue arises from improper handling of user input during the authentication phase, enabling attackers to inject malicious commands. Successful exploitation can lead to high-privilege command execution. There are no workarounds other than applying the provided patches. The flaw was discovered by Brandon Sakai during internal security testing. Cisco has also resolved several high-severity bugs in various products.