LmCast :: Stay tuned in

CISA confirms active exploitation of four enterprise software bugs

Recorded: Jan. 23, 2026, 10 p.m.


CISA confirms active exploitation of four enterprise software bugs

By Bill Toulas

January 23, 2026
01:47 PM

The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. warned of active exploitation of four vulnerabilities impacting enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter.
The security issues have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, indicating that the agency has evidence that hackers are exploiting them in the wild.
One of the vulnerabilities is CVE-2025-31125, a high-severity improper access control issue in the Vite dev server, disclosed in March 2025, that can be exploited to read files outside the server's allow list when the dev server is explicitly exposed to the network rather than left bound to localhost.

The issue affects only exposed dev instances (production builds are not affected) and was patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Another bug CISA marked as exploited is CVE-2025-34026, a critical-severity authentication bypass in the Versa Concerto SD-WAN orchestration platform disclosed in May 2025. It is caused by a Traefik reverse proxy misconfiguration that allows access to administrative endpoints, including the internal Actuator endpoint, exposing heap dumps and trace logs.
Affected products are Concerto 12.1.2 through 12.2.0, although additional versions may also be impacted.
Researchers at cybersecurity company ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa confirmed to BleepingComputer that it had fixed them on March 7, 2025.
CISA also lists CVE-2025-54313 as leveraged in attacks. The high-severity entry tracks the supply-chain compromise of eslint-config-prettier, a widely used package that resolves rule conflicts between the ESLint linter and the Prettier code formatter.
In July 2025, attackers hijacked several popular JavaScript packages, eslint-config-prettier among them, and published versions to npm that carried malicious code.
Installing an affected version (8.10.1, 9.1.1, 10.1.6, or 10.1.7) ran a malicious install.js script that, on Windows, launched a node-gyp.dll payload to steal npm authentication tokens. Because the compromise lives in specific published versions rather than in a range, a lockfile that pins any of those exact versions pulls the payload just as a loose range would, so lockfiles and CI caches need checking, not only package.json.
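The Vite dev-server bug and the trojanized eslint-config-prettier releases are both things a lockfile scan can catch before anything is installed. The following is an added example, not code from the article or from the Vite or Prettier projects: it walks an npm package-lock.json (lockfileVersion 2 or 3 is assumed), reports Vite versions below the fixed releases listed above, the four exact eslint-config-prettier versions, and any entry that npm has flagged as declaring an install script. The sample lockfile is constructed, and the assumption that release lines newer than the patched ones carry the fix is marked in the code.

```javascript
// Added example, not from the article or from the Vite/Prettier projects:
// triage an npm package-lock.json for the two npm-ecosystem KEV entries.
//   - vite below the fixed releases for CVE-2025-31125
//     (fixed: 6.2.4, 6.1.3, 6.0.13, 5.4.16, 4.5.11)
//   - the four trojanized eslint-config-prettier releases (CVE-2025-54313)
//   - any entry flagged hasInstallScript, since that payload ran from an
//     install script (npm records the flag in lockfileVersion 2 and 3)
// Assumes lockfileVersion 2 or 3 (a "packages" map keyed by node_modules
// path). SAMPLE_LOCK below is constructed for illustration.

const VITE_FIXED = { '6.2': 4, '6.1': 3, '6.0': 13, '5.4': 16, '4.5': 11 };
const NEWEST_PATCHED_MINOR = { 6: 2, 5: 4, 4: 5 };
const BAD_PRETTIER = new Set(['8.10.1', '9.1.1', '10.1.6', '10.1.7']);
const NM = 'node_modules/';

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Returns 'vulnerable', 'fixed' or 'unlisted' for a vite version string.
function viteStatus(version) {
  const s = parseSemver(version);
  if (!s) return 'unlisted';
  const line = `${s.major}.${s.minor}`;
  if (line in VITE_FIXED) return s.patch < VITE_FIXED[line] ? 'vulnerable' : 'fixed';
  // Assumption: release lines newer than the last patched line on the same
  // major (6.3+, 7.x, ...) shipped after the fix and carry it. Older lines
  // that the advisory does not list are reported as 'unlisted', not as safe.
  if (s.major > 6) return 'fixed';
  if (s.major in NEWEST_PATCHED_MINOR && s.minor > NEWEST_PATCHED_MINOR[s.major]) return 'fixed';
  return 'unlisted';
}

function triageLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = path.slice(path.lastIndexOf(NM) + NM.length); // handles nested node_modules
    const version = entry.version || '';
    if (name === 'vite' && viteStatus(version) !== 'fixed') {
      findings.push({ path, name, version, issue: `CVE-2025-31125: vite ${version} is ${viteStatus(version)}` });
    }
    if (name === 'eslint-config-prettier' && BAD_PRETTIER.has(version)) {
      findings.push({ path, name, version, issue: 'CVE-2025-54313: trojanized release' });
    }
    if (entry.hasInstallScript) {
      findings.push({ path, name, version, issue: 'declares an install script; review before trusting' });
    }
  }
  return findings;
}

// Reads a real lockfile from disk (call this instead of using SAMPLE_LOCK).
function loadLockfile(file) {
  return JSON.parse(require('fs').readFileSync(file, 'utf8'));
}

// Constructed sample lockfile (lockfileVersion 3 shape).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vite': { version: '6.2.3' },
    'node_modules/eslint-config-prettier': { version: '10.1.6' },
    'node_modules/some-native-lib': { version: '2.0.0', hasInstallScript: true },
    'node_modules/legacy-tool/node_modules/vite': { version: '5.4.16' },
    'node_modules/eslint': { version: '9.20.0' },
  },
};

for (const f of triageLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.issue}`);
}
```

Against the constructed sample this reports the top-level vite 6.2.3 as vulnerable, the eslint-config-prettier 10.1.6 entry as trojanized, and some-native-lib for its install script; the nested vite 5.4.16 is on a fixed release and is not reported. To run it on a real project, replace SAMPLE_LOCK with `loadLockfile('package-lock.json')`.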
CISA also warned of CVE-2025-68645 being exploited. The vulnerability was disclosed on December 22, 2025, and is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1.
The bug is caused by improper handling of user-supplied parameters in the RestFilter servlet. An unauthenticated attacker can exploit the /h/rest endpoint to include arbitrary files from the WebRoot directory.
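Both server-side bugs in this batch, the Zimbra /h/rest file inclusion and the Versa Concerto Actuator exposure, leave traces in ordinary web-server access logs. The following is an added example, not code from the article, Zimbra or Versa: a triage pass over NCSA combined-format log lines that flags every hit on /h/rest (escalated when the path or query carries a traversal sequence) and every request for an /actuator path (escalated when it comes from outside the internal ranges). The traversal check is a generic LFI heuristic, not the real exploit pattern, which the article does not give; the RFC 1918/loopback test for "internal" and the Actuator endpoint names are assumptions for the example; the log lines are constructed.

```javascript
// Added example, not from the article, Zimbra or Versa: triage web-server
// access logs for the two server-side KEV entries.
//   - Zimbra CVE-2025-68645: any hit on /h/rest is worth a look; a hit whose
//     path or query contains a traversal sequence is escalated. Generic LFI
//     heuristic; the article does not give the exploit parameters.
//   - Versa Concerto CVE-2025-34026: Actuator endpoints were reachable through
//     the reverse proxy, so any /actuator request from outside the internal
//     ranges is escalated. The internal-range test (RFC 1918 plus loopback)
//     and the endpoint names in the sample are assumptions for this example.
// Input is NCSA combined log format; SAMPLE_LOG below is constructed.

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], target: m[4], status: +m[5] };
}

// Decode twice so that double-encoded sequences (%252e%252e) also surface.
function decodeTwice(s) {
  let out = s;
  for (let i = 0; i < 2; i++) {
    try { out = decodeURIComponent(out); } catch (e) { break; } // malformed escape: keep what we have
  }
  return out;
}

const TRAVERSAL_RE = /\.\.[\/\\]/;

// Assumption: RFC 1918 and loopback sources count as the management side.
function isInternal(ip) {
  return /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(ip);
}

function classify(req) {
  const path = req.target.split('?')[0];
  const decoded = decodeTwice(req.target);
  if (path.startsWith('/h/rest')) {
    return TRAVERSAL_RE.test(decoded)
      ? { rule: 'zimbra-rest-traversal', severity: 'high' }
      : { rule: 'zimbra-rest-access', severity: 'review' };
  }
  if (path.startsWith('/actuator')) {
    return isInternal(req.ip)
      ? { rule: 'actuator-internal', severity: 'review' }
      : { rule: 'actuator-external', severity: 'high' };
  }
  return null;
}

function triageAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue; // not a combined-format line
    const hit = classify(req);
    if (hit) findings.push({ ...hit, ip: req.ip, ts: req.ts, target: req.target, status: req.status });
  }
  return findings;
}

// Reads a real access log from disk (call this instead of using SAMPLE_LOG).
function loadAccessLog(file) {
  return require('fs').readFileSync(file, 'utf8').split('\n');
}

// Constructed sample lines; paths and parameters are illustrative only.
const SAMPLE_LOG = [
  '203.0.113.7 - - [23/Jan/2026:10:02:11 +0000] "GET /h/rest/Inbox HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [23/Jan/2026:10:02:13 +0000] "GET /h/rest/x?p=%2e%2e%2f%2e%2e%2fsecret HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
  '198.51.100.9 - - [23/Jan/2026:10:05:41 +0000] "GET /actuator/heapdump HTTP/1.1" 200 83886080 "-" "python-requests/2.32"',
  '10.0.0.5 - - [23/Jan/2026:10:06:00 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.29"',
  '192.0.2.44 - - [23/Jan/2026:10:07:00 +0000] "GET /zimbra/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
  'not a log line',
];

for (const f of triageAccessLog(SAMPLE_LOG)) {
  console.log(`[${f.severity}] ${f.rule} ${f.ip} ${f.target} -> ${f.status}`);
}
```

On the constructed sample the two escalated findings are the encoded-traversal request to /h/rest and the heap dump fetched from a public address; the plain /h/rest hit and the internal health probe are listed for review, and the /zimbra/ page view is ignored. A 200 status on an escalated line is the detail to chase first, since it means the server actually returned something. To run on a real file, replace SAMPLE_LOG with `loadAccessLog('/var/log/nginx/access.log')`.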
CISA now requires all federal agencies bound by the BOD 22-01 directive to apply available security updates or vendor-suggested mitigations, or to stop using the products by February 12, 2026.
The agency has not shared any details about the exploitation activity, and the status of the flaws’ use in ransomware attacks was marked as ‘unknown.’


Actively Exploited
CISA
KEV
Known Exploited Vulnerability Catalog
Versa Concerto
Vite
Vulnerability
Zimbra Collaboration

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


CISA has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming that threat actors are leveraging them in the wild. The affected software spans the Versa Concerto SD-WAN orchestration platform, the Vite frontend tooling framework, the eslint-config-prettier npm package used alongside the Prettier code formatter, and Zimbra Collaboration Suite. Severity ranges from high to critical.

CVE-2025-31125 is a previously disclosed improper access control flaw in the Vite dev server that allowed attackers to read files outside the allowed set when the server was exposed to the network. It affects only exposed development instances and was patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.

CVE-2025-34026 is a critical authentication bypass in the Versa Concerto orchestration platform. A misconfiguration of the Traefik reverse proxy granted unauthenticated access to administrative endpoints, including the internal Actuator endpoint, which exposed heap dumps and trace logs. Affected products are Concerto 12.1.2 through 12.2.0, though additional versions may also be impacted. ProjectDiscovery researchers reported the issues to Versa on February 13, 2025, and Versa confirmed the fixes on March 7, 2025.

CVE-2025-54313 tracks the supply-chain compromise of eslint-config-prettier, a package that resolves conflicts between the ESLint linter and the Prettier code formatter. In July 2025, attackers hijacked several popular JavaScript packages and published trojanized versions to npm. Installing an affected version (8.10.1, 9.1.1, 10.1.6, or 10.1.7) executed a malicious install.js script that launched the node-gyp.dll payload on Windows to steal npm authentication tokens.

Finally, CISA highlighted CVE-2025-68645, a local file inclusion vulnerability within the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1. This vulnerability, caused by improper handling of user-supplied parameters in the RestFilter servlet, allowed unauthenticated attackers to include arbitrary files from the WebRoot directory. Specifically, the /h/rest endpoint could be exploited to access these files.

Because exploitation is confirmed, CISA requires all federal agencies bound by the BOD 22-01 directive to apply available security updates or vendor-suggested mitigations, or to stop using the affected products, by February 12, 2026. The agency has not disclosed details of the exploitation activity, and the ransomware-use field for each entry is marked 'unknown'. Organizations outside the federal mandate that run any of these products should treat the KEV listing as a signal to remediate on the same timeline.