The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with four dangerous new entries, signaling that hackers are actively weaponizing flaws in widely used developer tools and enterprise platforms. This latest batch of vulnerabilities spans the spectrum from supply chain compromises to authentication bypasses.
Topping the list in severity is a critical authentication bypass in Versa Concerto (CVE-2025-34026), a popular SD-WAN orchestration platform. With a CVSS score of 9.2, this vulnerability allows attackers to completely bypass login screens due to a misconfiguration in the Traefik reverse proxy.
Once past the gates, attackers gain access to sensitive administrative endpoints. “The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs,” effectively handing over the keys to the kingdom. The flaw affects versions 12.1.2 through 12.2.0.
CISA has flagged a malicious code injection (CVE-2025-54313) in eslint-config-prettier, a tool used by millions of developers to format code. Specific versions (8.10.1, 9.1.1, 10.1.6, and 10.1.7) were found to contain embedded malware.
The attack is deceptively simple: “Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows”. This turns a routine developer task—installing a package—into a system compromise.
Email infrastructure remains a prime target. A high-severity Local File Inclusion (LFI) vulnerability (CVE-2025-68645) has been found in the Synacor Zimbra Collaboration Suite (ZCS). Affecting versions 10.0 and 10.1, the flaw lies in the Webmail Classic UI.
“An unauthenticated remote attacker can craft requests… allowing inclusion of arbitrary files from the WebRoot directory,” reads the CVE record. Rated with a CVSS score of 8.8, this flaw gives attackers a window to manipulate internal requests without ever logging in.
Rounding out the list is an improper access control vulnerability (CVE-2025-31125) in Vite, a frontend build tool. While carrying a lower CVSS score of 5.3, it poses a specific risk to development environments exposed to the network.
The flaw allows the “contents of arbitrary files” to be returned to the browser if the dev server is configured to be accessible externally. Attackers can exploit this using manipulated URL parameters like ?raw&import to read files they should not see.
Federal agencies have been given a strict deadline of February 12, 2026, to patch these systems, but private organizations are urged to act immediately.