The US agency CISA has added four security flaws to its Known Exploited Vulnerabilities (KEV) catalogue, which amounts to an urgent warning: there is evidence that attackers are already exploiting them in real environments. The vulnerabilities affect very different parts of the software ecosystem, from web development tools to enterprise platforms and JavaScript supply-chain packages.
When CISA adds a flaw to the KEV, it recommends that organizations act immediately. US federal agencies, which are subject to Binding Operational Directive BOD 22-01, are required to apply patches or mitigations, or stop using the affected products, before 12 February 2026; other organisations should treat the same deadline as their threshold for caution. More information on the directive is available on the CISA website in its BOD 22-01 section: https://www.cisa.gov/binding-operational-directive-2201.

The first relevant case is an access-control flaw in the Vite front-end tool, registered as CVE-2025-31125. This vulnerability, first reported in March of last year, allows an attacker to read files that should be off limits when a development instance is exposed to a public network. In practice, the most common risk arises when development servers are published without appropriate restrictions; patches are available in specific versions (e.g., 6.2.4, 6.1.3, 6.0.13, 5.4.16 and 4.5.11), so it is important to update affected installations or to ensure that they are not reachable from the Internet.
The second case stands out for the type of impact: CVE-2025-34026 is a critical authentication-bypass vulnerability in Versa Concerto's SD-WAN orchestration platform. The problem stems from a misconfiguration of the reverse proxy (Traefik) that leaves internal administrative endpoints, including the Actuator interface, reachable, and thus exposes memory dumps and trace logs. Although CISA identified Concerto versions 12.1.2 to 12.2.0 as affected, it is prudent to review other branches of the product. External researchers (including ProjectDiscovery) reported the flaws to the vendor and Versa published fixes; further details are available from ProjectDiscovery and from specialized outlets such as BleepingComputer, which covered the disclosure process and the vendor's response.
The third problem fits a pattern that revives a familiar fear of modern organizations: supply-chain compromise. The entry CVE-2025-54313 relates to the package eslint-config-prettier, used to resolve conflicts between ESLint and Prettier. In July of last year several popular JavaScript community packages were hijacked on npm and malicious versions were published that included an installation script, install.js, capable of running a Windows binary (node-gyp.dll) designed to steal npm authentication tokens. The compromised versions identified include 8.10.1, 9.1.1, 10.1.6 and 10.1.7. The message here is clear: any third-party dependency that is installed automatically can become a vector for credential theft or code execution.
Finally, CISA points to exploitation of a local file inclusion vulnerability in Zimbra's Classic Webmail interface, tracked as CVE-2025-68645. The flaw stems from improper parameter handling in the RestFilter servlet; an unauthenticated attacker can invoke the /h/rest endpoint to load arbitrary files from the WebRoot directory, which can reveal sensitive data or enable further stages of an attack. It affects Zimbra 10.0 and 10.1, and as in the other cases the immediate recommendation is to apply the vendor's updates or put mitigations in place until the patch is installed.
In all cases, the CISA notice gives no technical details about exactly how attackers are exploiting the flaws and does not say whether they have been used in ransomware campaigns; that status was marked as "unknown." That does not mean the danger is remote; rather, the agency prefers not to publish operational information that could facilitate further abuse. For security teams, caution dictates assuming the risk is real and acting quickly.
What can and should technical teams do now? The first step is to apply the official fixes or the mitigations recommended by the vendors as soon as possible. In development environments, verify that Vite servers are not exposed to the public; development instances should run on internal networks or behind secure tunnels. For orchestration platforms and services published through reverse proxies, review the routing rules and make sure that internal administrative routes and endpoints (such as Actuator) are unreachable from untrusted networks; Traefik and other proxies allow access rules and headers to be defined that restrict unauthorized traffic. Given a possible compromise stemming from malicious npm packages, it is essential to rotate authentication tokens, purge credentials stored in build and CI/CD environments, reinstall dependencies from trusted sources and consider using private registries or package signatures.

It is also advisable to adopt medium-term preventive measures: generate and maintain an SBOM (software bill of materials), use software composition analysis tools that detect compromised versions, use lockfiles and policies that prevent automatic upgrades to unreviewed versions, audit proxy and firewall configurations, and limit access to administrative interfaces to management networks. Monitoring is key: look for indicators such as unexpected node.exe executions, memory dumps created at unusual times, requests to administrative endpoints from external IPs, or attempts to access WebRoot files.
For organisations governed by BOD 22-01 the timetable is non-negotiable: fixes or mitigations must be applied before the deadline set by CISA. For everyone else, the practical recommendation is not to delay: update, review configurations, and audit tokens and secrets. If there is doubt about actual exposure, temporarily disabling exposed services while the extent of the risk is assessed can avert major incidents.
In short, these four KEV entries are a reminder that modern security is multidimensional work: the same ecosystem brings together risks in development software, network infrastructure and the supply chain. Acting quickly and with clear procedures shrinks the attackers' window of opportunity and limits the potential damage.