On 22 January 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue. The inclusion is not merely informative: it means there is evidence of exploitation in the wild and that organizations should prioritize remediation. When CISA marks a vulnerability as exploited, it is flagging an immediate risk to networks and applications.
The first entry concerns Synacor Zimbra Collaboration Suite and is tracked as CVE-2025-68645, a file inclusion flaw that lets an unauthenticated attacker craft requests to the /h/rest endpoint and read arbitrary files from the webroot directory. In practice, if the fix is not applied, this can expose sensitive data on mail and collaboration servers or open the way to code execution. Synacor corrected the flaw in November 2025 with the release of Zimbra 10.1.13, and CISA indicates that exploitation is already under way, based on threat-actor analysis and telemetry.

Another serious entry is CVE-2025-34026, an authentication bypass in Versa Concerto, the orchestration platform for Versa's SD-WAN. An attacker who exploits it can reach administrative endpoints without valid credentials, which facilitates lateral movement, configuration changes or deployment of malicious code. Versa shipped fixes in April 2025 with version 12.2.1 GA; SD-WAN operators should confirm they are running a fixed build and review any administrative interface exposed to the network. A technical analysis of the flaw was published on the ProjectDiscovery blog.
The front-end ecosystem was not spared either. Vite, the build tool behind many modern web applications, fixed an access-control flaw in March 2025 (CVE-2025-31125) that could return the contents of arbitrary files to the browser when query strings such as ?inline&import or ?raw?import were appended to a request. The issue affects the Vite development server when it is exposed to the network (for example with --host or the server.host option), so a dev server reachable from other machines is the at-risk configuration. Although the CVSS score is moderate, exposure of internal files can reveal secrets or enable data exfiltration. The fixes are in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16 and 4.5.11; development and DevOps teams should update the package and review continuous-integration pipelines to eliminate vulnerable dependencies.
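As an added illustration, not Vite's code nor the page's own, the following JavaScript models the class of bug described above: a deny rule evaluated against the raw request string instead of the file the request actually resolves to, so that appending a query such as ?raw?import slips past it. The project root, the deny suffixes and the request strings are assumptions made for the example; Vite's real defaults and internals differ in detail.

```javascript
// Added example, not Vite's code: a simplified model of the bug class behind
// CVE-2025-31125. A dev server decides whether a requested file may be sent
// to the browser. The weak gate judges the raw request string; the hardened
// gate strips the query, decodes the path, resolves it against the project
// root and only then applies the deny-list. ROOT and DENY_SUFFIXES are
// assumptions for the example; Vite's real defaults differ in detail.

const ROOT = "/srv/app";                        // assumed project root
const DENY_SUFFIXES = [".env", ".pem", ".key"]; // assumed server.fs.deny-style rules

// Weak gate: a query such as "?raw?import" means "/.env?raw?import" no
// longer ends with ".env", so the deny rule never fires and the file is served.
function weakIsAllowed(requestUrl) {
  return !DENY_SUFFIXES.some((suffix) => requestUrl.endsWith(suffix));
}

// Resolve the file a request would actually touch. Returns null when the
// path is malformed or escapes ROOT, so callers treat null as "deny".
function resolveRequestedFile(requestUrl) {
  const pathname = requestUrl.split("?")[0];   // drop the query, whatever it contains
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);    // "%2e%2e" -> ".."
  } catch {
    return null;                               // malformed percent-encoding
  }
  const segments = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (segments.length === 0) return null;  // would climb above ROOT
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return ROOT + "/" + segments.join("/");
}

// Hardened gate: apply the deny-list to the resolved file, not the raw URL.
function hardenedIsAllowed(requestUrl) {
  const file = resolveRequestedFile(requestUrl);
  if (file === null) return false;
  return !DENY_SUFFIXES.some((suffix) => file.endsWith(suffix));
}
```

The point of the hardened gate is ordering: normalization (query removal, percent-decoding, dot-segment collapsing, root containment) happens before any policy is evaluated, so every later check sees the same file the filesystem will see.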
Perhaps the case that best illustrates the threat to the software supply chain is CVE-2025-54313, tied to a campaign against several npm packages, including eslint-config-prettier. The attackers phished the maintainers with emails that imitated routine administrative notices (in reality links to credential-harvesting pages) and then published trojanized versions carrying a malicious loader dubbed "Scavenger Loader", designed to deploy a stealthy info-stealer. The incident, made public in July 2025, is a reminder that the supply chain is a critical vector: not only the code we write, but who publishes it and how maintainer accounts are protected, matters as much as the dependencies themselves.
In the case of CVE-2025-68645, intelligence reports and detection networks such as CrowdSec show exploitation activity since mid-January 2026, which confirms that the threat is not theoretical. For the other vulnerabilities, CISA has indicated evidence of exploitation, although technical details of each campaign have not always been published. The lack of public detail does not reduce the urgency: when the federal agency adds a flaw to its KEV catalogue, it is because it has established a proven risk to critical infrastructure and government services.
Regulatory obligations tighten the timetable: under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities within fixed deadlines. For these four entries the due date was 12 February 2026, which puts added pressure on security and operations teams to prioritize inventory, testing and deployment of updates without compromising service continuity.
For organizations outside the federal government, the practical recommendation is the same: assume exploitation is real and prioritize action. Updating to fixed versions, auditing network exposure, rotating credentials tied to package repositories and monitoring access logs are the essential steps. In particular, maintainers and teams that depend on npm packages should harden their accounts (multi-factor authentication, access reviews and alerts on suspicious activity) and apply integrity-verification controls in automated pipelines, for example installing from a committed lockfile rather than resolving the latest published version at build time, and reviewing any dependency that runs an install script before a build agent executes it.
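Two of the controls above, checking that Vite is on a fixed release and spotting dependencies that run install scripts, can be scripted against the project's package-lock.json. The following JavaScript is an added example, not code from the page, from npm or from any project mentioned; the lockfile it scans is constructed for the example, the fixed-version thresholds are the ones the article lists, and treating Vite release lines older than 4.x as unpatched is an assumption.

```javascript
// Added example (not the page's, npm's or any project's code): audit a
// package-lock.json (lockfile v2/v3) for two things the article recommends.
// 1. A Vite version below the fixed releases listed for CVE-2025-31125
//    (6.2.4, 6.1.3, 6.0.13, 5.4.16, 4.5.11).
// 2. Packages that npm recorded as carrying an install lifecycle script
//    ("hasInstallScript": true): that is the hook a trojanized release uses to
//    run code at install time, so each such package deserves review.

function parseSemver(v) {
  // Pre-release/build suffixes are ignored: "6.2.4-beta.1" counts as 6.2.4 (simplification).
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error("not a semver: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

const FIXED_VITE = ["6.2.4", "6.1.3", "6.0.13", "5.4.16", "4.5.11"].map(parseSemver);

// True when `version` sits below the fix for its own release line.
function isVulnerableVite(version) {
  const v = parseSemver(version);
  const sameMinor = FIXED_VITE.filter((f) => f[0] === v[0] && f[1] === v[1]);
  const sameMajor = FIXED_VITE.filter((f) => f[0] === v[0]);
  const candidates = sameMinor.length ? sameMinor : sameMajor;
  if (candidates.length === 0) {
    // No fix listed for this major: lines older than 4.x are treated as
    // unpatched (assumption); lines newer than 6.x postdate the fix.
    return v[0] < 4;
  }
  const floor = candidates.reduce((a, b) => (cmp(a, b) < 0 ? a : b)); // lowest applicable fix
  return cmp(v, floor) < 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = { vulnerableVite: [], installScripts: [] };
  for (const [key, pkg] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry
    const name = packageName(key);
    if (name === "vite" && pkg.version && isVulnerableVite(pkg.version)) {
      findings.vulnerableVite.push({ path: key, version: pkg.version });
    }
    if (pkg.hasInstallScript === true) {
      findings.installScripts.push({ path: key, name, version: pkg.version });
    }
  }
  return findings;
}

// Constructed lockfile for the example: one vulnerable Vite at the top level,
// one fixed Vite nested under another package, one package with an install script.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/vite": { version: "6.2.3" },
    "node_modules/legacy-tool": { version: "2.0.0" },
    "node_modules/legacy-tool/node_modules/vite": { version: "5.4.16" },
    "node_modules/some-native-binding": { version: "3.1.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

In a pipeline this pairs naturally with `npm ci` (install exactly what the lockfile pins), `npm ci --ignore-scripts` where build agents must not execute lifecycle hooks, and `npm audit signatures` to verify registry signatures on the installed packages.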

Beyond patches and firewall rules, this episode carries a cultural lesson: security is no longer the responsibility of a single team; it is a cross-cutting practice that involves developers, operators, product managers and system administrators. Reviewing dependencies, their publishing chains and the accounts with permission to publish is as relevant as patching an exposed server.
If you operate systems running Zimbra, Versa Concerto or Vite, or depend on any of the npm packages involved, act quickly. Check each vendor's official fixes and security notes, assess your exposure and document every change. Transparency in the response and a post-incident audit will help reduce the impact and prevent the same flaw from reopening later.
For further reading, the CISA alert and the KEV catalogue are the official starting point, the CVE records give the details of each entry, and the vendors' advisories and independent analyses provide technical context and practical recommendations.