CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2025-31125 (Vite/Vitejs improper access control), CVE-2025-34026 (Versa Concerto improper authentication), CVE-2025-54313 (eslint-config-prettier embedded malicious code), and CVE-2025-68645 (Synacor Zimbra Collaboration Suite PHP remote file inclusion). Under Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by CISA’s specified due dates; CISA also urged all organizations to prioritize patching these KEV entries as part of routine vulnerability management.
Reporting on the update highlighted technical risk details for several of the newly listed items, including an authentication bypass in Versa Concerto (reported as affecting versions 12.1.2 through 12.2.0) tied to a Traefik reverse-proxy misconfiguration that could expose administrative endpoints (including an internal Actuator endpoint with access to heap dumps and trace logs). It also described the supply-chain impact of the eslint-config-prettier malicious code issue, where installing affected versions can execute an install.js that launches Windows malware, and noted the Zimbra webmail flaw enabling unauthenticated file inclusion from the web root in affected 10.0/10.1 versions. Separately, CISA also published an ICS advisory for EVMAPA EV-charging infrastructure vulnerabilities, but that advisory is not part of the KEV-additions event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA sets February 12 deadline for federal remediation
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate or mitigate the four newly listed KEV vulnerabilities, or discontinue use of affected products, by February 12, 2026. Private-sector organizations were also urged to patch immediately.
CISA adds four actively exploited flaws to KEV catalog
CISA added CVE-2025-31125 in Vite, CVE-2025-34026 in Versa Concerto, CVE-2025-54313 in eslint-config-prettier, and CVE-2025-68645 in Synacor Zimbra Collaboration Suite to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The agency said the vulnerabilities pose significant risk and urged organizations to prioritize remediation.
CrowdSec observes exploitation attempts against Zimbra flaw
CrowdSec reported exploitation attempts targeting Synacor Zimbra Collaboration Suite vulnerability CVE-2025-68645 beginning on January 14, 2026. The flaw affects the Webmail Classic UI and can allow unauthenticated file inclusion from the WebRoot directory.
npm supply-chain attack compromises eslint-config-prettier
A July 2025 npm supply-chain attack affected eslint-config-prettier and six other packages after maintainers were phished with credential-harvesting links. The compromise introduced embedded malicious code later tracked as CVE-2025-54313.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
CISA adds Vite, Prettier, Versa, and Zimbra vulnerabilities to KEV catalog | SC Media
scworld.com
Open sourceCISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities
thehackernews.com
Open sourceU.S. CISA adds Prettier eslint-config-prettier, Vite Vitejs, Versa Concerto SD-WAN orchestration platform and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Adds 4 Critical Flaws to "Must-Patch" List as Exploits Surge
securityonline.info
Open sourceCISA confirms active exploitation of four enterprise software bugs
bleepingcomputer.com
Open sourceCISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA
cisa.gov
Open sourceCISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.
Mar 21, 2026
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.
Mar 21, 2026
CISA KEV Updates and New Enrichment Tooling for Vulnerability Prioritization
CISA’s **Known Exploited Vulnerabilities (KEV)** program continues to be used as an operational prioritization mechanism for vulnerabilities with confirmed exploitation, but recent analysis cautions it is often misunderstood as a definitive list of the “worst” vulnerabilities. A paper by former CISA KEV section chief Tod Beardsley describes how enrichment signals (e.g., **CVSS**, **EPSS**, **SSVC**, public exploit availability in *Metasploit*/*Nuclei*, and **MITRE ATT&CK** mappings) can be combined to better triage KEV entries, and introduces *KEV Collider*, a free web app/dataset intended to help teams explore and validate enriched KEV data; one highlighted finding is that only **~32%** of KEV-listed vulnerabilities are “immediately exploitable for initial access.” CISA also added two vulnerabilities to the KEV catalog due to **active exploitation**: **CVE-2026-24423** (SmarterTools *SmarterMail*) and **CVE-2025-11953** (*React Native Community CLI*). CVE-2026-24423 is described as an unauthenticated **RCE** tied to a missing authentication check in the `ConnectToHub` API method in SmarterMail builds prior to **9511**, enabling command execution by coercing the server to connect to a malicious HTTP endpoint; build **9511** was released to remediate, and ransomware activity has reportedly targeted exposed instances. CVE-2025-11953 is described as unauthenticated OS command injection via the Metro dev server (notably when bound to external interfaces), with reporting of exploitation activity involving PowerShell-based loaders and defense evasion; U.S. federal agencies are directed under **BOD 22-01** to remediate by the stated KEV deadline, and other organizations are advised to patch/upgrade and reduce exposure (e.g., bind Metro to localhost) while monitoring for suspicious PowerShell and related post-exploitation behavior.
Mar 21, 2026