CISA KEV Alert: 5 Critical Vulnerabilities Added to Catalog

---

As a cybersecurity analyst tracking threat intelligence, In a rapid-fire update, CISA added four flaws on January 22 and one on January 23, 2026, confirming active exploitation across dev tools, SD-WAN, email servers, and VMware virtualization.These span supply-chain attacks to remote code execution (RCE), underscoring 2026’s aggressive threat landscape. Federal deadline: Feb 12-13 via BOD 22-01.

January 22 Additions: Dev, Network, and Email Chaos

CISA flagged these for in-the-wild abuse, hitting diverse attack surfaces.

CVE-2025-54313: Prettier eslint-config-prettier (Critical)

• Details: Embedded malicious code in npm package executes on install, deploying install.js that drops node-gyp.dll malware on Windows. Supply-chain nightmare for CI/CD pipelines.
• Impact: Dev env compromise, lateral movement to build servers.
• Patch: Update package; scan deps with tools like Snyk.
• CVSS/Due: Critical / Feb 12, 2026.

CVE-2025-31125: Vitejs/Vite (High)

• Details: Improper access control via query params (?inline&import, ?raw?import) leaks non-allowed files on exposed dev servers.
• Impact: Source code exfil, secrets exposure.
• Patch: Restrict dev server exposure; update Vite.
• CVSS/Due: High / Feb 12.

CVE-2025-34026: Versa Concerto SD-WAN (Critical)

• Details: Traefik reverse proxy auth bypass exposes admin access, heap dumps, and trace logs.
• Impact: Network takeover, data theft.
• Patch: Vendor fix; segment proxies.
• CVSS/Due: Critical / Feb 12.

CVE-2025-68645: Synacor Zimbra Collaboration Suite (Critical)

• Details: PHP remote file inclusion at /h/rest endpoint; attackers manipulate dispatching to include arbitrary WebRoot files.
• Impact: Server RCE, persistent access in email infra.
• Patch: Apply Synacor update; harden PHP.
• CVSS/Due: Critical / Feb 12.

January 23 Addition: VMware vCenter RCE Resurfaces

CVE-2024-37079: Broadcom VMware vCenter Server (CVSS 9.8, Critical)

• Details: Heap buffer overflow in DCERPC protocol handling. Network-accessible crafted packets trigger out-of-bounds writes, enabling RCE. Patched June 18, 2024 (VMSA-2024-0012), but exploitation evidence emerged recently—likely ransomware or APTs with prior footholds.
• Impact: Full vCenter compromise, VM escapes, env domination. Mirrors CVE-2023-34048 (China-nexus abuse).
• Patch: Deploy VMSA-2024-0012; never expose vCenter publicly—use VPN/Jumps.
• Due: Feb 13, 2026.

Threat Intel & Trends

Ransomware favors these (e.g., vCenter for persistence); state actors hit VMware DCERPC repeatedly. Dev supply-chain (Prettier/Vite) echoes SolarWinds—scan npm deps ruthlessly. No public PoCs for most, but wild exploits confirm chains exist.

Actionable Remediation for Teams

1. Inventory: Qualys/Nessus scan for affected versions.
2. Patch Order: VMware/Zimbra first (RCE), then dev tools.
3. Mitigations: Firewall dev servers; MFA proxies; offline backups.
4. Monitor: SIEM for DCERPC anomalies, npm install logs.
5. Verify: Post-patch vuln scans; test in staging.