CISA KEV Alert: 5 Critical Vulnerabilities Added to Catalog

Writing as a cybersecurity analyst tracking threat intelligence: in a rapid-fire update, CISA added four flaws to its Known Exploited Vulnerabilities (KEV) catalog on January 22 and one on January 23, 2026, confirming active exploitation across dev tools, SD-WAN, email servers, and VMware virtualization. These range from supply-chain attacks to remote code execution (RCE), underscoring 2026's aggressive threat landscape. Federal deadline: Feb 12-13, 2026 under BOD 22-01.

January 22 Additions: Dev, Network, and Email Chaos

CISA flagged these for in-the-wild abuse, hitting diverse attack surfaces.

CVE-2025-54313: Prettier eslint-config-prettier (Critical)

  • Details: Embedded malicious code in npm package executes on install, deploying install.js that drops node-gyp.dll malware on Windows. Supply-chain nightmare for CI/CD pipelines.
  • Impact: Dev env compromise, lateral movement to build servers.
  • Patch: Update package; scan deps with tools like Snyk.
  • CVSS/Due: Critical / Feb 12, 2026.
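The install-time execution described above is what makes this entry dangerous: npm runs preinstall/install/postinstall hooks automatically. The following Python auditor is an added example (not code from the original post, CISA, or the Prettier project): it walks a node_modules tree, lists every package that declares an install-phase hook, and flags the artifact names given in the entry (install.js, node-gyp.dll). The sample tree it builds is constructed for the demo; the "clean" package name and the version string are placeholders.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle hooks npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Artifact names from the CISA entry for CVE-2025-54313.
SUSPICIOUS_FILES = {"install.js", "node-gyp.dll"}


def audit_node_modules(root):
    """Walk a node_modules tree and report packages that run code at install time.

    Returns a list of dicts: package name, install hooks declared, and which of the
    suspicious artifact names are present in the package directory.
    """
    findings = []
    for pkg_json in Path(root).rglob("package.json"):
        pkg_dir = pkg_json.parent
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue  # unreadable or non-JSON file: skip rather than crash the audit
        scripts = meta.get("scripts") or {}
        hooks = [h for h in INSTALL_HOOKS if h in scripts]
        present = sorted(f for f in SUSPICIOUS_FILES if (pkg_dir / f).exists())
        if hooks or present:
            findings.append({
                "name": meta.get("name", pkg_dir.name),
                "hooks": hooks,
                "files": present,
                "path": str(pkg_dir),
            })
    return findings


def build_sample_tree():
    """Constructed node_modules tree: one clean package plus one mimicking the reported pattern."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    clean = root / "left-pad-like"  # hypothetical clean package name
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({
        "name": "left-pad-like", "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }))
    bad = root / "eslint-config-prettier"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "name": "eslint-config-prettier", "version": "0.0.0-constructed",
        "scripts": {"postinstall": "node install.js"},
    }))
    # Placeholder files carrying only the names from the advisory, not any real payload.
    (bad / "install.js").write_text("// constructed placeholder\n")
    (bad / "node-gyp.dll").write_bytes(b"constructed placeholder")
    return root


if __name__ == "__main__":
    for finding in audit_node_modules(build_sample_tree()):
        print(finding)
```

Run it against a real checkout with `audit_node_modules("path/to/node_modules")`; in a CI pipeline, any package appearing with install hooks that is not on an allow-list is worth a manual look, and `npm ci --ignore-scripts` keeps hooks from running until that review is done.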

CVE-2025-31125: Vitejs/Vite (High)

  • Details: Improper access control via query params (?inline&import, ?raw?import) leaks non-allowed files on exposed dev servers.
  • Impact: Source code exfil, secrets exposure.
  • Patch: Restrict dev server exposure; update Vite.
  • CVSS/Due: High / Feb 12.
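Because the leak is driven by the two query-string forms named in the entry, access logs from an exposed Vite dev server are the natural place to look for it. The scanner below is an added example, not code from the original post or the Vite project: it parses combined-format access log lines, flags requests carrying those query forms, and records whether the file was served (HTTP 200) and whether the client came from outside loopback/RFC 1918 space, which is the exposure the "Patch" bullet warns about. The log lines are constructed for the demo.

```python
import ipaddress
import re

# Combined/common log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Query-string forms named in the CISA entry for CVE-2025-31125.
LEAK_PATTERNS = ("?raw?import", "?inline&import")

# Address ranges a dev server is expected to serve; anything else counts as external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7",
)]


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "target": m["target"], "status": int(m["status"])}


def is_external(ip):
    """True when the client address is outside the loopback/private ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable address: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def scan_access_log(lines):
    """Return one finding per request using the CVE-2025-31125 query forms."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        if any(p in target for p in LEAK_PATTERNS):
            findings.append({
                "ip": rec["ip"],
                "path": target.split("?", 1)[0],
                "served": rec["status"] == 200,
                "external": is_external(rec["ip"]),
            })
    return findings


# Constructed sample lines (not from a real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jan/2026:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
    '10.0.0.5 - - [22/Jan/2026:10:00:02 +0000] "GET /src/App.vue?import HTTP/1.1" 200 1024',
    '203.0.113.7 - - [22/Jan/2026:10:00:05 +0000] "GET /.env?raw?import HTTP/1.1" 200 88',
    '203.0.113.7 - - [22/Jan/2026:10:00:06 +0000] "GET /package.json?inline&import HTTP/1.1" 200 310',
    '127.0.0.1 - - [22/Jan/2026:10:00:09 +0000] "GET /vite.config.ts?raw?import HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A finding with `served` and `external` both true is the case to treat as a confirmed leak; the third sample shows what a patched server returning 403 looks like by contrast. Ordinary `?import` requests from the Vite client do not match and are left alone.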

CVE-2025-34026: Versa Concerto SD-WAN (Critical)

  • Details: Traefik reverse proxy auth bypass exposes admin access, heap dumps, and trace logs.
  • Impact: Network takeover, data theft.
  • Patch: Vendor fix; segment proxies.
  • CVSS/Due: Critical / Feb 12.

CVE-2025-68645: Synacor Zimbra Collaboration Suite (Critical)

  • Details: PHP remote file inclusion at /h/rest endpoint; attackers manipulate dispatching to include arbitrary WebRoot files.
  • Impact: Server RCE, persistent access in email infra.
  • Patch: Apply Synacor update; harden PHP.
  • CVSS/Due: Critical / Feb 12.

January 23 Addition: VMware vCenter RCE Resurfaces

CVE-2024-37079: Broadcom VMware vCenter Server (CVSS 9.8, Critical)

  • Details: Heap buffer overflow in DCERPC protocol handling. Network-accessible crafted packets trigger out-of-bounds writes, enabling RCE. Patched June 18, 2024 (VMSA-2024-0012), but exploitation evidence emerged recently—likely ransomware or APTs with prior footholds.
  • Impact: Full vCenter compromise, VM escapes, env domination. Mirrors CVE-2023-34048 (China-nexus abuse).
  • Patch: Deploy VMSA-2024-0012; never expose vCenter publicly; reach it only via VPN or jump hosts.
  • Due: Feb 13, 2026.

Threat Intel & Trends

Ransomware crews favor these (e.g., vCenter for persistence); state actors hit VMware DCERPC repeatedly. The dev supply-chain entries (Prettier/Vite) echo SolarWinds, so scan npm deps ruthlessly. No public PoCs exist for most, but in-the-wild exploitation confirms working chains exist.

Actionable Remediation for Teams

  1. Inventory: Qualys/Nessus scan for affected versions.
  2. Patch Order: VMware/Zimbra first (RCE), then dev tools.
  3. Mitigations: Firewall dev servers; MFA proxies; offline backups.
  4. Monitor: SIEM for DCERPC anomalies, npm install logs.
  5. Verify: Post-patch vuln scans; test in staging.
