**U.S. CISA Adds Prettier eslint-config-prettier, Vite Vitejs, Versa Concerto SD-WAN Orchestration Platform, and Synacor Zimbra Collaboration Suite Flaws to its Known Exploited Vulnerabilities Catalog**
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken a significant step in enhancing the security posture of federal agencies and private organizations by adding four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The added vulnerabilities include Prettier eslint-config-prettier, Vite Vitejs, Versa Concerto SD-WAN orchestration platform, and Synacor Zimbra Collaboration Suite flaws.
The KEV catalog is a critical resource for federal agencies, as it provides an up-to-date list of known exploited vulnerabilities that require immediate attention. The addition of these four new vulnerabilities brings the total number of listed vulnerabilities to over 250, emphasizing the importance of regular security updates and patching.
**CVE-2025-31125: Vite Vulnerability**
The first vulnerability added to the KEV catalog is CVE-2025-31125, affecting the JavaScript frontend framework Vite. This issue allows attackers to read the contents of files outside the dev server's file-serving allow list via the `?inline&import` or `?raw?import` parameters in applications that expose the Vite dev server to the network using `--host` or `server.host`. The vulnerability affects versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
A patch is available for this issue in Vite version 7.8.14 and later. It is essential to update to the latest version to prevent potential attacks exploiting this vulnerability.
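The exposure described above hinges on how the dev server is bound. The following added example (not code from the Vite project or from CISA) puts an exposed configuration next to a hardened one and audits a config object for the two settings that matter here: `server.host` and `server.fs.strict`. `server.host`, `server.fs.strict` and `server.fs.deny` are real Vite options; the `auditDevServerConfig` helper, `devServerReachableFromNetwork`, and the finding strings are this example's own.

```javascript
// Added example, not from the Vite project: compare an exposed dev-server config
// with a hardened one and audit a config object before `vite` is started.

// Exposed: `host: true` listens on every interface, the same effect as `vite --host`.
const exposedConfig = {
  server: { host: true },
};

// Hardened: bind to loopback only and keep Vite's file-system guard strict.
// The deny list below mirrors Vite's documented defaults (stated here as an assumption).
const hardenedConfig = {
  server: {
    host: '127.0.0.1',
    fs: {
      strict: true,
      deny: ['.env', '.env.*', '*.{crt,pem}', '**/.git/**'],
    },
  },
};

const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

// True when the configured host makes the dev server reachable from other machines.
function devServerReachableFromNetwork(config) {
  const host = config.server?.host;
  if (host === undefined || host === null || host === false) return false; // Vite default: 'localhost'
  if (host === true) return true; // listen on all addresses
  return !LOOPBACK_HOSTS.has(String(host)); // e.g. '0.0.0.0' or '::' expose the server
}

// Returns a list of human-readable findings; an empty list means the config is clean.
function auditDevServerConfig(config) {
  const findings = [];
  if (devServerReachableFromNetwork(config)) {
    findings.push('server.host exposes the dev server to the network');
  }
  if (config.server?.fs?.strict === false) {
    findings.push('server.fs.strict is disabled; files outside server.fs.allow can be served');
  }
  return findings;
}

// Demonstration on the two configs above plus a deliberately weak one.
for (const [label, cfg] of [
  ['exposed', exposedConfig],
  ['hardened', hardenedConfig],
  ['weak', { server: { host: '0.0.0.0', fs: { strict: false } } }],
]) {
  console.log(label, auditDevServerConfig(cfg));
}
```

A config audit like this only sees `vite.config.js`; `vite --host` on the command line (for example in a `package.json` script) sets `host` to `true` regardless of the file, so check the scripts that start the dev server as well.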
**CVE-2025-34026: Versa Concerto SD-WAN Orchestration Platform Vulnerability**
The second added vulnerability, CVE-2025-34026, is an authentication bypass in the Versa Concerto SD-WAN orchestration platform. This issue occurs due to a Traefik reverse proxy misconfiguration, allowing attackers to access admin endpoints, heap dumps, and trace logs in versions 12.1.2–12.2.0.
A patch is available for this vulnerability in version 13.0.0 and later of the Versa Concerto SD-WAN orchestration platform. It is crucial to update to the latest version to prevent unauthorized access to sensitive data.
**CVE-2025-54313: eslint-config-prettier Supply-Chain Compromise**
The third vulnerability added to the KEV catalog, CVE-2025-54313, is a supply-chain compromise affecting eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. The packages contain embedded malicious code that runs during installation, executing an `install.js` script that launches the node-gyp.dll malware on Windows systems, potentially allowing arbitrary code execution.
A patch is available for this issue in version 11.0.3 and later of eslint-config-prettier. It is essential to update to the latest version to prevent potential attacks exploiting this vulnerability.
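Because the compromised versions execute code at install time, the practical check is whether any of the four versions named above appears anywhere in a project's dependency tree, including transitively. The following added example (not code from CISA or the eslint-config-prettier project) scans an npm lockfile for those versions. The lockfile layouts handled (`packages` map in lockfile v2/v3, nested `dependencies` in v1) are npm's real formats; the sample lockfiles are constructed for this example, and `findCompromised` and `COMPROMISED` are this example's own names.

```javascript
// Added example, not from CISA or the project: scan an npm lockfile for the
// eslint-config-prettier versions the advisory names as compromised.

const COMPROMISED = {
  'eslint-config-prettier': new Set(['8.10.1', '9.1.1', '10.1.6', '10.1.7']),
};

// Lockfile v1: nested "dependencies" tree, walked recursively.
function walkV1(deps, prefix, advisory, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    if (advisory[name]?.has(meta.version)) hits.push({ path, name, version: meta.version });
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/node_modules`, advisory, hits);
  }
}

// Returns every install location whose package/version pair is in the advisory.
function findCompromised(lock, advisory = COMPROMISED) {
  const hits = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b".
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (!installPath) continue; // "" is the root project itself
      const marker = 'node_modules/';
      const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
      if (advisory[name]?.has(meta.version)) hits.push({ path: installPath, name, version: meta.version });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, 'node_modules', advisory, hits);
  }
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { 'eslint-config-prettier': '^10.1.5' } },
    'node_modules/eslint-config-prettier': { version: '10.1.6', dev: true },
    'node_modules/prettier': { version: '3.3.3', dev: true },
    'node_modules/some-tool/node_modules/eslint-config-prettier': { version: '9.1.0', dev: true },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-tool': {
      version: '2.0.0',
      dependencies: { 'eslint-config-prettier': { version: '10.1.7' } },
    },
  },
};

// CLI use: `node scan-lock.js package-lock.json`; without a .json argument the sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file && file.endsWith('.json')
    ? JSON.parse(require('node:fs').readFileSync(file, 'utf8'))
    : SAMPLE_LOCK_V3;
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log('no compromised versions found');
  if (file && hits.length) process.exitCode = 1;
}
```

Because the malicious code runs from an install script, a second defensive layer is to install with lifecycle scripts disabled (`npm ci --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) and enable scripts only for the packages that genuinely need them.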
**CVE-2025-68645: Zimbra Collaboration Suite LFI Vulnerability**
The fourth added vulnerability, CVE-2025-68645, is a Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration (ZCS) versions 10.0 and 10.1. Due to improper validation of user-supplied parameters in the RestFilter servlet, an unauthenticated remote attacker can send crafted requests to the `/h/rest` endpoint to manipulate internal request dispatching and include arbitrary files from the WebRoot directory, potentially exposing sensitive information.
A patch is available for this issue in version 10.1.1 and later of Zimbra Collaboration Suite. It is crucial to update to the latest version to prevent potential attacks exploiting this vulnerability.
**Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities**
The U.S. CISA has ordered federal agencies to fix the identified vulnerabilities by February 12, 2026, in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
Private organizations are also recommended to review the KEV catalog and address the vulnerabilities in their infrastructure. It is essential for both federal agencies and private organizations to prioritize regular security updates, patching, and configuration hardening to prevent potential attacks exploiting these vulnerabilities.