CISA Adds Four Critical Vulnerabilities to KEV Catalog Following Active Exploitation


The Cybersecurity and Infrastructure Security Agency (CISA) added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on January 22, 2026, signaling active exploitation in the wild.

These vulnerabilities span development tools, SD-WAN infrastructure, email platforms, and package managers, affecting organizations across multiple attack surfaces.

The addition reflects an urgent threat landscape where threat actors are actively leveraging these flaws.

All four vulnerabilities carry a February 12, 2026, remediation deadline, aligned with CISA’s Binding Operational Directive (BOD 22-01) for federal systems and critical infrastructure operators.

Malicious Code in Development Dependencies

Prettier’s eslint-config-prettier package contains embedded malicious code (CVE-2025-54313) that executes during installation.

An install.js file in the package deploys the node-gyp.dll malware on Windows systems, creating a supply-chain attack vector targeting development environments.

This represents a critical risk for software development pipelines and CI/CD infrastructure.
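As a starting point for the inventory step, the following added example (not code from CISA, Prettier or the original article) lists every copy of eslint-config-prettier recorded in a parsed npm package-lock.json and whether the lockfile flags it as having an install script. The sample lockfiles and their version strings are constructed for illustration; the affected versions are not stated on this page and must be taken from the vendor advisory.

```javascript
// Added example: inventory eslint-config-prettier entries in an npm lockfile.
const TARGET = "eslint-config-prettier";

// Returns [{ path, version, hasInstallScript }] for every copy of `name`
// recorded in a parsed package-lock.json (lockfileVersion 1, 2 or 3).
function findPackage(lock, name = TARGET) {
  const hits = [];
  // v2/v3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version, hasInstallScript: meta.hasInstallScript === true });
    }
  }
  if (hits.length > 0) return hits; // v2 also carries "dependencies"; avoid double counting
  // v1: nested "dependencies" tree; install scripts are not recorded (null = unknown).
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version, hasInstallScript: null });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (version strings are placeholders, not real releases).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/eslint-config-prettier": { version: "0.0.1-example", hasInstallScript: true },
    "node_modules/some-tool/node_modules/eslint-config-prettier": { version: "0.0.2-example" },
    "node_modules/eslint-config-prettier-extra": { version: "0.0.9-example" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-tool": {
      version: "1.0.0-example",
      dependencies: { "eslint-config-prettier": { version: "0.0.3-example" } },
    },
  },
};

for (const hit of [...findPackage(SAMPLE_V3), ...findPackage(SAMPLE_V1)]) {
  console.log(`${hit.path} ${hit.version} installScript=${hit.hasInstallScript}`);
}
```

Entries reported with `installScript=true` or `null` are the ones to compare against the advisory's affected versions first, since the malicious code runs at install time.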

Two separate improper access control vulnerabilities expose sensitive data and administrative functions. Vitejs Vite (CVE-2025-31125) allows attackers to read the content of non-allowed files through query parameter manipulation (?inline&import and ?raw?import), but it only affects dev servers explicitly exposed to the network.

Versa Concerto’s SD-WAN platform (CVE-2025-34026) contains an authentication bypass in its Traefik reverse proxy configuration, enabling unauthorized administrative access and exposure of heap dumps and trace logs.

Synacor Zimbra Collaboration Suite (CVE-2025-68645) suffers from a PHP remote file inclusion vulnerability.

Attackers craft requests to the /h/rest endpoint to influence request dispatching, potentially including arbitrary files from the WebRoot directory. Email platforms are frequent targets for initial access in enterprise breaches.

Organizations must prioritize patching these vulnerabilities immediately. Federal agencies face BOD 22-01 compliance requirements, while private-sector entities should evaluate their exposure and apply vendor-supplied patches or discontinue service use if mitigations remain unavailable.

The diversity of affected software, from development tooling to email infrastructure, underscores the broad threat landscape.

Security teams should inventory installations, prioritize network-exposed systems, and implement compensating controls pending patching.

| CVE ID | Vendor | Product | Vulnerability Type | CVSS | Due Date |
|---|---|---|---|---|---|
| CVE-2025-54313 | Prettier | eslint-config-prettier | Embedded Malicious Code | Critical | 2026-02-12 |
| CVE-2025-31125 | Vitejs | Vite | Improper Access Control | High | 2026-02-12 |
| CVE-2025-34026 | Versa | Concerto (SD-WAN) | Improper Authentication | Critical | 2026-02-12 |
| CVE-2025-68645 | Synacor | Zimbra Collaboration Suite | Remote File Inclusion | Critical | 2026-02-12 |
