CyberLeveling Logo
CISA KEV Catalog January 2026

Four Newly Exploited Vulnerabilities Added to CISA’s KEV Catalog (January 2026)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, signaling that these flaws are actively exploited in real-world attacks.

The KEV catalog is one of the most reliable indicators of what attackers are actually using, not just what is theoretically dangerous. When a vulnerability appears on this list, it deserves immediate attention from defenders across both public and private sectors.

This post breaks down the four newly added CVEs, what they affect, why they matter, and what organizations should do next.

What Is the KEV Catalog and Why It Matters

CISA’s KEV Catalog tracks vulnerabilities that meet three criteria:

  • A CVE ID exists
  • Exploitation has been confirmed in the wild
  • There is clear risk to federal and enterprise environments

For U.S. federal agencies, remediation of KEV vulnerabilities is mandatory within set timelines. For everyone else, the catalog serves as a high-confidence patch-priority list.

The Four Newly Added KEV Vulnerabilities

1. CVE-2025-68645: Zimbra Collaboration Suite

  • Type: Remote File Inclusion
  • Impact: Remote Code Execution
  • Affected Software: Zimbra Collaboration email and messaging platform

This vulnerability allows attackers to include and execute remote files through specially crafted requests. Because Zimbra is often deployed as an internet-facing email service, exploitation can lead to full server compromise, data theft, and follow-on attacks.

Why it matters: Email servers remain high-value targets, and Zimbra has a long history of being exploited quickly after disclosure.

2. CVE-2025-54313: eslint-config-prettier (npm)

  • Type: Supply-chain compromise
  • Impact: Arbitrary Code Execution
  • Affected Software: JavaScript and npm development environments

This vulnerability stems from a compromised open-source package in the npm ecosystem. Malicious code was introduced into a trusted dependency, allowing attackers to execute code during installation or build processes.

Why it matters: Supply-chain attacks bypass perimeter defenses by abusing trust in widely used development tools. Even organizations with strong network security may be affected if compromised packages reach CI/CD pipelines.

3. CVE-2025-31125: Vite Development Server

  • Type: Improper Access Control
  • Impact: Unauthorized File Access and Data Exposure
  • Affected Software: Vite frontend build tool

This flaw enables attackers to access sensitive files when the Vite development server is exposed or misconfigured. While Vite is primarily a development tool, exposure is common in cloud and test environments.

Why it matters: Development and staging systems are frequent soft targets and often contain secrets, credentials, or source code that can be reused in production attacks.

4. CVE-2025-34026: Versa Concerto SD-WAN

  • Type: Authentication Bypass
  • Impact: Administrative Access
  • Affected Software: Versa Concerto SD-WAN orchestration platform

This vulnerability allows attackers to bypass authentication and access administrative functionality. SD-WAN controllers are especially sensitive because they manage routing, policies, and connectivity across entire networks.

Why it matters: Compromise of network management infrastructure can enable large-scale surveillance, traffic manipulation, or complete network disruption.

Common Themes Across These Vulnerabilities

  • Internet-facing services remain a primary target
  • Supply-chain risk continues to grow in open-source ecosystems
  • Non-production systems such as development, staging, and management planes are increasingly exploited
  • Attackers move faster than patch cycles, making prioritization critical

What Organizations Should Do Now

  • Check exposure immediately: Identify whether any of the affected software is deployed, including in development or test environments.
  • Apply vendor patches or mitigations: If patches are unavailable, follow vendor-recommended mitigations or restrict access aggressively.
  • Audit internet-facing services: Reduce unnecessary exposure, especially for admin panels, development servers, and orchestration tools.
  • Strengthen supply-chain controls: Use dependency scanning, lockfiles, and package integrity checks in CI/CD pipelines.
  • Track the KEV catalog regularly: Treat it as a live threat intelligence feed, not just a compliance checklist.

Final Thoughts

The addition of these four vulnerabilities to CISA’s KEV Catalog is a clear reminder that real-world exploitation, not CVSS scores alone, should drive patching priorities.

Organizations that monitor and act on KEV updates reduce their risk exposure significantly, often with relatively small defensive effort.

Staying current is not about chasing every vulnerability. It is about focusing on the ones attackers are actually using.