The SecurityWeek report notes that CISA has added CVE-2025-68645, a local file inclusion flaw in Zimbra Collaboration Suite, to its Known Exploited Vulnerabilities (KEV) catalog. According to CISA, patch releases for this defect were issued on 6 November 2025, covering Zimbra Collaboration Suite versions 10.1.13 and 10.0.18. The article states that exploitation of the vulnerability has been surging in the wild, with CrowdSec reporting highly targeted attacks as part of sophisticated, intelligence-driven campaigns.
In addition to the Zimbra issue, CISA expanded the KEV list with three other bugs and urged federal agencies to address them within three weeks under Binding Operational Directive 22-01. The piece also indicates that all organisations are advised to review the KEV catalog and remediate the vulnerabilities it identifies. It is dated 23 January 2026.