Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four flaws to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2025-31125 (CVSS 5.3) in Vite Vitejs, CVE-2025-34026 (CVSS 9.2) in Versa Concerto SD-WAN, CVE-2025-54313 (CVSS 7.5) in Prettier eslint-config-prettier, and CVE-2025-68645 (CVSS 8.8) in Synacor Zimbra Collaboration Suite.
The entry for CVE-2025-31125 notes that the vulnerability exposes non-allowed files via certain Vite parameters when the dev server is exposed to the network, and that patches are available in specific versions. CVE-2025-34026 is described as an authentication bypass caused by a Traefik reverse proxy misconfiguration that could let attackers access admin endpoints, heap dumps, and trace logs in Versa Concerto versions 12.1.2–12.2.0.
CISA has ordered federal agencies to remediate these flaws by 12 February 2026, and private organisations are advised to review the KEV catalog and address the vulnerabilities in their infrastructure.
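One way to carry out that review, as an added example that is not CISA's or the article's own code: match an asset inventory against KEV records and rank the hits by days left until the due date. The sample catalog is constructed from the four entries above in the shape of the KEV JSON feed, and the inventory and host names are hypothetical.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (top-level
# "vulnerabilities" list). CVE IDs, products and due date come from the
# article; a real run would load the downloaded catalog file instead.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-31125", "vendorProject": "Vite",
     "product": "Vitejs", "dueDate": "2026-02-12"},
    {"cveID": "CVE-2025-34026", "vendorProject": "Versa",
     "product": "Concerto", "dueDate": "2026-02-12"},
    {"cveID": "CVE-2025-54313", "vendorProject": "Prettier",
     "product": "eslint-config-prettier", "dueDate": "2026-02-12"},
    {"cveID": "CVE-2025-68645", "vendorProject": "Synacor",
     "product": "Zimbra Collaboration Suite", "dueDate": "2026-02-12"},
]})

# Hypothetical asset inventory: (host, vendor, product).
INVENTORY = [
    ("build-01", "Vite", "Vitejs"),
    ("sdwan-mgmt", "Versa", "Concerto"),
    ("mail-01", "Synacor", "Zimbra Collaboration Suite"),
    ("db-01", "PostgreSQL", "PostgreSQL"),
]

def kev_findings(kev_json, inventory, today):
    """Return KEV entries that match the inventory, most urgent first."""
    index = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        key = (v["vendorProject"].casefold(), v["product"].casefold())
        index.setdefault(key, []).append(v)
    findings = []
    for host, vendor, product in inventory:
        # Exact vendor/product match; inventory names must follow KEV naming.
        for v in index.get((vendor.casefold(), product.casefold()), []):
            due = date.fromisoformat(v["dueDate"])
            days_left = (due - today).days
            findings.append({"host": host, "cve": v["cveID"], "due": due,
                             "days_left": days_left, "overdue": days_left < 0})
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve"]))
    return findings

if __name__ == "__main__":
    for f in kev_findings(KEV_SAMPLE, INVENTORY, date.today()):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']:<12} {f['cve']:<16} due {f['due']} ({status})")
```

A match only shows that the product is present. Whether the deployed version is affected still has to be checked against the vendor advisory.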