CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities
嗯,用户让我用中文帮他总结一下这篇文章的内容,控制在一百个字以内,而且不需要用“文章内容总结”之类的开头。直接写描述就行。首先,我需要仔细阅读这篇文章,理解其主要内容。 文章主要讲的是美国网络安全和基础设施安全局(CISA)在周四新增了四个安全漏洞到他们的已知被利用漏洞目录中。这些漏洞都是被积极利用的。然后列出了四个具体的CVE编号,每个都有CVSS评分和修复版本的信息。其中特别提到CVE-2025-54313是一个针对eslint-config-prettier和其他npm包的供应链攻击,攻击者通过钓鱼邮件获取维护者的凭证,发布恶意版本。 此外,文章还提到根据BOD 22-01指令,联邦民事执行部门机构必须在2026年2月12日前应用必要的修复来保护网络。 现在,我需要将这些信息浓缩到100字以内。重点包括:CISA新增四个漏洞、漏洞涉及的软件、供应链攻击、修复时间以及政府机构的应对措施。 可能的结构是:CISA新增四个漏洞到目录中,涉及Zimbra、Versa Concerto、Vite Vitejs和eslint-config-prettier等软件。其中一个是供应链攻击,导致恶意DLL执行。其他漏洞也在被积极利用。政府机构需在特定日期前修复以保护网络。 检查字数是否在限制内,并确保信息准确无误。 </think> 美国网络安全机构CISA新增四个高危漏洞至目录中,涉及Zimbra协作套件、Versa Concerto SD-WAN平台、Vite Vitejs及eslint-config-prettier等软件。其中一漏洞系供应链攻击所致,可致恶意代码执行。其余漏洞亦被活跃利用。相关机构需于指定日期前完成修复以应对威胁。 2026-1-23 15:24:0 Author: thehackernews.com(查看原文) 阅读量:4 收藏

Vulnerability / Software Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The list of vulnerabilities is as follows -

  • CVE-2025-68645 (CVSS score: 8.8) - A PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow a remote attacker to craft requests to the "/h/rest" endpoint and allow inclusion of arbitrary files from the WebRoot directory without any authentication (Fixed in November 2025 with version 10.1.13)
  • CVE-2025-34026 (CVSS score: 9.2) - An authentication bypass in the Versa Concerto SD-WAN orchestration platform that could allow an attacker to access administrative endpoints (Fixed in April 2025 with version 12.2.1 GA)
  • CVE-2025-31125 (CVSS score: 5.3) - An improper access control vulnerability in Vite Vitejs that could allow contents of arbitrary files to be returned to the browser using ?inline&import or ?raw?import (Fixed in March 2025 with versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11)
  • CVE-2025-54313 (CVSS score: 7.5) - An embedded malicious code vulnerability in eslint-config-prettier that could allow for execution of a malicious DLL dubbed Scavenger Loader that's designed to deliver an information stealer

Cybersecurity

It's worth noting that CVE-2025-54313 refers to a supply chain attack targeting eslint-config-prettier and six other npm packages, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is, that came to light in July 2025.

The phishing campaign targeted the package maintainers with bogus links that harvested their credentials under the pretext of verifying their email address as part of regular account maintenance, allowing the threat actors to publish trojanized versions.

According to CrowdSec, exploitation efforts targeting CVE-2025-68645 have been ongoing since January 14, 2026. There are currently no details on how the other vulnerabilities are being exploited in the wild.

Pursuant to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by February 12, 2026, to secure their networks against active threats.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.


文章来源: https://thehackernews.com/2026/01/cisa-updates-kev-catalog-with-four.html
如有侵权请联系:admin#unsafe.sh