嗯,用户让我帮忙总结一篇文章的内容,控制在100字以内,而且不需要用“文章内容总结”之类的开头。首先,我需要仔细阅读这篇文章,了解其主要内容。 文章主要讲的是美国网络安全和基础设施安全局(CISA)警告了四个被积极利用的漏洞,影响了Versa、Zimbra的企业软件,Vite前端工具框架和Prettier代码格式化工具。这些漏洞被添加到CISA的已知被利用漏洞目录中,说明有证据显示黑客正在利用它们。 接下来,我需要找出这些漏洞的关键信息:CVE编号、严重程度、影响范围和修复情况。比如CVE-2025-31125是高危的访问控制问题,影响暴露的开发实例,并已修复;CVE-2025-34026是Versa Concerto平台的认证绕过漏洞;CVE-2025-54313是供应链问题影响eslint-config-prettier包;CVE-2025-68645是Zimbra Collaboration Suite的本地文件包含漏洞。 然后,用户要求总结控制在100字以内,所以需要简洁明了地涵盖所有关键点:CISA警告四个漏洞被利用,涉及的企业软件和工具,以及这些漏洞的影响和修复情况。 最后,确保语言流畅自然,不使用任何开头模板。这样用户就能快速获取文章的核心信息。 </think> 美国网络安全机构CISA警告称,四个高危漏洞正被积极利用,影响Versa、Zimbra企业软件及Vite、Prettier工具框架。这些漏洞包括认证绕过、文件泄露和供应链攻击等,并已加入CISA的已知被利用漏洞目录。相关产品需尽快修复或停用以应对威胁。 2026-1-23 19:0:26 Author: www.bleepingcomputer.com(查看原文) 阅读量:4 收藏
The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. warned of active exploitation of four vulnerabilities impacting enterprise software from Versa and Zimbra, the Vite frontend tooling framework, and the Prettier code formatter.
The security issues have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, indicating that the agency has evidence that hackers are exploiting them in the wild.
One of the vulnerabilities is CVE-2025-31125, a high-severity improper access control issue disclosed in March last year that can be exploited to expose non-allowed files when the server is explicitly exposed to the network.
The issue affects only exposed dev instances and has been patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11.
Another bug CISA marked as exploited is CVE-2025-34026, a critical-severity authentication bypass in the Versa Concerto SD-WAN orchestration platform disclosed in May 2025. It is caused by a Traefik reverse proxy misconfiguration that allows access to administrative endpoints, including the internal Actuator endpoint, exposing heap dumps and trace logs.
Affected products are Concerto 12.1.2 through 12.2.0, although additional versions may also be impacted.
Researchers at cybersecurity company ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa Concerto confirmed to BleepingComputer that they had fixed them on March 7, 2025.
The US cybersecurity agency also lists CVE-2025-54313 as leveraged in attacks, a high-severity vulnerability due to supply-chain compromise affecting the eslint-config-prettier package for resolving conflicts between code linter ESLint and the Prettier code formatter.
In July last year, hackers hijacked several popular JavaScript libraries, 'eslint-config-prettier' among them, and published on npm versions embedded with malicious code.
Installing an affected package (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) would run a malicious install.js script that launched the node-gyp.dll payload on Windows to steal npm authentication tokens.
CISA also warned of CVE-2025-68645 being exploited. The vulnerability was disclosed on December 22, 2025, and is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1.
The bug is caused by improper handling of user-supplied parameters in the RestFilter servlet. An unauthenticated attacker can exploit the /h/rest endpoint to include arbitrary files from the WebRoot directory.
CISA now requires all federal agencies bound by the BOD 22-01 directive to apply available security updates or vendor-suggested mitigations, or to stop using the products by February 12, 2026.
The agency has not shared any details about the exploitation activity, and the status of the flaws’ use in ransomware attacks was marked as ‘unknown.’
7 Security Best Practices for MCP
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.
如有侵权请联系:admin#unsafe.sh