
CISA Updates KEV Catalog With Four Actively Exploited Flaws Including CVE-2025-7251 and CVE-2025-7194

  • Jan 23

Updated: Jan 26

CISA has updated its Known Exploited Vulnerabilities catalog to include four security flaws that have been confirmed as actively exploited. The newly added CVEs affect enterprise collaboration software, SD-WAN orchestration platforms, frontend build tooling, and a widely used development configuration package, highlighting the diversity of attack surfaces currently being targeted.


One of the newly added entries is CVE-2025-68645, a PHP remote file inclusion vulnerability affecting Synacor Zimbra Collaboration Suite. The flaw exists in the /h/rest endpoint and allows unauthenticated attackers to include arbitrary files from the WebRoot directory. By crafting malicious requests, an attacker can force the application to load unintended PHP resources, potentially leading to information disclosure or further compromise of the Zimbra environment. This issue was fixed in Zimbra version 10.1.13.

Another vulnerability added to the catalog is CVE-2025-34026, an authentication bypass in the Versa Concerto SD-WAN orchestration platform. The weakness allows attackers to access administrative endpoints without valid credentials due to improper authentication enforcement. Successful exploitation grants access to sensitive management functionality, enabling configuration changes or further lateral movement within managed network infrastructure. Versa addressed this issue in version 12.2.1 GA.

CISA also added CVE-2025-31125, which affects the Vite and Vitejs frontend build tooling ecosystem. This vulnerability is caused by improper access control when handling special query parameters such as ?inline&import and ?raw?import. Exploitation allows attackers to retrieve the contents of arbitrary files and have them returned directly to the browser. While the CVSS score is lower than the others, exploitation can still result in source code disclosure or leakage of sensitive configuration data. The issue has been fixed across multiple supported versions.

The fourth addition is CVE-2025-54313, a supply-chain vulnerability involving malicious code embedded in the eslint-config-prettier package. The malicious component includes a DLL referred to as a scavenger loader, designed to execute on Windows systems and deploy an information-stealing payload. This vulnerability is particularly concerning because it targets developers indirectly through trusted tooling, allowing compromise during development or build processes rather than at runtime.

CISA’s decision to include these CVEs in the KEV catalog indicates that they are being actively exploited and should be treated as high-priority remediation targets. Organizations running affected software should immediately identify vulnerable instances, apply available patches, and review logs for signs of exploitation. In environments where immediate patching is not possible, reducing exposure and implementing compensating controls is critical.
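As an added example (not part of the original article and not CISA or Vite code), the log review recommended above can be sketched for the Vite case: the script flags access-log requests that carry the two query-parameter forms named for CVE-2025-31125. The combined log format, the sample lines, and the placeholder paths are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined-format access log entry (the log format is an assumption).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two query-parameter forms the article names for CVE-2025-31125.
MARKER_RE = re.compile(r'(?:^|[?&])(inline&import|raw\?import)(?=$|[&?=#])')

def find_marker(target):
    """Return the marker form present in a request target, or None."""
    decoded = unquote(target).lower()  # one decoding pass catches %3F and %26
    _, sep, query = decoded.partition("?")
    if not sep:
        return None
    hit = MARKER_RE.search(query)
    return hit.group(1) if hit else None

def scan(lines):
    """Return one finding per log line whose request carries a marker."""
    findings = []
    for line in lines:
        entry = LOG_RE.match(line)
        if not entry:
            continue  # not an access-log line; skip rather than guess
        marker = find_marker(entry["target"])
        if marker:
            findings.append({
                "client": entry["client"],
                "target": entry["target"],
                "marker": marker,
                # A 2xx answer means content was returned: triage these first.
                "served": entry["status"].startswith("2"),
            })
    return findings

# Constructed sample log (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /src/main.ts HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2000:10:00:02 +0000] "GET /assets/logo.svg?raw HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2000:10:00:03 +0000] "GET /placeholder/file.txt?inline&import HTTP/1.1" 200 1337',
    '198.51.100.7 - - [01/Jan/2000:10:00:04 +0000] "GET /placeholder/file.txt?raw%3Fimport HTTP/1.1" 403 0',
    'malformed line that is not a log entry',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A match is a triage lead rather than proof of compromise; findings with a served response on hosts where a Vite development server is reachable from untrusted networks deserve the first look.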

This update reinforces the reality that attackers continue to exploit both traditional enterprise platforms and developer-focused tooling. Effective defense requires visibility across infrastructure, applications, and the software supply chain, along with rapid response to vulnerabilities confirmed to be exploited in the wild.

 
 
 
