The CISA Known Exploited Vulnerabilities (KEV) catalog grew again in a series of January actions that flagged multiple security bugs as actively exploited, including issues tied to Zimbra Collaboration Suite, Versa Concerto, Vite, and the npm package eslint-config-prettier. Separate additions also warned of active exploitation involving Microsoft Office PowerPoint, HPE OneView, Gogs, and Cisco Unified Communications products, with federal remediation deadlines set under Binding Operational Directive 22-01.
CISA’s KEV catalog is used to highlight vulnerabilities with evidence of exploitation, and several of the newest entries point to remote code execution risks that can lead to major compromise if systems remain unpatched. The updates also show how both enterprise software and widely used open-source components can become targets, from collaboration platforms and SD-WAN tools to developer packages and self-hosted Git services.
Four newly added KEV entries
CISA added four vulnerabilities to the KEV catalog on Thursday, citing evidence of active exploitation in the wild. The four entries include CVE-2025-68645 in Synacor Zimbra Collaboration Suite (ZCS), CVE-2025-34026 in the Versa Concerto SD-WAN orchestration platform, CVE-2025-31125 in Vite (Vitejs), and CVE-2025-54313 related to embedded malicious code in eslint-config-prettier.
In Zimbra ZCS, CVE-2025-68645 is described as a PHP remote file inclusion issue that could let an attacker craft requests to the “/h/rest” endpoint to include arbitrary files from the WebRoot directory without authentication, and it was reported as fixed in November 2025 with version 10.1.13. For Versa Concerto, CVE-2025-34026 is described as an authentication bypass that could allow access to administrative endpoints, and it was reported as fixed in April 2025 with version 12.2.1 GA. For Vite, CVE-2025-31125 is described as an improper access control problem that could allow the contents of arbitrary files to be returned to the browser using “?inline&import” or “?raw?import,” with fixes listed across multiple versions released in March 2025.
The fourth entry, CVE-2025-54313, is tied to embedded malicious code in eslint-config-prettier that could enable execution of a malicious DLL called “Scavenger Loader,” which is designed to deliver an information stealer. The same report notes that CVE-2025-54313 refers to a supply chain attack that also targeted six other npm packages: eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is. It adds that the campaign targeted package maintainers with bogus links that harvested credentials under the pretext of email verification, enabling threat actors to publish trojanized versions.
For the Zimbra issue, CrowdSec said exploitation targeting CVE-2025-68645 had been ongoing since January 14, 2026. The same account said there were no details on how the other three vulnerabilities were being exploited in the wild. Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies were required to apply the needed fixes by February 12, 2026.
Microsoft Office and HPE OneView added
CISA also added two security flaws affecting Microsoft Office and Hewlett Packard Enterprise (HPE) OneView to the KEV catalog, citing evidence of active exploitation. The two vulnerabilities were listed as CVE-2009-0556, described as a code injection issue in Microsoft Office PowerPoint that can enable arbitrary code execution through memory corruption, and CVE-2025-37164, described as a code injection vulnerability in HPE OneView that can allow a remote unauthenticated user to perform remote code execution.
For CVE-2025-37164, details emerged when HPE said the flaw impacts all versions prior to version 11.00, and the company made available hotfixes for OneView versions 5.20 through 10. The same report said the scope and source of attacks targeting the two flaws were unclear and that there appeared to be no public reports referencing their exploitation in the wild, while also noting eSentire reported on December 23, 2025 that a detailed proof-of-concept exploit for CVE-2025-37164 had been released. Under BOD 22-01, FCEB agencies were recommended to apply the necessary fixes by January 28, 2026.
In a separate section, the report cited Check Point as identifying an active, large-scale exploitation campaign targeting CVE-2025-37164 that delivered the RondoDox botnet. It said Check Point reported the activity to CISA on January 7, 2026, and that this helped prompt inclusion in the KEV catalog the same day. Check Point said it observed more than 40,000 attack attempts between 05:45 and 09:20 UTC on January 7, 2026, and assessed the activity as automated, botnet-driven exploitation.
Gogs flaw flagged amid active exploitation
CISA also warned of active exploitation of a high-severity security flaw affecting Gogs by adding it to the KEV catalog, with the issue tracked as CVE-2025-8110. CISA described it as a path traversal vulnerability tied to improper symbolic link handling in the PutContents API that could allow code execution.
One account said details came to light when Wiz reported the flaw being exploited in zero-day attacks. It described a technique in which a Git repository contains a committed symbolic link pointing to a sensitive target, and the PutContents API is then used to write data through that symlink so the operating system overwrites a file outside the repository. That description said an attacker could overwrite Git configuration files, including an sshCommand setting, to gain code execution privileges. The same report said Wiz identified 700 compromised Gogs instances, and cited Censys data saying there are over 1,600 internet-exposed Gogs servers, with the largest number located in China.
A separate report also described CVE-2025-8110 as a symlink bypass of a previously patched remote code execution issue tracked as CVE-2024-55947, and said Wiz Research identified over 700 compromised public-facing instances. That source said the earlier fix added path validation but did not check for symbolic links, enabling the bypass via Git’s symlink feature and allowing writes to targets such as “.git/config.”
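The Gogs bypass described above comes down to a path check that reasoned about the path string but not about what the filesystem would actually do with it. The following Go example is added here for illustration and is not code from Gogs or from either report. It contrasts a purely lexical check of the kind an earlier "../" traversal fix typically adds with a symlink-aware check that refuses to proceed through any symlinked path component and confirms that the resolved location is still inside the repository root. The function names, the constructed directory layout and the sample paths are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRepo is returned when a path would land outside the repository root.
var ErrOutsideRepo = errors.New("path resolves outside repository root")

// ErrSymlinkInPath is returned when any component of the target path is a symbolic link.
var ErrSymlinkInPath = errors.New("symbolic link in target path")

// lexicalCheck is the kind of validation a "../" traversal fix adds: it cleans the
// relative path and rejects anything that escapes root on paper. It says nothing
// about where the filesystem will actually put the write.
func lexicalCheck(root, rel string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, rel) // Join cleans, collapsing ".." segments
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// safeRepoPath adds what the lexical pass lacks: it walks every path component
// that already exists on disk and refuses to go through a symbolic link, then
// resolves the deepest existing ancestor and confirms the real path is still
// inside root. A symlink committed into the repository therefore cannot redirect
// the write to a file outside it.
func safeRepoPath(root, rel string) (string, error) {
	root = filepath.Clean(root)
	full, err := lexicalCheck(root, rel)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	relPart, _ := filepath.Rel(root, full)
	cur := root
	for _, comp := range strings.Split(relPart, string(filepath.Separator)) {
		if comp == "" || comp == "." {
			continue
		}
		cur = filepath.Join(cur, comp)
		info, err := os.Lstat(cur) // Lstat reports the link itself, not its target
		if errors.Is(err, os.ErrNotExist) {
			break // remaining components will be created fresh; nothing to follow
		}
		if err != nil {
			return "", err
		}
		if info.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlinkInPath
		}
	}
	// Resolve whatever part of the path exists and confirm it is still under root.
	existing := cur
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if resolved != realRoot && !strings.HasPrefix(resolved, realRoot+string(filepath.Separator)) {
		return "", ErrOutsideRepo
	}
	return full, nil
}

// setupFixture builds a constructed layout (sample data for this example only):
//   tmp/repo/              repository root
//   tmp/repo/link          -> tmp/outside/target.txt  (file symlink)
//   tmp/repo/cfgdir        -> tmp/outside             (directory symlink)
//   tmp/outside/target.txt the file that lives outside the repository
func setupFixture(tmp string) (repo, outside string) {
	repo = filepath.Join(tmp, "repo")
	outside = filepath.Join(tmp, "outside")
	must(os.MkdirAll(repo, 0o755))
	must(os.MkdirAll(outside, 0o755))
	target := filepath.Join(outside, "target.txt")
	must(os.WriteFile(target, []byte("original\n"), 0o644))
	must(os.Symlink(target, filepath.Join(repo, "link")))
	must(os.Symlink(outside, filepath.Join(repo, "cfgdir")))
	return repo, outside
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	tmp, err := os.MkdirTemp("", "symlink-check-demo")
	must(err)
	defer os.RemoveAll(tmp)
	repo, _ := setupFixture(tmp)
	for _, rel := range []string{"README.md", "link", "cfgdir/target.txt", "../outside/target.txt"} {
		_, lexErr := lexicalCheck(repo, rel)
		_, safeErr := safeRepoPath(repo, rel)
		fmt.Printf("%-24s lexical: %v | symlink-aware: %v\n", rel, lexErr, safeErr)
	}
}
```

Running the block prints a verdict from each check for every sample path. The instructive row is "link": the lexical check accepts it because the string never leaves the repository, while the symlink-aware check rejects it, which is exactly the gap the reports describe between the earlier path-validation fix and the symlink bypass.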
The two accounts differed on patch status: one said there were currently no patches addressing CVE-2025-8110, while noting pull requests indicating necessary code changes and a maintainer comment that future images would include a patch once built on main. The other said the flaw was “addressed a week later” after Wiz found it during investigation of a malware incident. In the absence of a fix, guidance included disabling default open registration and limiting server access using a VPN or an allow-list, and FCEB agencies were required to apply mitigations by February 2, 2026.
Cisco Unified CM zero-day added
CISA also added a critical remote code execution vulnerability affecting Cisco Unified Communications Manager to the KEV catalog, with the issue tracked as CVE-2026-20045. The vulnerability was described as enabling attackers to execute arbitrary code on affected systems and escalate privileges to root level, with the underlying weakness described as code injection stemming from improper validation. The report said affected products include Cisco Unified Communications Manager (Unified CM), Unified CM Session Management Edition, Unified CM IM & Presence Service, Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance.
According to that report, CISA added CVE-2026-20045 to the KEV catalog on January 21, 2026, and set a mandatory remediation deadline of February 11, 2026. It also said the precise attack vector had not been publicly disclosed, while CISA’s KEV addition confirms active exploitation in the wild. The same account said the vulnerability had not been linked to ransomware campaigns at the time of writing.
