At a glance: Multiple vulnerabilities across VMware, Cisco, Zimbra, Versa, Vite, and widely used JavaScript packages are being actively exploited or have confirmed exploitation in the wild. The flaws enable unauthenticated RCE, improper authentication, and unauthorized file access. Several affected systems are core infrastructure or developer tooling, increasing the risk of broad compromise where patching or access restrictions have not been applied.
Threat summary
Between January 21 and 24, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added several security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors.
CVE-2024-37079 (CVSS 9.8)
CVE‑2024‑37079 affects VMware vCenter Server. The flaw, a heap overflow in vCenter's DCE/RPC (Distributed Computing Environment / Remote Procedure Call) protocol implementation, enables unauthenticated remote code execution: an attacker with network access to the service sends specially crafted packets and needs no credentials.
The vulnerability carries a Common Vulnerability Scoring System (CVSS) rating of 9.8, critical, with a worst‑case scenario of full system takeover.
Broadcom originally patched the flaw in June 2024 but has since updated its advisory stating it has “information to suggest that exploitation of CVE‑2024‑37079 has occurred in the wild.”
CVE-2026-20045 (CVSS 8.2)
CVE‑2026‑20045 is a high‑severity (CVSS 8.2) remote code execution vulnerability disclosed by Cisco on January 21, 2026. It affects multiple Cisco Unified Communications products and was being actively exploited before disclosure.
The flaw is caused by improper validation of user‑supplied input in the web‑based management interface. An unauthenticated remote threat actor can send a sequence of malicious Hypertext Transfer Protocol (HTTP) requests to execute arbitrary commands on the underlying operating system.
CVE-2025-68645 (CVSS 8.8)
CVE‑2025‑68645 is a local file inclusion vulnerability in the Zimbra Collaboration Webmail Classic interface, allowing unauthenticated access to files within the WebRoot directory.
The flaw enables reconnaissance and access to sensitive configuration files, supporting credential theft, lateral movement, and follow‑on compromise. Zimbra released patches for supported versions on November 6, 2025, with the ZCS 10.1.13 release.
CVE‑2025‑31125 (CVSS 7.5)
CVE‑2025‑31125 affects the Vite build tool. It is an improper access control flaw in Vite's development server that lets a client read files outside the server's allowed file‑system scope (the server.fs allow and deny lists) when the dev server is reachable over a network rather than bound to localhost only. The flaw is rated High severity and has been linked to unauthorized file access in environments where Vite's development server is deployed in a network‑exposed configuration, typically by running it with --host or setting server.host. Only the development server is affected; production builds served by a separate web server are not.
The impact is limited to unauthorized file disclosure, but exposed files may include sensitive application data, internal paths, or configuration information that can support follow‑on compromise. The worst‑case scenario involves attackers using disclosed files to escalate access or pivot into production environments.
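The exposed configuration described above, beside its hardened counterpart, as an added example that is not part of the original advisory or of Vite's own code. The checker below evaluates a Vite config object for two things: whether the dev server is bound to a non‑loopback address, and whether the file‑system guard (server.fs.strict and server.fs.deny) has been weakened. It assumes Vite's documented server.host and server.fs options; the default deny patterns listed are taken from the Vite documentation and should be re‑checked against the version in use. Both config objects are constructed for the example.

```javascript
// Added example: audit a Vite dev-server config for network exposure and for
// a weakened file-system guard. Not Vite's own code.
// Assumptions: Vite's documented options server.host, server.fs.strict,
// server.fs.allow and server.fs.deny; DEFAULT_DENY mirrors the documented
// defaults and should be re-checked against the installed Vite version.

const DEFAULT_DENY = ['.env', '.env.*', '*.{crt,pem}', '**/.git/**'];

// Constructed "weak" config: listens on every interface (the same effect as
// running `vite --host`) and disables the fs guard, which is the
// network-exposed configuration the advisory warns about.
const weakConfig = {
  server: {
    host: true,
    fs: { strict: false, deny: [] },
  },
};

// Constructed hardened config: loopback only, strict fs guard, the default
// deny list kept and extended with a project-specific secrets directory.
const hardenedConfig = {
  server: {
    host: '127.0.0.1',
    fs: { strict: true, deny: [...DEFAULT_DENY, 'secrets/**'] },
  },
};

const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1']);

// host unset means Vite's default (localhost); host: true means 0.0.0.0;
// any other non-loopback address or hostname also exposes the server.
function isNetworkExposed(config) {
  const host = config?.server?.host;
  if (host === undefined) return false;
  if (host === true) return true;
  return !LOOPBACK.has(String(host));
}

// Vite applies DEFAULT_DENY only when server.fs.deny is left unset; a
// user-supplied list replaces it, so an empty list removes protection for
// .env files and certificates.
function fsGuardFindings(config) {
  const fs = config?.server?.fs ?? {};
  const deny = fs.deny ?? DEFAULT_DENY;
  const missingDeny = DEFAULT_DENY.filter((p) => !deny.includes(p));
  return { strictDisabled: fs.strict === false, missingDeny };
}

// Returns a list of human-readable findings; an empty list means the config
// keeps the dev server on loopback with the fs guard intact.
function auditViteConfig(config) {
  const findings = [];
  if (isNetworkExposed(config)) findings.push('dev server bound to a non-loopback address');
  const { strictDisabled, missingDeny } = fsGuardFindings(config);
  if (strictDisabled) findings.push('server.fs.strict is false');
  for (const p of missingDeny) findings.push(`default deny pattern removed: ${p}`);
  return findings;
}

console.log('weak config:', auditViteConfig(weakConfig));
console.log('hardened config:', auditViteConfig(hardenedConfig));
```

The checker treats any non‑loopback host as exposed on purpose: binding to a single LAN address is still reachable from that LAN, which is the scenario the advisory describes. If a dev server genuinely must be reachable from other machines, keep the deny list intact and put the server behind an authenticated reverse proxy rather than relaxing server.fs.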
CVE‑2025‑34026 (CVSS 9.2)
CVE‑2025‑34026 is a critical improper authentication vulnerability in the Versa Concerto software‑defined wide area network orchestration platform.
The flaw allows unauthenticated access to administrative endpoints, including internal Actuator interfaces that expose heap dumps, trace logs, and other sensitive operational data. The worst‑case scenario involves unauthorized access to administrative functions, exposure of credentials or tokens, and potential escalation into broader network compromise.
CVE‑2025‑54313 (CVSS 7.5)
CVE‑2025‑54313 is part of a supply chain compromise in the eslint‑config‑prettier package, where versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 contain embedded malicious code. Installing any of the affected versions triggers execution of an install.js script that launches a malicious node‑gyp.dll payload on Windows systems. The package is a shareable ESLint configuration with no native components and therefore no legitimate need for an install‑time script, so the presence of one in a published version is itself an indicator of tampering.
The impact includes unauthorized code execution during package installation, enabling attackers to deploy malware, steal credentials, or establish persistence in developer environments.
The flaw affects any organization or developer using the compromised versions, particularly those with automated build pipelines or continuous integration systems that install dependencies without manual review.
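The check a practitioner would want for the passage above, as an added example that is not npm's or the eslint‑config‑prettier project's own code: a Node script that walks an npm package‑lock.json, flags the four compromised versions named in the advisory wherever they appear in the dependency tree (including nested copies), and separately flags any package whose lockfile entry declares an install‑time script but is not on an allow list of packages known to need one. The lockfile is constructed inline for the example; in practice it would be read from disk. It assumes the lockfile v2/v3 packages map and the hasInstallScript field that npm records for packages with preinstall, install or postinstall scripts; lockfile v1 files use a different layout and are not handled here.

```javascript
// Added example: audit an npm package-lock.json (lockfile v2/v3) for the
// compromised eslint-config-prettier versions and for unexpected install
// scripts. Not npm's or the eslint-config-prettier project's own code.
// Assumption: npm records hasInstallScript: true on lockfile entries whose
// package.json declares preinstall/install/postinstall scripts.

const COMPROMISED = new Map([
  ['eslint-config-prettier', new Set(['8.10.1', '9.1.1', '10.1.6', '10.1.7'])],
]);

// Constructed sample lockfile. Keys under "packages" are node_modules paths,
// which is how a nested copy of a package shows up. The root entry is "".
const sampleLock = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': {
      version: '10.1.7',
      resolved: 'https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-10.1.7.tgz',
      hasInstallScript: true,
      dev: true,
    },
    'node_modules/some-lib/node_modules/eslint-config-prettier': {
      version: '9.1.0',
      dev: true,
    },
    // esbuild legitimately runs a postinstall step, so it belongs on the allow list.
    'node_modules/esbuild': { version: '0.21.5', hasInstallScript: true, dev: true },
  },
};

// Package name from a lockfile path: everything after the last "node_modules/",
// which keeps scoped names such as "@scope/name" intact.
function packageNameFromPath(p) {
  const marker = 'node_modules/';
  const i = p.lastIndexOf(marker);
  return i === -1 ? p : p.slice(i + marker.length);
}

// Returns one finding per problem found. The version match catches the known
// bad releases; the install-script check catches a repeat of the same attack
// pattern even when the version list is stale, at the cost of reviewing the
// packages on expectedInstallScripts once.
function auditLockfile(lock, expectedInstallScripts = new Set(['esbuild'])) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === '') continue; // the root project itself
    const name = packageNameFromPath(path);
    if (COMPROMISED.get(name)?.has(entry.version)) {
      findings.push({ severity: 'critical', path, name, version: entry.version,
        reason: 'known compromised version' });
    }
    if (entry.hasInstallScript && !expectedInstallScripts.has(name)) {
      findings.push({ severity: 'review', path, name, version: entry.version,
        reason: 'declares an install script' });
    }
  }
  return findings;
}

const results = auditLockfile(sampleLock);
for (const f of results) {
  console.log(`[${f.severity}] ${f.path}@${f.version}: ${f.reason}`);
}
```

For a tree that is flagged, remove the affected version, clear the npm cache, and reinstall from a corrected lockfile with lifecycle scripts disabled (npm ci --ignore-scripts), which prevents an install.js hook of this kind from running at all; packages that genuinely need a build step, such as those on the allow list, then have to be handled explicitly. Treat the CI runner and any developer machine that installed one of the four versions as compromised until the payload has been ruled out.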
Mitigation
Field Effect’s Security Intelligence monitors the cyber threat landscape for threats related to vulnerabilities like those mentioned above. Field Effect MDR users are automatically notified if vulnerable software or hardware is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Deploying vendor patches, removing compromised or vulnerable package versions, and validating dependency integrity address the underlying flaws. Reviewing logs for unauthorized access, unexpected command execution, or abnormal file‑access patterns supports early detection of exploitation.
Other mitigations apply across all impacted products: restricting external access to the affected management interfaces and limiting them to trusted administrative networks reduces exposure, and removing sensitive files from exposed directories and ensuring no internal interfaces are externally reachable further reduces risk.