The U.S. Cybersecurity and Infrastructure Security Agency added four vulnerabilities to the Known Exploited Vulnerabilities catalog on January 22, 2026, citing evidence of active exploitation and setting a February 12, 2026 patch deadline for federal agencies.
KEY FACTS
- Added four vulnerabilities to the KEV catalog
- Affected Zimbra, Versa Concerto, Vite, eslint-config-prettier
- Known exploitation activity observed for one CVE
- Federal deadline: fixes due by February 12, 2026 under BOD 22-01
The advisory covers CVE-2025-68645 (CVSS 8.8), CVE-2025-34026 (CVSS 9.2), CVE-2025-31125 (CVSS 5.3) and CVE-2025-54313 (CVSS 7.5).
These vulnerabilities affect Synacor Zimbra Collaboration Suite, the Versa Concerto SD-WAN orchestration platform, Vite Vitejs and eslint-config-prettier, respectively.
Vendors issued fixes for most issues before the advisory: Zimbra addressed the inclusion bug in November 2025, Versa released an update in April 2025, and Vite published security updates in March 2025. The eslint-config-prettier issue stems from a supply chain compromise that resulted in trojanized packages.
Exploit activity targeting CVE-2025-68645 began on January 14, 2026. There are no public details on active exploitation of the other three vulnerabilities at this time.
WHY IT MATTERS
The additions place the vulnerabilities on a federal remediation schedule and reflect active exploitation for at least one flaw. Organizations should prioritize vendor updates and patch deployment to reduce exposure.

