CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities
Briefly

"CVE-2025-68645 (CVSS score: 8.8) - A PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow a remote attacker to craft requests to the '/h/rest' endpoint and allow inclusion of arbitrary files from the WebRoot directory without any authentication (Fixed in November 2025 with version 10.1.13)"
"CVE-2025-34026 (CVSS score: 9.2) - An authentication bypass in the Versa Concerto SD-WAN orchestration platform that could allow an attacker to access administrative endpoints (Fixed in April 2025 with version 12.2.1 GA)"
"CVE-2025-31125 (CVSS score: 5.3) - An improper access control vulnerability in Vite Vitejs that could allow contents of arbitrary files to be returned to the browser using ?inline&import or ?raw?import (Fixed in March 2025 with versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11)"
"CVE-2025-54313 (CVSS score: 7.5) - An embedded malicious code vulnerability in eslint-config-prettier that could allow for execution of a malicious DLL dubbed Scavenger Loader that's designed to deliver an information stealer"
"It's worth noting that CVE-2025-54313 refers to a supply chain attack targeting eslint-config-prettier and six other npm packages (eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall, got-fetch, and is) that came to light in July 2025. The phishing campaign targeted the package maintainers with bogus links that harvested their credentials under the pretext of verifying their email address as part of regular account maintenance, allowing the threat actors to publish trojanized versions."
CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation: CVE-2025-68645 (Zimbra Collaboration Suite PHP remote file inclusion through the /h/rest endpoint, reachable without authentication; fixed November 2025 in 10.1.13), CVE-2025-34026 (Versa Concerto authentication bypass exposing administrative endpoints; fixed April 2025 in 12.2.1 GA), CVE-2025-31125 (Vite improper access control that returns the contents of arbitrary files to the browser via ?inline&import or ?raw?import; fixed March 2025 in 6.2.4, 6.1.3, 6.0.13, 5.4.16 and 4.5.11), and CVE-2025-54313 (embedded malicious code in eslint-config-prettier that runs a DLL dubbed Scavenger Loader, which in turn delivers an information stealer). The fourth entry differs from the other three: it is not a defect in the package's own code but the July 2025 npm supply-chain compromise, in which maintainers were phished with a fake email-verification link, the harvested credentials were used to publish trojanized versions of eslint-config-prettier and six other packages, and so the relevant check is whether a project's lockfile pins one of the trojanized versions rather than whether a vendor patch has been applied. CrowdSec reported exploitation attempts against CVE-2025-68645 since January 14, 2026, but no public details of the techniques used in that activity are available.
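As an added example (not code from The Hacker News article, CISA, or the affected projects), the check a practitioner wants for the eslint-config-prettier case is a scan of a project's package-lock.json for the trojanized versions. The blocklist below is recalled from the npm/GitHub advisories for that incident and should be treated as an assumption to be confirmed against the GitHub Advisory Database before use; the sample lockfile is constructed. The scanner handles both the flat `packages` map of lockfile versions 2 and 3 and the nested `dependencies` tree of version 1, and counts a package once even when a v2 lockfile records it in both shapes.

```javascript
// Added example, not code from the article, CISA or the affected projects:
// scan an npm package-lock.json for the trojanized versions published in the
// July 2025 compromise behind CVE-2025-54313.
//
// ASSUMPTION: the version lists below are recalled from the npm/GitHub
// advisories for that incident; confirm them against the advisory database
// before relying on this blocklist.
const COMPROMISED = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  "synckit": ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
  "napi-postinstall": ["0.3.1"],
  "got-fetch": ["5.1.11", "5.1.12"],
  "is": ["3.3.1", "5.0.0"],
};

// lockfileVersion 1 stores a nested "dependencies" tree. Walk it recursively,
// building the same node_modules/... path that v2/v3 use as map keys so the
// two representations dedupe against each other.
function* walkDependencyTree(deps, parentPath) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${parentPath}node_modules/${name}`;
    yield { name, version: entry.version, path };
    if (entry.dependencies) yield* walkDependencyTree(entry.dependencies, path + "/");
  }
}

// Yield every installed package recorded in the lockfile, whatever its version.
function* walkLockfile(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed "node_modules/a/node_modules/@scope/b".
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "" || !entry.version) continue; // root project, or a link with no resolved version
      const idx = key.lastIndexOf("node_modules/");
      // Scoped names keep their "@scope/" prefix because we cut at the last "node_modules/".
      const name = entry.name || (idx === -1 ? key : key.slice(idx + "node_modules/".length));
      yield { name, version: entry.version, path: key };
    }
  }
  if (lock.dependencies) {
    // lockfileVersion 1 (and v2, which carries both shapes for compatibility).
    yield* walkDependencyTree(lock.dependencies, "");
  }
}

// Return every installed package whose (name, version) is on the blocklist.
// Accepts either a parsed object or the raw JSON text of package-lock.json.
function findCompromised(lockfile, blocklist = COMPROMISED) {
  const lock = typeof lockfile === "string" ? JSON.parse(lockfile) : lockfile;
  const hits = new Map(); // keyed path@version so v2's duplicate shapes count once
  for (const pkg of walkLockfile(lock)) {
    const bad = blocklist[pkg.name];
    if (bad && bad.includes(pkg.version)) hits.set(`${pkg.path}@${pkg.version}`, pkg);
  }
  return [...hits.values()];
}

// Constructed sample lockfile (v3) for a stand-alone run; not from any real project.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7", dev: true },
    "node_modules/eslint-plugin-prettier": { version: "5.2.1", dev: true },
    "node_modules/eslint-plugin-prettier/node_modules/synckit": { version: "0.11.9", dev: true },
    "node_modules/@pkgr/core": { version: "0.2.8", dev: true },
    "node_modules/is": { version: "3.3.0" },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]; with no argument the
// constructed sample is scanned. Exit code 1 on hits only when a real file was given.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
  const hits = findCompromised(lock);
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  if (hits.length === 0) console.log("no trojanized versions found");
  if (process.argv[2]) process.exitCode = hits.length ? 1 : 0;
}
```

Run it against every package-lock.json in a monorepo (including lockfiles committed under nested workspaces), not just the root, since a trojanized version pulled in transitively by one workspace does not appear in another's lockfile. The scan tells you only whether the bad version was resolved; whether its install script actually ran on a developer machine is a separate host-forensics question.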
Read at The Hacker News