CISA Adds VMware vCenter, Zimbra Flaws to Exploited List
Five vulnerabilities added to CISA's KEV catalog this week. VMware vCenter RCE bug patched 18 months ago now seeing active exploitation.
CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week, requiring federal agencies to patch by mid-February. The additions include a VMware vCenter Server flaw patched over 18 months ago and a December 2025 Zimbra disclosure that attackers wasted no time exploiting.
Under Binding Operational Directive 22-01, federal agencies must remediate these vulnerabilities by the specified due dates. Private organizations aren't bound by the directive, but the KEV catalog serves as a useful prioritization guide—if CISA confirms active exploitation, attackers are likely targeting organizations beyond the federal government.
January 23: VMware vCenter Server
CVE-2024-37079 - Broadcom VMware vCenter Server Out-of-Bounds Write
CVSS: 9.8 | Due date: February 13, 2026
This vulnerability affects vCenter Server's DCERPC protocol implementation. An attacker with network access to vCenter can send specially crafted packets that trigger an out-of-bounds write, potentially leading to remote code execution.
The concerning detail: Broadcom patched this vulnerability in June 2024. Eighteen months later, attackers are exploiting it against organizations that still haven't applied the fix.
VMware vCenter manages ESXi hypervisor environments—compromising it gives attackers control over virtualized infrastructure. The VMware ESXi zero-day campaign by Chinese APT groups we covered earlier this month demonstrates the value attackers place on hypervisor management access.
January 22: Four Enterprise Software Flaws
CVE-2025-68645 - Synacor Zimbra Collaboration Suite PHP Remote File Inclusion
CVSS: 8.8 | Due date: February 12, 2026
Disclosed December 22, 2025, this vulnerability affects Zimbra Collaboration Suite versions 10.0 and 10.1. The Webmail Classic UI's RestFilter servlet improperly handles user-supplied parameters, allowing unauthenticated attackers to include arbitrary files from the WebRoot directory.
Zimbra has a long history as an exploitation target. Organizations running Zimbra should assume they're being scanned for this vulnerability continuously.
CVE-2025-34026 - Versa Concerto Improper Authentication
CVSS: 9.2 | Due date: February 12, 2026
This authentication bypass in Versa Concerto allows command injection, enabling arbitrary code execution. Researchers at ProjectDiscovery reported the issue to Versa in February 2025, and the vendor confirmed a fix in March 2025.
CVE-2025-31125 - Vite Vitejs Improper Access Control
CVSS: 5.3 | Due date: February 12, 2026
Vite is a popular frontend build tool. This access control vulnerability affects organizations using Vite in development or build pipelines.
CVE-2025-54313 - Prettier eslint-config-prettier Embedded Malicious Code
Due date: February 12, 2026
This supply chain compromise embedded malicious code in eslint-config-prettier, a widely-used ESLint configuration package. The addition to KEV confirms exploitation in federal environments—a reminder that supply chain attacks targeting developer tools represent an ongoing threat. We covered a similar n8n supply chain attack compromising OAuth tokens recently.
KEV Catalog Statistics
CISA added 245 vulnerabilities to the KEV catalog in 2025, bringing the total to 1,484. The catalog grows as the agency confirms exploitation of vulnerabilities across the software ecosystem.
The catalog's value lies in its confirmation of active exploitation. Vulnerability disclosures number in the tens of thousands annually, and organizations can't patch everything immediately. KEV entries represent vulnerabilities that attackers are actually using—not theoretical risks, but confirmed threats. Tracking KEV changes has gotten harder—GreyNoise built an RSS tool that catches silent CISA KEV updates that don't generate headlines.
Remediation Priorities
For organizations running affected software:
VMware vCenter: If you haven't patched since June 2024, this is overdue. Check your vCenter Server version and apply the cumulative updates. Given the 18-month gap between patch availability and confirmed exploitation, assume attackers have already been probing your environment.
Zimbra: Apply patches for CVE-2025-68645 immediately. Zimbra administrators should also review access logs for /h/rest endpoint activity indicating exploitation attempts.
Versa Concerto: Update to patched versions released in March 2025 or later.
Vite: Review your frontend build tooling and update Vite to current versions.
eslint-config-prettier: Audit your package-lock.json for affected versions and update dependencies. Review CI/CD pipeline logs for unexpected behavior.
Federal agencies face February 12-13 deadlines. Everyone else should treat these as urgent priorities—attackers don't wait for compliance deadlines.
For ongoing tracking of vulnerability news and patch priorities, the KEV catalog provides useful signal amid the noise of daily CVE disclosures.
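One way to put the prioritization above into practice, as an added example that is not part of the original article: a small Python script over the catalog JSON layout CISA publishes (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, dateAdded and dueDate fields). It diffs two catalog snapshots to surface additions and due-date changes that never make headlines, matches entries against a local asset inventory, and orders the matches by due date with overdue entries flagged. The snapshots and inventory are constructed sample data: the entries reuse the CVE ids and due dates from this article, but the vendor and product strings, the CVE-XXXX-PLACEHOLDER entry and the asset names are assumptions.

```python
"""Diff KEV catalog snapshots and prioritise matches against an inventory.

Added example; not code from the article or from CISA. Field names follow
the public KEV JSON feed; all entries below are constructed sample data.
"""
import json
from datetime import date

# Constructed "before" snapshot: one placeholder entry standing in for the
# existing catalog (CVE-XXXX-PLACEHOLDER is not a real identifier).
KEV_BEFORE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-XXXX-PLACEHOLDER", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2025-12-01", "dueDate": "2026-03-01"},
    ],
})

# Constructed "after" snapshot: the placeholder's due date has moved and this
# week's five additions are present (ids and due dates as reported above).
KEV_AFTER = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-XXXX-PLACEHOLDER", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2025-12-01", "dueDate": "2026-03-15"},
        {"cveID": "CVE-2024-37079", "vendorProject": "Broadcom",
         "product": "VMware vCenter Server", "dateAdded": "2026-01-23", "dueDate": "2026-02-13"},
        {"cveID": "CVE-2025-68645", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite", "dateAdded": "2026-01-22", "dueDate": "2026-02-12"},
        {"cveID": "CVE-2025-34026", "vendorProject": "Versa",
         "product": "Concerto", "dateAdded": "2026-01-22", "dueDate": "2026-02-12"},
        {"cveID": "CVE-2025-31125", "vendorProject": "Vite",
         "product": "Vitejs", "dateAdded": "2026-01-22", "dueDate": "2026-02-12"},
        {"cveID": "CVE-2025-54313", "vendorProject": "Prettier",
         "product": "eslint-config-prettier", "dateAdded": "2026-01-22", "dueDate": "2026-02-12"},
    ],
})

# Constructed inventory: keyword found in vendor+product -> assets running it.
INVENTORY = {
    "vcenter": ["vc01.corp.example"],
    "zimbra": ["mail.corp.example"],
    "eslint-config-prettier": ["ci-runner-frontend"],
}


def load_kev(raw: str) -> dict:
    """Index catalog entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def diff_catalog(before: str, after: str):
    """Return (ids added in `after`, ids whose dueDate changed between snapshots)."""
    old, new = load_kev(before), load_kev(after)
    added = sorted(set(new) - set(old))
    changed = sorted(c for c in new if c in old and new[c]["dueDate"] != old[c]["dueDate"])
    return added, changed


def match_inventory(raw: str, inventory: dict) -> list:
    """Case-insensitive substring match of inventory keywords on vendor + product."""
    hits = []
    for entry in load_kev(raw).values():
        label = f'{entry["vendorProject"]} {entry["product"]}'.lower()
        for keyword, assets in inventory.items():
            if keyword.lower() in label:
                hits.append({"cveID": entry["cveID"], "product": entry["product"],
                             "dueDate": entry["dueDate"], "assets": list(assets)})
    return hits


def prioritize(hits: list, today_iso: str) -> list:
    """Order hits by due date (ISO strings sort chronologically) and flag overdue ones."""
    today = date.fromisoformat(today_iso)
    ordered = sorted(hits, key=lambda h: h["dueDate"])
    for h in ordered:
        due = date.fromisoformat(h["dueDate"])
        h["days_left"] = (due - today).days
        h["overdue"] = due < today
    return ordered


if __name__ == "__main__":
    added, changed = diff_catalog(KEV_BEFORE, KEV_AFTER)
    print("new entries:", added)
    print("due-date changes:", changed)
    for h in prioritize(match_inventory(KEV_AFTER, INVENTORY), "2026-02-10"):
        flag = "OVERDUE" if h["overdue"] else f'{h["days_left"]}d left'
        print(f'{h["cveID"]} {h["product"]} due {h["dueDate"]} ({flag}) -> {h["assets"]}')
```

In practice the two snapshots would be yesterday's and today's download of the catalog, and the inventory would come from a CMDB export; the substring match is deliberately loose so that a vendor rename in the feed (Broadcom versus VMware, for instance) does not silently drop a hit, at the cost of a few false positives to review by hand.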
Related Articles
CISA Adds Four Flaws to KEV, Including 17-Year-Old ActiveX Bug
CISA confirms active exploitation of Chrome CVE-2026-2441, Zimbra SSRF, Windows ActiveX CVE-2008-0015, and ThreatSonar flaws. Federal agencies face March 10 deadline.
Feb 18, 2026

CISA Adds SolarWinds, Sangoma, GitLab Flaws to KEV
Four actively exploited vulnerabilities added to CISA's catalog including SolarWinds Web Help Desk deserialization flaw with CVSS 9.8. Federal agencies have until February 6 to patch.
Feb 4, 2026

CISA Adds Two Roundcube Flaws to KEV After Active Exploitation
CISA adds CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 to KEV catalog after attackers weaponized the deserialization flaw within 48 hours. Federal agencies must patch by March 13.
Feb 21, 2026

CISA Orders Feds to Patch Dell Flaw Within 3 Days
Federal agencies must patch CVE-2026-22769 by Saturday after CISA confirms Chinese hackers exploited the Dell RecoverPoint vulnerability since 2024.
Feb 19, 2026