
Four vulnerabilities added to CISA’s ‘known exploited’ listing

Hackers are reportedly having a field day with vulnerabilities in Vite, Versa Concerto, Zimbra Collaboration Suite, and several NPM packages.

Fri, 23 Jan 2026

The US Cybersecurity & Infrastructure Security Agency has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog.

CVE-2025-31125 is a vulnerability in Vite, a frontend tooling framework for JavaScript. According to a security update posted to Vite’s GitHub repository in March 2025, the vulnerability could allow attackers to read arbitrary files.

Thankfully, only apps explicitly exposing the Vite dev server to the network are affected. The vulnerability impacts the following versions:

  • Versions 6.2.0 up to 6.2.4
  • Versions 6.1.0 up to 6.1.3

CVE-2025-34026 impacts versions 12.1.2 through 12.2.0 of SD-WAN orchestration platform Versa Concerto. First published in May 2025 and updated in November, the flaw leaves the platform vulnerable to an authentication bypass in the Traefik reverse proxy configuration, possibly allowing an attacker to access administrative endpoints.

The CVE is one of a string of vulnerabilities researched by open source cyber security outfit Project Discovery.

“Our research into the Versa Concerto platform has uncovered several critical vulnerabilities that pose significant security risks to enterprises relying on this technology,” Project Discovery said in a May 2025 blog post.

“These vulnerabilities, ranging from authentication bypasses to remote code execution and container escapes, highlight the potential for severe exploitation if left unaddressed.”

Which appears to be exactly what is happening now.

CVE-2025-68645 is a Local File Inclusion Vulnerability in the Webmail Classic UI of Zimbra Collaboration 10.0 and 10.1.

According to the CVE listing, “An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory”.

Finally, we have CVE-2025-54313, a supply chain compromise embedded in eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7. It was assigned a CVE in August 2025, but the compromise first came to light a month earlier, in July.

“A suspicious activity report in a GitHub issue on the eslint-config-prettier repo revealed that four new versions of eslint-config-prettier were published with no corresponding commits or PRs on GitHub,” application security firm Socket said in a July 19, 2025 blog post.

“Maintainers quickly discovered the new versions contained malicious code, including a Windows-specific payload attempting to load node-gyp.dll via rundll32.”
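A defensive check that follows from the version lists above, added here as an example that is not from the article, Socket, Vite or any other party named: it walks an npm package-lock.json (the lockfileVersion 2/3 "packages" map, including nested node_modules entries) and flags the eslint-config-prettier releases and Vite ranges the article lists. The Vite ranges are read as excluding the listed upper bound, taken to be the patched release, which is an assumption; the lockfile is constructed.

```javascript
// Added example: audit a package-lock.json for the versions named in the article.
const AFFECTED = {
  // exact releases listed for the eslint-config-prettier supply-chain compromise
  'eslint-config-prettier': { exact: ['8.10.1', '9.1.1', '10.1.6', '10.1.7'] },
  // Vite ranges; assumption: "up to" excludes the listed (patched) upper bound
  vite: { ranges: [['6.2.0', '6.2.4'], ['6.1.0', '6.1.3']] },
};

// Compare two semver strings numerically on major.minor.patch (pre-release tags ignored).
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  const rule = AFFECTED[name];
  if (!rule) return false;
  if (rule.exact && rule.exact.includes(version)) return true;
  if (rule.ranges) return rule.ranges.some(([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) < 0);
  return false;
}

// Keys in "packages" look like "node_modules/a/node_modules/b" or "node_modules/@scope/pkg";
// the package name is everything after the last "node_modules/".
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (meta.version && isAffected(name, meta.version)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile for the demonstration (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vite': { version: '6.2.1' },
    'node_modules/eslint-config-prettier': { version: '10.1.5' },
    'node_modules/some-tool/node_modules/eslint-config-prettier': { version: '10.1.7' },
    'node_modules/@scope/pkg': { version: '2.0.0' },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
```

Against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; a hit on a nested path shows a transitive dependency pulled the affected release in even when the top-level pin looks clean.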

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
