CISA warning about attacks on VMware vCenter, Zimbra, and more
CISA warns of observed attacks on VMware vCenter, Zimbra, Vite Vitejs, Versa Concerto, and Prettier.
The U.S. cybersecurity agency CISA warns of attacks on five products. The vulnerabilities have apparently been known for some time. Admins should update immediately.
In an alert, CISA warns that attacks have been observed in the wild on Vite Vitejs, Versa Concerto, Prettier, and Zimbra, among others. Vitejs apparently allows access to resources that should be blocked, potentially revealing protected information (CVE-2025-31125, CVSS 5.3, Risk "medium"). In Versa Concerto, attackers can bypass authentication (CVE-2025-34026, CVSS 9.2, Risk "critical"). Some versions of "eslint-config-prettier" contained malicious code as part of a supply chain attack (CVE-2025-54313, CVSS 7.5, Risk "high").
Attacks on widely used software
Attackers are also exploiting a vulnerability in Zimbra. This is a file inclusion vulnerability: attackers on the network can send carefully crafted requests to the API endpoint "/h/rest" without authentication and thereby include arbitrary files from the webroot directory (CVE-2025-68645, CVSS 8.8, Risk "high"). In early January, the Federal Office for Information Security (BSI) warned that many hundreds of Zimbra servers in Germany are freely accessible on the internet and, in some cases, still vulnerable to security flaws.
Additionally, attacks on a root vulnerability in VMware vCenter Server have been observed (CVE-2024-37079, CVSS 9.8, Risk "critical"). This is a heap-based buffer overflow that attackers can trigger by sending carefully crafted network packets, allowing them to inject and execute malicious code.
The vendors are closing the security vulnerabilities with security updates. Because of the observed attacks, IT managers should make sure the updates are applied now at the latest.
(dmk)