Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202601-00000024

[Content Description]
【CVE-2026-20045】Cisco Unified Communications Products Code Injection Vulnerability (CVSS v3.1: 8.2)
【Ransomware Exploitation: Unknown】 A code injection vulnerability exists in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM Presence Service (Unified CM IM P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance. This vulnerability could allow attackers to gain user-level access to the underlying operating system and further escalate privileges to root.

【CVE-2025-68645】Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability (CVSS v3.1: 8.8)
【Ransomware Exploitation: Unknown】 A PHP remote file inclusion vulnerability exists in Synacor Zimbra Collaboration Suite (ZCS), which could allow a remote attacker to influence internal request distribution by sending specially crafted requests to the /h/rest endpoint, potentially including arbitrary files in the WebRoot directory.

【CVE-2025-34026】Versa Concerto Improper Authentication Vulnerability (CVSS v3.1: 7.5)
【Ransomware Exploitation: Unknown】 An improper authentication vulnerability exists in the Traefik reverse proxy configuration of the Versa Concerto SD-WAN orchestration platform, which could allow attackers to access management endpoints. The internal Actuator endpoint could be exploited to obtain Heap Dumps and tracing logs.

【CVE-2025-31125】Vite Vitejs Improper Access Control Vulnerability (CVSS v3.1: 5.3)
【Exploited by Ransomware: Unknown】 Vite Vitejs contains an improper access control vulnerability that allows attackers to access unauthorized file content through specific query parameters. Applications that only expose the Vite development server (using the --host or server.host setting options) are affected.

【CVE-2025-54313】Prettier eslint-config-prettier Embedded Malicious Code Vulnerability (CVSS v3.1: 7.5)
【Exploited by Ransomware: Unknown】 Prettier eslint-config-prettier contains an embedded malicious code vulnerability. When an affected package is installed, the system executes the install.js file and launches the malicious program node-gyp.dll on Windows systems.

【CVE-2024-37079】Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability (CVSS v3.1: 9.8)
【Exploitation by Ransomware: Unknown】 A vulnerability exists in the implementation of the DCERPC communication protocol in Broadcom VMware vCenter Server, allowing for out-of-bounds write vulnerabilities. A malicious attacker with network access to vCenter Server could potentially execute remote code by sending specially crafted network packets.

[Affected Platforms]
【CVE-2026-20045】Please refer to the official list of affected versions: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

【CVE-2025-68645】Please refer to the official list of affected versions: https://wiki.zimbra.com/wiki/Security_Center

【CVE-2025-34026】Please refer to the official list of affected versions: https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e

【CVE-2025-31125】Please refer to the official list of affected versions https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8

【CVE-2025-54313】Please refer to the affected versions listed in the official documentation: https://github.com/advisories/GHSA-f29h-pxvx-f335

【CVE-2024-37079】Please refer to the affected versions listed in the official documentation: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453

[Recommended Actions]
【CVE-2026-20045】An official patch update has been released for this vulnerability. Please update to the relevant version. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b

【CVE-2025-68645】 An official patch update has been released for this vulnerability. Please update to the relevant version. https://wiki.zimbra.com/wiki/Security_Center

【CVE-2025-34026】 An official patch update has been released for this vulnerability. Please update to the relevant version. https://security-portal.versa-networks.com/emailbulletins/6830f94328defa375486ff2e

【CVE-2025-31125】 An official patch update has been released for this vulnerability. Please update to the relevant version. https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8

【CVE-2025-54313】 An official patch for this vulnerability has been released. Please update to the relevant version. https://github.com/advisories/GHSA-f29h-pxvx-f335

【CVE-2024-37079】 An official patch for this vulnerability has been released. Please update to the relevant version. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453