The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) Catalog by incorporating five additional security flaws, underscoring the persistent threats targeting widely used software systems. This update highlights the critical need for organizations to promptly address these vulnerabilities to safeguard their digital infrastructures.
Oracle E-Business Suite Vulnerabilities
Among the newly listed vulnerabilities, two pertain to Oracle’s E-Business Suite (EBS), a comprehensive suite of enterprise resource planning (ERP) applications.
1. CVE-2025-61884: This server-side request forgery (SSRF) vulnerability resides in the Runtime component of Oracle Configurator. With a Common Vulnerability Scoring System (CVSS) score of 7.5, it allows unauthenticated attackers to gain unauthorized access to sensitive data. The flaw is remotely exploitable without the need for authentication, making it particularly concerning.
2. CVE-2025-61882: Previously identified and actively exploited, this critical vulnerability has a CVSS score of 9.8. It enables unauthenticated attackers to execute arbitrary code on vulnerable Oracle EBS instances. Recent reports from Google’s Threat Intelligence Group (GTIG) and Mandiant indicate that numerous organizations have been impacted by exploits targeting this flaw. While specific threat actors have not been conclusively identified, there is speculation that some exploitation activities may be linked to groups conducting Cl0p-branded extortion operations.
Microsoft Windows SMB Client Vulnerability
Another significant addition to the KEV Catalog is:
– CVE-2025-33073: This vulnerability involves improper access control within the Microsoft Windows Server Message Block (SMB) Client. With a CVSS score of 8.8, it could allow attackers to escalate privileges on affected systems. Microsoft addressed this issue in its June 2025 security updates.
Kentico Xperience CMS Vulnerabilities
Two critical vulnerabilities have been identified in Kentico Xperience, a popular content management system (CMS):
1. CVE-2025-2746: This authentication bypass vulnerability, with a CVSS score of 9.8, allows attackers to control administrative objects by exploiting the Staging Sync Server’s handling of empty SHA1 usernames during digest authentication. Kentico released patches for this issue in March 2025.
2. CVE-2025-2747: Similar in nature to CVE-2025-2746, this vulnerability also has a CVSS score of 9.8 and involves authentication bypass through the Staging Sync Server’s handling of the server-defined None type. Patches were made available by Kentico in March 2025.
Apple’s JavaScriptCore Vulnerability
The final addition to the KEV Catalog is:
– CVE-2022-48503: This vulnerability pertains to improper validation of array indices in Apple’s JavaScriptCore component. With a CVSS score of 8.8, it could lead to arbitrary code execution when processing malicious web content. Apple addressed this issue in July 2022.
Implications and Recommendations
The inclusion of these vulnerabilities in the KEV Catalog signifies their active exploitation in the wild, posing substantial risks to organizations relying on the affected software. Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities by November 10, 2025, to protect their networks from active threats.
Organizations are strongly advised to:
– Assess and Patch Systems Promptly: Review systems for the presence of these vulnerabilities and apply the necessary patches without delay.
– Monitor for Unusual Activity: Implement monitoring mechanisms to detect potential exploitation attempts or unauthorized access.
– Educate and Train Staff: Ensure that IT and security teams are aware of these vulnerabilities and understand the steps required to mitigate associated risks.
By proactively addressing these vulnerabilities, organizations can significantly reduce the likelihood of successful cyberattacks and enhance the overall security posture of their digital environments.
