Newly Discovered Vulnerabilities Target Oracle and Microsoft in CISA Catalog


CISA Updates Known Exploited Vulnerabilities Catalog with Urgent Oracle EBS Flaw

On October 20, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the inclusion of five new security vulnerabilities in its Known Exploited Vulnerabilities (KEV) Catalog. This update underscores the urgent nature of a recently identified vulnerability affecting Oracle E-Business Suite (EBS), which has been confirmed as actively exploited in real-world attacks.

Key Vulnerability in Oracle EBS

The vulnerability designated CVE-2025-61884 has a CVSS score of 7.5 and is categorized as a server-side request forgery (SSRF) issue. The defect lies in the Runtime component of Oracle Configurator and could give malicious actors unauthorized access to critical data. Notably, CISA has emphasized that the vulnerability can be exploited remotely without any authentication, a significant concern for organizations running Oracle EBS.

Secondary Vulnerability Also Under Exploitation

Alongside CVE-2025-61884, CISA has identified a second vulnerability in Oracle EBS: CVE-2025-61882, which carries a CVSS score of 9.8. This critical vulnerability could allow unauthenticated attackers to execute arbitrary code on affected systems, further compounding the risks associated with the EBS platform. Recent insights from the Google Threat Intelligence Group (GTIG) and Mandiant indicate that numerous organizations have likely been impacted by the exploitation of CVE-2025-61882.

Zander Work, a senior security engineer at GTIG, noted that while the exact actors behind the exploitation have not yet been determined, there is a strong possibility that some of the observed activity is linked to groups known for employing Cl0p-branded extortion tactics.

Additional Vulnerabilities Listed by CISA

In addition to the Oracle issues, CISA has added four more vulnerabilities to the KEV catalog, each posing significant risks. These include:

  1. CVE-2025-33073 (CVSS score: 8.8): an improper access control vulnerability in the Microsoft Windows SMB Client that could enable privilege escalation. Microsoft addressed this flaw in June 2025.
  2. CVE-2025-2746 (CVSS score: 9.8): an authentication bypass via an alternate path or channel in Kentico Xperience CMS, which could let attackers take control of administrative objects by exploiting weaknesses in Staging Sync Server password handling. It was fixed in March 2025.
  3. CVE-2025-2747 (CVSS score: 9.8): like CVE-2025-2746, an authentication bypass in Kentico Xperience CMS, this one in the handling of None type server definitions in Staging Sync Server password management. It was also remediated in March 2025.
  4. CVE-2022-48503 (CVSS score: 8.8): improper validation of array indices in Apple’s JavaScriptCore, which may lead to arbitrary code execution when processing web content. Apple resolved this issue in July 2022.

Urgent Remediation Required

Currently, details on the exploitation methods for the newly listed vulnerabilities, apart from those affecting Oracle EBS, remain sparse. Nevertheless, researchers from Synacktiv and watchTowr Labs have begun to share information about CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747.

Federal Civilian Executive Branch (FCEB) agencies are mandated to resolve these identified vulnerabilities by November 10, 2025, to strengthen their defenses against these active threats. Given the severity of these vulnerabilities, swift action is critical. Organizations relying on affected systems must prioritize patching and securing their networks to mitigate risks associated with these vulnerabilities.
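The practical step behind the KEV mandate is to check the catalog against what you actually run and track the CISA due date. The script below is an added example, not CISA's code; it parses a constructed excerpt that follows the public KEV JSON field names (cveID, vendorProject, product, dateAdded, dueDate) and uses a hypothetical asset inventory.

```python
"""Triage CISA KEV entries against an asset inventory (added example)."""
import json
from datetime import date

# Constructed excerpt using the KEV JSON field names; the live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Product strings here are illustrative, not copied from the real catalog.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10"},
    {"cveID": "CVE-2025-33073", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10"},
    {"cveID": "CVE-2025-2746", "vendorProject": "Kentico", "product": "Xperience CMS",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10"},
    {"cveID": "CVE-2022-48503", "vendorProject": "Apple", "product": "JavaScriptCore",
     "dateAdded": "2025-10-20", "dueDate": "2025-11-10"},
]})

# Hypothetical inventory: lower-cased (vendor, product) pairs the organisation runs.
INVENTORY = {("oracle", "e-business suite"), ("microsoft", "windows")}


def triage_kev(kev_json: str, inventory, today: date):
    """Return (cveID, days_left) for KEV entries that match the inventory.

    Results are sorted so the most urgent item comes first; a negative
    days_left means the CISA due date has already passed.
    """
    hits = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        if key not in inventory:
            continue  # not deployed here, no remediation clock to track
        due = date.fromisoformat(v["dueDate"])
        hits.append((v["cveID"], (due - today).days))
    return sorted(hits, key=lambda h: h[1])


def overdue(kev_json: str, inventory, today: date):
    """CVE IDs in the inventory whose CISA due date has already passed."""
    return [cve for cve, days in triage_kev(kev_json, inventory, today) if days < 0]


if __name__ == "__main__":
    for cve, days in triage_kev(KEV_SAMPLE, INVENTORY, date(2025, 10, 21)):
        print(f"{cve}: {days} days until the CISA due date")
```

Swap `KEV_SAMPLE` for the downloaded feed and `INVENTORY` for your CMDB export to get a due-date-ordered worklist.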
