The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog in October 2025, adding several high-impact vulnerabilities being leveraged in real-world attacks. Organizations are urged to prioritize patching and mitigation to reduce exposure to these critical threats.
What is the KEV Catalog?
CISA’s KEV catalog is a dynamic resource containing vulnerabilities that are both actively exploited by malicious actors and pose substantial risk to enterprises and federal infrastructures. Catalog inclusion signals urgent prioritization for vulnerability management, requiring federal agencies to act within a defined deadline.
New Critical Additions
CVE-2025-61882 (Oracle E-Business Suite Pre-Auth RCE)
- Remotely exploitable vulnerability in Oracle E-Business Suite’s BI Publisher Integration allows unauthenticated attackers to compromise Oracle Concurrent Processing via HTTP, leading to remote code execution or data theft.
- CVSS: 9.8 (Critical). Actively exploited in ransomware campaigns.
- Affects E-Business Suite versions 12.2.3 – 12.2.14. Requires immediate patching and monitoring for suspicious HTTP traffic targeting Oracle BI Publisher.
CVE-2010-3765 (Mozilla Firefox, Thunderbird, SeaMonkey RCE)
- Memory corruption flaw in Mozilla Firefox (3.5.x–3.5.14, 3.6.x–3.6.11), Thunderbird (3.x), and SeaMonkey.
- Exploitable via JavaScript, allowing remote attackers to execute arbitrary code by manipulating frame construction in the browser. Exploited in the wild by the “Belmoo” malware.
CVE-2011-3402 (Windows TrueType Font Parsing RCE)
- Vulnerability in the Windows kernel’s TrueType font parsing engine (win32k.sys), allowing remote code execution via malicious font files in documents or web pages.
- Used in attacks linked to targeted threats (e.g., Duqu malware family). Affects multiple Windows versions; patched in December 2011.
CVE-2013-3918 (Windows InformationCardSigninHelper ActiveX RCE)
- Out-of-bounds write in the InformationCardSigninHelper ActiveX control (icardie.dll), exploitable via malicious web pages.
- Allows remote code execution under the privileges of the current user, with attacks discovered in the wild targeting IE 7/8 on Windows XP.
CVE-2021-43226 (Windows Common Log File System Driver Privilege Escalation)
- Privilege escalation vulnerability in Windows CLFS driver allows local attackers to obtain higher privileges by exploiting improper object management in the driver, affecting multiple Windows releases.
- CVSS: 7.8 (High). Requires local access.
CVE-2010-3962 (Internet Explorer 6, 7, 8 Use-After-Free RCE)
- Use-after-free vulnerability in MSIE (6–8) related to CSS token sequences and the “clip” attribute, enabling remote code execution through memory corruption via crafted web content.
- Heavily exploited (November 2010) before patching.
CVE-2021-22555 (Linux Kernel Netfilter Local Privilege Escalation)
- Heap out-of-bounds write in Linux kernel’s net/netfilter/x_tables.c, affecting kernels since v2.6.19-rc1.
- Local attackers can escalate privileges or cause DoS through heap corruption.
- CVSS: 7.8–9.7 (High to Critical), exploits available, impacts all modern Linux distributions.
Each of these vulnerabilities is known for enabling either remote code execution or privilege escalation, and several have been weaponized in real-world attacks or malware campaigns. Patching, monitoring, and (where applicable) legacy software retirement are strongly advised.
Real-World Risks & Exploitation
These vulnerabilities have been weaponized in the wild, with exploitation spanning ransomware (Oracle E-Business), advanced persistent threat groups (Windows/IE flaws), and automated malware targeting internet-exposed systems. Many impact legacy technologies still common in enterprise and critical infrastructure, making rapid patching essential.
Action Steps
- Patch Immediately: Apply vendor updates as soon as possible, especially for external and internet-facing systems.
- Review Access Controls: Restrict exposed services and implement multi-factor authentication and network segmentation where possible.
- Monitor For Indicators: Watch for suspicious behavior related to the affected products, such as unusual HTTP traffic, unauthorized system changes, or privilege escalation attempts.
- Harden Legacy Systems: Where patching is not feasible, increase monitoring, apply virtual patching, or isolate legacy environments.
Why KEV Additions Matter
KEV catalog entry is a clear signal: These flaws are not theoretical—they are actively targeted, with successful exploitation resulting in data theft, business interruption, or full system compromise. Security teams must elevate these CVEs in their vulnerability management pipeline immediately.
