The Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following confirmed reports of active exploitation across enterprise and consumer environments. These vulnerabilities affect Oracle E‑Business Suite, Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple’s WebKit/JavaScriptCore frameworks..
Under Binding Operational Directive (BOD) 22‑01, all U.S. federal agencies must remediate these flaws by November 10, 2025, while private organizations are strongly encouraged to follow suit to minimize compromise risks.
CVE‑2025‑61884 – Oracle E‑Business Suite SSRF Vulnerability
This Server‑Side Request Forgery (SSRF) flaw in Oracle E‑Business Suite Runtime UI (versions 12.2.3–12.2.14) allows unauthenticated remote attackers to access internal network resources through crafted HTTP requests.
- CVSS Score: 7.5
- Impact: Sensitive data exposure, unauthorized resource interaction
- Fix: Oracle released an emergency security patch on October 11, 2025
- Risk: Could enable attackers to pivot into internal ERP environments and exfiltrate business data
Oracle’s Chief Security Officer has urged immediate deployment of the patch as exploitation attempts have been detected in the wild.
CVE‑2025‑33073 – Microsoft Windows SMB Client Improper Access Control
The Windows SMB Client component suffers from an improper access control bug, allowing local attackers to escalate privileges to SYSTEM level. This vulnerability was initially patched in June 2025, but exploitation campaigns exploiting unpatched endpoints have now been confirmed.
- CVSS Score: 8.8
- Impact: Local privilege escalation, lateral movement
- Exploitation: Often chained with phishing payloads and weak credential vectors
- Recommendation: Apply Microsoft’s June 2025 cumulative update; restrict SMB exposure
The presence of readily available proof‑of‑concept code makes delayed remediation highly risky.
CVE‑2025‑2746 and CVE‑2025‑2747 – Kentico Xperience CMS Authentication Bypass Flaws
Two authentication bypass vulnerabilities in Kentico Xperience CMS Staging Sync Server—both rating CVSS 9.8—allow attackers to gain administrative control over websites by exploiting the CMS’s password handling mechanisms.
- CVE‑2025‑2746: Exploits handling of empty SHA‑1 usernames in digest authentication
- CVE‑2025‑2747: Bypasses authentication by abusing the “None” password type logic
Once compromised, attackers can:
- Create or delete administrative accounts
- Modify synchronized web content
- Upload malicious scripts or backdoors
Kentico issued fixes in March 2025, but new attack telemetry confirms these flaws are actively being used by threat actors targeting digital marketing and governmental web portals.
CVE‑2022‑48503 – Apple JavaScriptCore Arbitrary Code Execution
An older but still dangerous memory corruption issue in Apple’s JavaScriptCore engine affects Safari, iOS, macOS, tvOS, and watchOS. The flaw results from improper array index validation when processing malicious web content, enabling arbitrary code execution within the browser sandbox.
- CVSS Score: 8.8
- Patched: July 2022
- Impact: Full browser compromise via weaponized websites
- Relevance: Exploitation persists in unpatched or legacy Apple devices, especially in BYOD environments
CISA’s inclusion of this 2022 flaw underscores the long‑term exploitation lifecycle of browser‑based vulnerabilities.
Broader Implications and Action Required
CISA’s latest additions show how threat actors are actively chaining old and new vulnerabilities to compromise cloud‑connected systems, ERPs, and CMS environments. The common themes among these flaws include:
- Abuse of authentication weaknesses (Kentico)
- Privilege escalation through Windows SMB misconfigurations
- Exploitation of internet‑facing ERP modules (Oracle)
- Targeting browser engines still widely deployed (Apple)
Organizations should immediately:
- Audit asset inventories for affected versions of Oracle, Microsoft, Kentico, and Apple products.
- Apply vendor patches before CISA’s November 10 remediation deadline.
- Implement network segmentation and monitor logs for suspicious SMB and CMS activity.
- Subscribe to CISA’s KEV feed for proactive threat intelligence updates.
CISA’s October 2025 update to the KEV catalog reinforces a critical truth: patching delays invite exploitation. Whether managing ERP platforms or consumer devices, defenders must move quickly—because for adversaries, even legacy bugs remain potent entry points into modern networks.
