Five Vulnerabilities Added to CISA's Known Exploited Vulnerabilities Catalog
Summary
Five new vulnerabilities have been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog. These include a server-side request forgery (SSRF) flaw in Oracle E-Business Suite (EBS) and four other vulnerabilities affecting Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple's JavaScriptCore. The SSRF vulnerability in Oracle EBS has been actively exploited in real-world attacks. The vulnerabilities affect widely used software and have varying CVSS scores, indicating different levels of severity. Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by November 10, 2025, to protect against active threats.
Timeline
- 20.10.2025 22:00 (1 article)
CISA Adds Five New Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These include a server-side request forgery (SSRF) flaw in Oracle E-Business Suite (EBS) and vulnerabilities in Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple's JavaScriptCore. The SSRF vulnerability in Oracle EBS (CVE-2025-61884) has been actively exploited in real-world attacks. Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by November 10, 2025, to protect against active threats.
- Five New Exploited Bugs Land in CISA's Catalog — Oracle and Microsoft Among Targets — thehackernews.com — 20.10.2025 22:00
Information Snippets
- CVE-2025-61884 is a server-side request forgery (SSRF) vulnerability in Oracle EBS with a CVSS score of 7.5. It allows unauthorized access to critical data and is remotely exploitable without authentication.
First reported: 20.10.2025 22:00 (1 source, 1 article)
- CVE-2025-61882 is a critical bug in Oracle EBS with a CVSS score of 9.8. It permits unauthenticated attackers to execute arbitrary code on vulnerable instances.
First reported: 20.10.2025 22:00 (1 source, 1 article)
- CVE-2025-33073 is an improper access control vulnerability in Microsoft Windows SMB Client with a CVSS score of 8.8. It allows privilege escalation and was fixed by Microsoft in June 2025.
First reported: 20.10.2025 22:00 (1 source, 1 article)
- CVE-2025-2746 and CVE-2025-2747 are authentication bypass vulnerabilities in Kentico Xperience CMS, each with a CVSS score of 9.8. They allow attackers to control administrative objects and were fixed in March 2025.
First reported: 20.10.2025 22:00 (1 source, 1 article)
- CVE-2022-48503 is an improper validation of array index vulnerability in Apple's JavaScriptCore with a CVSS score of 8.8. It can result in arbitrary code execution when processing web content and was fixed by Apple in July 2022.
First reported: 20.10.2025 22:00 (1 source, 1 article)
- Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by November 10, 2025, to secure their networks against active threats.
First reported: 20.10.2025 22:00 (1 source, 1 article)