The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, formally confirming that a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks.
The security defect in question is CVE-2025-61884 (CVSS score: 7.5), which has been described as a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator that could allow attackers unauthorized access to critical data.
“This vulnerability is remotely exploitable without authentication,” CISA said.
CVE-2025-61884 is the second flaw in Oracle EBS to be actively exploited, alongside CVE-2025-61882 (CVSS score: 9.8), a critical bug that could allow unauthenticated attackers to execute arbitrary code on susceptible instances.
Earlier this month, Google Threat Intelligence Group (GTIG) and Mandiant revealed that dozens of organizations may have been impacted following the exploitation of CVE-2025-61882.
“At this time, we aren’t able to attribute any specific exploitation activity to a particular actor, but it’s likely that at least some of the exploitation activity we observed was conducted by actors now conducting Cl0p-branded extortion operations,” Zander Work, senior security engineer at GTIG, told The Hacker News last week.
Also added by CISA to the KEV catalog are four other vulnerabilities –
- CVE-2025-33073 (CVSS score: 8.8) – An improper access control vulnerability in Microsoft Windows SMB Client that could allow for privilege escalation (Fixed by Microsoft in June 2025)
- CVE-2025-2746 (CVSS score: 9.8) – An authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS that could allow an attacker to control administrative objects by taking advantage of the Staging Sync Server password handling of empty SHA1 usernames in digest authentication (Fixed in Kentico in March 2025)
- CVE-2025-2747 (CVSS score: 9.8) – An authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS that could allow an attacker to control administrative objects by taking advantage of the Staging Sync Server password handling for the server-defined None type (Fixed in Kentico in March 2025)
- CVE-2022-48503 (CVSS score: 8.8) – An improper validation of array index vulnerability in Apple’s JavaScriptCore component that could result in arbitrary code execution when processing web content (Fixed by Apple in July 2022)
There are currently no details on how the aforementioned four issues are being exploited in the wild, although details about CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747 were shared by researchers from Synacktiv and watchTowr Labs, respectively.
GuidePoint Security researcher Cameron Stish, who also independently reported CVE-2025-33073 (aka the Reflective Kerberos relay attack or LoopyTicket), alongside CrowdStrike, SySS GmbH, RedTeam Pentesting GmbH, Google Project Zero, and Ahamada M’Bamba, said the vulnerability could be exploited to obtain elevated code execution on a domain controller if SMB signing is not enforced.
Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by November 10, 2025, to secure their networks against active threats.