The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. This update officially confirms that a newly disclosed flaw in Oracle E-Business Suite (EBS) has been weaponized in real-world attacks, posing serious risks to organizations using affected systems.
Oracle E-Business Suite Flaws Under Attack
The primary vulnerability, CVE-2025-61884 (CVSS score 7.5), is identified as a Server-Side Request Forgery (SSRF) issue in the Runtime component of Oracle Configurator.
According to CISA, the flaw allows remote, unauthenticated attackers to gain unauthorized access to sensitive data.
This marks the second Oracle EBS vulnerability under active exploitation. The first, CVE-2025-61882 (CVSS score 9.8), enables unauthenticated remote code execution, giving attackers full control over vulnerable systems.
Recent research by Google Threat Intelligence Group (GTIG) and Mandiant revealed that dozens of organizations have already been affected by the exploitation of CVE-2025-61882.
“At this time, we are not able to attribute any specific exploitation activity to a specific actor, but it’s likely that some of the attacks were carried out by actors linked to Cl0p-branded extortion operations,” said Zander Work, Senior Security Engineer at GTIG, in an interview with The Hacker News.
Additional Vulnerabilities Added by CISA
CISA also listed four more vulnerabilities affecting Microsoft, Kentico, and Apple products. These include:
- CVE-2025-33073 (CVSS 8.8): An improper access control vulnerability in Microsoft Windows SMB Client, allowing privilege escalation if SMB signing is not enforced. (Patched by Microsoft in June 2025.)
- CVE-2025-2746 (CVSS 9.8): An authentication bypass vulnerability in Kentico Xperience CMS that exploits how the Staging Sync Server handles empty SHA1 usernames in digest authentication. (Fixed in March 2025.)
- CVE-2025-2747 (CVSS 9.8): Another authentication bypass issue in Kentico Xperience CMS, caused by mismanagement of the None type in server password handling. (Also fixed in March 2025.)
- CVE-2022-48503 (CVSS 8.8): A JavaScriptCore flaw in Apple’s WebKit engine, leading to arbitrary code execution during web content processing. (Patched by Apple in July 2022.)
While technical details about active exploitation of these flaws remain limited, cybersecurity researchers from Synacktiv and watchTowr Labs have publicly discussed exploitation methods related to CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747.
Expert Analysis on the Microsoft SMB Vulnerability
Security expert Cameron Stish from GuidePoint Security, who independently reported CVE-2025-33073 (also known as the Reflective Kerberos Relay Attack or LoopyTicket), warned that the flaw could allow attackers to achieve elevated code execution on domain controllers when SMB signing is disabled.
Other contributors to the discovery include CrowdStrike, SySS GmbH, RedTeam Pentesting GmbH, Google Project Zero, and Ahamada M’Bamba.
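Because the SMB client flaw is only exploitable where SMB signing is not required, auditing the signing settings on each host is the first check an administrator will want alongside the June 2025 patch. The PowerShell below is an added example written for this article, not code from CISA, Microsoft or GuidePoint; it relies on the built-in Get-SmbServerConfiguration and Get-SmbClientConfiguration cmdlets and the registry values they reflect, and the function name and its -Remediate switch are this example's own conventions.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally enforce) SMB signing on the local host.
# Reports both the server (LanmanServer) and client (LanmanWorkstation) roles,
# since a relay needs an unsigned session on at least one side.

function Test-SmbSigningEnforced {
    [CmdletBinding()]
    param(
        # When set, turn on RequireSecuritySignature for both roles and re-audit.
        [switch]$Remediate
    )

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Registry values behind the cmdlets, handy when comparing against a GPO baseline.
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srvReg = (Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue).RequireSecuritySignature
    $cliReg = (Get-ItemProperty -Path $cliKey -ErrorAction SilentlyContinue).RequireSecuritySignature

    $serverOk = [bool]$server.RequireSecuritySignature
    $clientOk = [bool]$client.RequireSecuritySignature

    if ($Remediate -and -not ($serverOk -and $clientOk)) {
        # Requiring (not merely enabling) signing on both roles is the mitigation
        # the advisory text points at; -Force suppresses the confirmation prompt.
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
        return Test-SmbSigningEnforced   # re-read the effective settings
    }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ServerRequiresSigning = $serverOk
        ClientRequiresSigning = $clientOk
        ServerRegistryValue   = $srvReg   # 1 = required, 0 = not required
        ClientRegistryValue   = $cliReg
        Compliant             = ($serverOk -and $clientOk)
    }
}

# Audit only; add -Remediate to enforce signing on a non-compliant host.
Test-SmbSigningEnforced | Format-List
```

For fleet-wide use, run the function through Invoke-Command and collect the Compliant field per host; a domain controller reporting ServerRequiresSigning = False is the case the GuidePoint analysis above singles out.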
Compliance Deadline for Federal Agencies
Under CISA’s directive, Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by November 10, 2025, to ensure protection against ongoing exploitation.
CISA continues to urge all organizations—public and private alike—to apply the latest patches and follow proactive vulnerability management strategies.