Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, officially confirming a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks. The security defect in question is CVE-2025-61884 (CVSS score: 7.5), which has been described as a
Analysis Summary
# Vulnerability: Five Exploited Vulnerabilities Added to CISA KEV Catalog (Oracle, Microsoft, Kentico, Apple)
## CVE Details
- CVE ID: CVE-2025-61884
- CVSS Score: 7.5 (High)
- CWE: Server-Side Request Forgery (SSRF)
- CVE ID: CVE-2025-61882
- CVSS Score: 9.8 (Critical)
- CWE: Arbitrary Code Execution
- CVE ID: CVE-2025-33073
- CVSS Score: 8.8 (High)
- CWE: Improper Access Control
- CVE ID: CVE-2025-2746
- CVSS Score: 9.8 (Critical)
- CWE: Authentication Bypass (Alternate Path/Channel)
- CVE ID: CVE-2025-2747
- CVSS Score: 9.8 (Critical)
- CWE: Authentication Bypass (Alternate Path/Channel)
- CVE ID: CVE-2022-48503
- CVSS Score: 8.8 (High)
- CWE: Improper Validation of Array Index
## Affected Systems
- Products: Oracle E-Business Suite (EBS), Microsoft Windows (SMB Client), Kentico Xperience CMS, Apple JavaScriptCore.
- Versions: Not explicitly detailed, but applies to versions of Oracle EBS affected by CVE-2025-61884 and CVE-2025-61882.
- Configurations: Specific configurations for Oracle Configurator Runtime component are vulnerable to SSRF (CVE-2025-61884). Kentico flaws relate to Staging Sync Server password handling (empty SHA1 usernames/None type).
## Vulnerability Description
The summary covers five distinct vulnerabilities added to the CISA KEV Catalog:
1. **CVE-2025-61884 (Oracle EBS):** An SSRF vulnerability in the Oracle Configurator Runtime component allows unauthorized access to critical data.
2. **CVE-2025-61882 (Oracle EBS):** A critical vulnerability allowing unauthenticated attackers to execute arbitrary code.
3. **CVE-2025-33073 (Microsoft Windows):** An improper access control vulnerability in the SMB Client leading to privilege escalation.
4. **CVE-2025-2746 & CVE-2025-2747 (Kentico Xperience CMS):** Authentication bypass vulnerabilities in the Staging Sync Server related to digest authentication handling, allowing administrative object control.
5. **CVE-2022-48503 (Apple):** An improper validation of array index flaw in JavaScriptCore that could lead to arbitrary code execution when processing web content.
## Exploitation
- Status: **CVE-2025-61884** is confirmed to be weaponized/actively exploited. **CVE-2025-61882** exploitation in the wild has been observed, potentially linked to Cl0p-branded actors. Exploitation status for the other four listed CVEs is not explicitly detailed as being exploited *in the wild* beyond their inclusion in the KEV list, though research details exist.
- Complexity: CVE-2025-61884 is remotely exploitable without authentication. CVE-2025-61882, CVE-2025-2746, and CVE-2025-2747 are rated as critical (9.8), suggesting relatively low complexity for achieving high impact.
- Attack Vector: Primarily **Network** (Remote, Unauthenticated for several critical Oracle/Kentico flaws).
## Impact
- Confidentiality: High (Especially CVE-2025-61884 SSRF and potential data exposure from code execution).
- Integrity: High (Arbitrary Code Execution from CVE-2025-61882, Privilege Escalation from CVE-2025-33073, Administrative Control from Kentico flaws).
- Availability: Potentially High (Arbitrary Code Execution can lead to system disruption).
## Remediation
### Patches
- **CVE-2025-61884 & CVE-2025-61882:** Patches released by Oracle (specific versions not listed).
- **CVE-2025-33073:** Fixed by Microsoft in June 2025.
- **CVE-2025-2746 & CVE-2025-2747:** Fixed by Kentico in March 2025.
- **CVE-2022-48503:** Fixed by Apple in July 2022.
*Note: Federal Civilian Executive Branch (FCEB) agencies are required to remediate by November 10, 2025.*
### Workarounds
- No specific workarounds were detailed in the summary text, other than the necessary patching timeline for FCEB agencies.
## Detection
- Indicators of Compromise: Not specified for individual CVEs besides the confirmation of exploitation for the Oracle issues.
- Detection Methods and Tools: Organizations should prioritize scanning for and applying patches for all listed CVEs, especially the Oracle EBS vulnerabilities confirmed to be actively weaponized. (General defense against known exploited vulnerabilities.)
## References
- Vendor advisories: CISA KEV Catalog: hxxps://www.cisa.gov/news-events/alerts/2025/10/20/cisa-adds-five-known-exploited-vulnerabilities-catalog
- Relevant links: Oracle EBS flaw: hxxps://thehackernews.com/2025/10/new-oracle-e-business-suite-bug-could.html; Oracle critical bug: hxxps://thehackernews.com/2025/10/oracle-rushes-patch-for-cve-2025-61882.html
- CVE Records: CVE-2025-33073, CVE-2025-2746, CVE-2025-2747, CVE-2022-48503.