The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, formally confirming that a recently disclosed vulnerability affecting Oracle E-Business Suite (EBS) has been weaponized in a real-world attack.
The security flaw in question is CVE-2025-61884 (CVSS score: 7.5), which describes a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component that could allow an attacker to gain unauthorized access to sensitive data.
“This vulnerability can be exploited remotely without authentication,” CISA said.
CVE-2025-61884 is the second flaw in Oracle EBS to be actively exploited, along with CVE-2025-61882 (CVSS score: 9.8), and is a critical bug that could allow an unauthenticated attacker to execute arbitrary code on a vulnerable instance.
Earlier this month, Google Threat Intelligence Group (GTIG) and Mandiant revealed that dozens of organizations may have been affected by exploits of CVE-2025-61882.
“While we are unable to determine at this time whether a specific exploit activity is the work of a specific attacker, it is likely that at least some of the exploit activity we observed was carried out by an actor currently conducting Cl0p-branded extortion operations,” Xander Wark, senior security engineer at GTIG, told Hacker News last week.
Four other vulnerabilities were added to the KEV catalog by CISA.
- CVE-2025-33073 (CVSS Score: 8.8) – Improper access control vulnerability in Microsoft Windows SMB Client could allow privilege escalation (fixed by Microsoft in June 2025)
- CVE-2025-2746 (CVSS Score: 9.8) – Authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS could allow an attacker to take control of managed objects by leveraging the Staging Sync Server password handling of empty SHA1 usernames in Digest Authentication (fixed in Kentico in March 2025)
- CVE-2025-2747 (CVSS Score: 9.8) – Authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS could allow an attacker to take control of managed objects by leveraging the staging sync server’s password handling for the None type in the server definition (fixed in Kentico in March 2025)
- CVE-2022-48503 (CVSS Score: 8.8) – Improper validation of array index vulnerability in Apple’s JavaScriptCore component could lead to arbitrary code execution when processing web content (fixed by Apple in July 2022)
Although details about how the four aforementioned issues are being exploited in the wild are currently unknown, details regarding CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747 have been shared by researchers at Synacktiv and watchTowr Labs, respectively.
Federal Civilian Executive Branch (FCEB) agencies must fix identified vulnerabilities by November 10, 2025 to protect their networks from active threats.
