Advisory ID: NCC-CSIRT-2025-020
Summary:
CISA has added five newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalogue, confirming real-world attacks against major software products, including Oracle EBS and Microsoft Windows. The new entries are:
- A server-side request forgery (SSRF) issue (CVE-2025-61884) in the Runtime UI of Oracle Configurator in Oracle EBS that can be triggered without authentication.
- A Microsoft Windows SMB Client privilege escalation flaw (CVE-2025-33073).
- Authentication bypass vulnerabilities in the Kentico Xperience CMS Staging Sync Server (CVE-2025-2746 and CVE-2025-2747) enabling administrative control.
- An Apple JavaScriptCore arbitrary code execution flaw (CVE-2022-48503) affecting web content processing.
The Oracle EBS remote code execution vulnerability CVE-2025-61882, already listed in the KEV Catalogue, continues to be exploited; organisations remediating CVE-2025-61884 should confirm that the earlier fix is also applied.
CISA has set a remediation deadline of November 10, 2025, for federal agencies.
Damage/Probability: Critical/High
Product(s):
- Oracle E-Business Suite (EBS) – Oracle Configurator (Runtime UI) for CVE-2025-61884; Oracle Concurrent Processing (BI Publisher Integration) for CVE-2025-61882
- Microsoft Windows SMB Client
- Kentico Xperience CMS
- Apple JavaScriptCore
Version(s):
- Oracle EBS: 12.2.3 through 12.2.14 for CVE-2025-61884 (SSRF) and CVE-2025-61882 (RCE), per Oracle's security alerts
- Microsoft Windows SMB Client: CVE-2025-33073 (improper access control), fixed in the June 2025 Windows security updates for supported client and server editions
- Kentico Xperience 13: CVE-2025-2746 and CVE-2025-2747 (authentication bypass in Staging Sync Server), fixed in vendor hotfixes
- Apple JavaScriptCore: CVE-2022-48503 (array-index bounds checking), fixed in iOS 15.6, iPadOS 15.6, macOS Monterey 12.5 and the corresponding Safari, tvOS and watchOS releases
Platform(s):
Enterprise ERP systems, Windows client and server environments, CMS web platforms, Apple iOS/iPadOS/macOS devices using WebKit/JavaScriptCore.
Description:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalogue, confirming real-world attacks targeting major enterprise and consumer technologies from Oracle, Microsoft, Kentico, and Apple.
Two of the vulnerabilities affect Oracle E-Business Suite (EBS): a Server-Side Request Forgery (SSRF) flaw (CVE-2025-61884) in the Runtime UI of Oracle Configurator, and a Remote Code Execution (RCE) flaw (CVE-2025-61882) in the BI Publisher Integration component of Oracle Concurrent Processing. Both are reachable over HTTP without authentication. The SSRF lets an attacker make the EBS application tier issue requests on their behalf, reaching internal services, databases, or cloud metadata endpoints that are not exposed to the Internet; the RCE allows execution of arbitrary code on the EBS host. Exploitation of both has been observed in the wild, with threat actors using them for data exfiltration and lateral movement within enterprise networks.
The third flaw, CVE-2025-33073, impacts the Microsoft Windows SMB Client, where improper access control allows an attacker on the network to elevate privileges. Microsoft describes exploitation as coercing the victim machine into connecting back to an attacker-controlled system over SMB and authenticating, so the attack is network-based rather than purely local. It is particularly concerning in enterprise environments that do not require SMB signing or lack network segmentation, since an attacker who can reach the victim over SMB can use it to gain elevated rights and persistence.
Two additional vulnerabilities, CVE-2025-2746 and CVE-2025-2747, affect Kentico Xperience CMS. They stem from improper handling of authentication requests in the Staging Sync Server component, allowing unauthenticated users to bypass login controls and gain administrative access to the CMS. Once exploited, attackers can modify website content, deploy web shells through the administrative interface, or redirect users to malicious domains.
Lastly, CVE-2022-48503, a vulnerability in Apple's JavaScriptCore (the JavaScript engine used by WebKit-based browsers), results from insufficient bounds checking of array indices. This flaw allows attackers to execute arbitrary code on macOS and iOS devices when victims visit malicious or compromised websites. Although patched in 2022, it remains under active exploitation against devices that have not been updated, highlighting how older vulnerabilities continue to be leveraged against unpatched systems.
CISA’s analysis confirms that these vulnerabilities are being actively exploited in the wild, and federal agencies have been mandated to patch affected systems by 10 November 2025. Organizations are strongly advised to prioritize remediation, implement network segmentation where patching cannot be done immediately, and monitor for signs of compromise, particularly unusual HTTP requests, unauthorized administrative access, or suspicious privilege escalation activities.
Impacts:
- Unauthorized access to enterprise resources via Oracle EBS SSRF or RCE leading to data exfiltration or lateral movement.
- Compromise of Windows clients via SMB Client privilege escalation, enabling attackers to gain elevated rights and persist.
- Administrative takeover of web content and infrastructure via Kentico CMS authentication bypass, enabling further malware deployment or defacement.
- Exploitation of macOS/iOS devices via Apple JavaScriptCore flaw, enabling arbitrary code execution through web content, risking endpoint compromise in enterprise “bring your own device” (BYOD) contexts.
- High risk for organizations that delayed or skipped patching: attackers typically move quickly once a CVE is public and listed in CISA's KEV Catalogue.
Solutions:
- Prioritise Patching: Immediately apply vendor patches for the listed CVEs: Oracle EBS, Microsoft Windows (SMB Client), Kentico CMS, Apple devices.
- Confirm Asset Inventory: Ensure you know whether you run affected versions of Oracle EBS, Windows SMB Client endpoints, Kentico CMS installations, or macOS/iOS devices vulnerable to JavaScriptCore exploits.
- Isolate & Segment: Until patched, segregate vulnerable systems, especially Oracle EBS and CMS platforms, with stricter network segmentation and restricted access.
- Harden Configurations: For Windows SMB, require SMB signing on both client and server, disable SMBv1, and alert on unexpected inbound SMB connections to workstations and on privilege escalation events. For CMS, disable the Staging Sync Server if staging is unused, restrict access to it by network where it is required, and review user authentication flows.
- Monitor Logs & Network: Look for abnormal HTTP requests from Oracle servers to internal services (SSRF), sudden administrative logins in CMS, privilege escalation events in Windows, or unusual web content processing on Apple devices.
- Validate Remediation: After patching, run vulnerability scans and penetration tests focusing on these CVEs; verify no persistence or backdoor remains.
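The SSRF monitoring advice above (abnormal HTTP requests from Oracle servers to internal services) can be turned into a concrete check. The following is an added example written for this advisory, not code from CISA, Oracle or NCC-CSIRT. It parses egress/proxy log lines from the EBS application tier and flags requests whose destination is loopback, link-local, private, or a cloud metadata endpoint. The log format, the host names (ebs-app-01, web-cms-02) and the sample lines are constructed for illustration; adapt LINE_RE to your proxy's real format.

```python
"""Flag outbound HTTP requests from Oracle EBS hosts that target internal,
loopback, link-local or cloud-metadata destinations (the SSRF egress pattern
described in the advisory). Added example; assumes a simple space-separated
egress log of the form: <timestamp> <source host> <method> <url> <status>."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log lines (not real data). Only ebs-app-01 is an EBS host.
SAMPLE_LOG = """\
2025-10-21T09:14:02Z ebs-app-01 GET https://updates.example.com/patches/list 200
2025-10-21T09:14:07Z ebs-app-01 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2025-10-21T09:14:09Z ebs-app-01 GET http://10.20.30.5:1521/ 000
2025-10-21T09:15:11Z ebs-app-01 POST http://metadata.google.internal/computeMetadata/v1/token 403
2025-10-21T09:16:00Z ebs-app-01 GET http://localhost:8000/OA_HTML/AppsLogin 200
2025-10-21T09:17:45Z ebs-app-01 GET https://www.oracle.com/ 200
2025-10-21T09:18:30Z web-cms-02 GET http://10.0.0.7/health 200
"""

# Hypothetical inventory: hosts running the EBS application tier.
EBS_HOSTS = {"ebs-app-01"}

# Well-known cloud metadata endpoints (AWS IPv4/IPv6, GCP, Alibaba); extend as needed.
METADATA_HOSTS = {
    "169.254.169.254",
    "fd00:ec2::254",
    "metadata.google.internal",
    "metadata",
    "100.100.100.200",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    url: str
    reason: str


def classify_destination(url):
    """Return a reason string if the URL targets a non-public destination, else None."""
    host = urlsplit(url).hostname  # strips port and IPv6 brackets
    if host is None:
        return None
    host = host.lower()
    if host in METADATA_HOSTS:
        return "cloud metadata endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: flag only names that can never be legitimate egress.
        if host == "localhost" or host.endswith(".localhost") or host.endswith(".internal"):
            return "internal hostname"
        return None
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_private:
        return "private (RFC 1918 / ULA) address"
    return None


def find_ssrf_egress(log_text, ebs_hosts=EBS_HOSTS):
    """Parse egress log lines and return alerts for EBS hosts reaching internal destinations."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        if m["src"] not in ebs_hosts:
            continue  # other hosts may legitimately talk to internal services
        reason = classify_destination(m["url"])
        if reason:
            alerts.append(Alert(m["ts"], m["src"], m["url"], reason))
    return alerts


if __name__ == "__main__":
    for a in find_ssrf_egress(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.url}  [{a.reason}]")
```

Run against the constructed sample, the check raises four alerts for ebs-app-01 (the AWS metadata address, the database listener on a private address, the GCP metadata hostname, and localhost) and ignores both the public Oracle and update sites and the internal request from the non-EBS host. In production, feed it the proxy or firewall log that records the EBS tier's outbound connections; the SSRF in CVE-2025-61884 makes the EBS server itself the client, so the source host filter is what separates the signal from ordinary internal traffic.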
References: