The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, officially confirming a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks.
The security defect in question is CVE-2025-61884 (CVSS score: 7.5), which has been described as a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator that could allow attackers unauthorized access to critical data.
“This vulnerability is remotely exploitable without authentication,” CISA said.
CVE-2025-61884 is the second flaw in Oracle EBS to be actively exploited along with CVE-2025-61882 (CVSS score: 9.8), a critical bug that could permit unauthenticated attackers to execute arbitrary code on susceptible instances.
Earlier this month, Google Threat Intelligence Group (GTIG) and Mandiant revealed dozens of organizations may have been impacted following the exploitation of CVE-2025-61882.
“At this time, we are not able to attribute any specific exploitation activity to a specific actor, but it’s likely that at least some of the exploitation activity we observed was conducted by actors now conducting Cl0p-branded extortion operations,” Zander Work, senior security engineer at GTIG, told The Hacker News last week.
Also added by CISA to the KEV catalog are four other vulnerabilities –
- CVE-2025-33073 (CVSS score: 8.8) – An improper access control vulnerability in Microsoft Windows SMB Client that could allow for privilege escalation (Fixed by Microsoft in June 2025)
- CVE-2025-2746 (CVSS score: 9.8) – An authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS that could allow an attacker to control administrative objects by taking advantage of the Staging Sync Server password handling of empty SHA1 usernames in digest authentication (Fixed in Kentico in March 2025)
- CVE-2025-2747 (CVSS score: 9.8) – An authentication bypass using an alternate path or channel vulnerability in Kentico Xperience CMS that could allow an attacker to control administrative objects by taking advantage of the Staging Sync Server password handling for the server defined None type (Fixed in Kentico in March 2025)
- CVE-2022-48503 (CVSS score: 8.8) – An improper validation of array index vulnerability in Apple’s JavaScriptCore component that could result in arbitrary code execution when processing web content (Fixed by Apple in July 2022)
There are currently no details on how the aforementioned four issues are being exploited in the wild, although details about CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747 were shared by researchers from Synacktiv and watchTowr Labs, respectively.
GuidePoint Security researcher Cameron Stish, who also independently reported CVE-2025-33073 (aka the Reflective Kerberos relay attack or LoopyTicket), alongside CrowdStrike, SySS GmbH, RedTeam Pentesting GmbH, Google Project Zero, and Ahamada M’Bamba, said the vulnerability could be exploited to obtain elevated code execution on a domain controller if SMB signing is not enforced.
Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by November 10, 2025, to secure their networks against active threats.
