CISA Adds Microsoft, Oracle Vulnerabilities To KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five CVEs to its Known Exploited Vulnerabilities (KEV) catalog today, including Microsoft, Apple and Oracle vulnerabilities.

The vulnerabilities flagged by CISA include:

  • CVE-2022-48503, an 8.8-severity vulnerability in multiple Apple products that could lead to arbitrary code execution when processing web content. The issue was addressed with improved bounds checks.
  • CVE-2025-33073, an 8.8-rated Microsoft Windows SMB Client Improper Access Control vulnerability that Microsoft had labeled as less likely to be exploited in its June Patch Tuesday update.
  • CVE-2025-61884, a 7.5-severity Oracle E-Business Suite Server-Side Request Forgery (SSRF) vulnerability that Oracle issued an emergency patch for on October 11.
  • CVE-2025-2746 and CVE-2025-2747, which are both 9.8-rated password authentication bypass issues in Kentico Xperience Staging Sync Server.

Oracle Vulnerabilities Under Attack

CISA doesn’t provide details on how vulnerabilities are being exploited. However, the October 11 announcement of the Oracle E-Business Suite CVE-2025-61884 vulnerability followed an ongoing campaign by the CL0P ransomware group exploiting CVE-2025-61882, a 9.8-severity remote code execution (RCE) flaw in Oracle E-Business Suite. That flaw had reportedly been exploited at least since August 9, with “suspicious activity” occurring a month before that.

CISA added CVE-2025-61882 to its KEV database on October 6.

CVE-2025-61882 was reportedly weaponized by the CL0P ransomware group in a widespread extortion campaign that included a high volume of emails sent to executives at numerous organizations, claiming the theft of sensitive data from the victims’ Oracle E-Business Suite environments, according to Google Threat Intelligence.

CL0P (aka CLOP) has since claimed at least four victims from the Oracle campaign on its Tor data leak site: Harvard University, American Airlines’ Envoy Air subsidiary, and two additional victims that remain unconfirmed.

The Scattered LAPSUS$ Hunters threat group posted proof-of-concept (PoC) code for CVE-2025-61882 to its Telegram channel on October 3, claiming that it, rather than CL0P, had originated the exploit, according to Cyble dark web researchers. That PoC release preceded Oracle’s patch for CVE-2025-61882 by one day.

Microsoft CVE-2025-33073 Vulnerability Discovered by 8 Researchers

At the time of the June Patch Tuesday update, Microsoft gave credit for discovering CVE-2025-33073 to eight researchers: Keisuke Hirata of CrowdStrike, Wilfried Bécard of Synacktiv, Cameron Stish of GuidePoint Security, Ahamada M’Bamba of BNP Paribas, Stefan Walter and Daniel Isern of SySS GmbH, RedTeam Pentesting GmbH, and James Forshaw of Google Project Zero.

Stish’s GuidePoint blog post on CVE-2025-33073 provides some interesting background on the vulnerability.

According to Microsoft, an attacker who successfully exploited the vulnerability could gain SYSTEM privileges.

When multiple attack vectors can be used, Microsoft assigns a score based on the scenario with the highest risk. In one scenario for the vulnerability, Microsoft said an attacker could convince a victim to connect to an attacker-controlled malicious application server, such as an SMB server. “Upon connecting, the malicious server could compromise the protocol,” Microsoft said.

“To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate,” Microsoft said. “This could result in elevation of privilege.”
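The scenario Microsoft describes depends on a Windows host being willing to open an unsigned SMB session to an arbitrary server. The following PowerShell audit is an added example for defenders, not code from the article, Microsoft, or the cited researchers; it assumes that requiring SMB signing on both the client and server side and blocking outbound TCP/445 to arbitrary hosts are the relevant hardening controls for this relay-style class of SMB abuse, and it only reports findings rather than changing configuration.

```powershell
# Added example (not from the article): audit a Windows host's SMB posture
# relevant to coercion-to-attacker-SMB-server scenarios such as the one
# Microsoft describes for CVE-2025-33073. Read-only; run as Administrator.
#Requires -RunAsAdministrator

$findings = @()

# Assumption: signing enforcement on both sides is the relevant hardening
# for relay-style SMB abuse. These are built-in cmdlets (SmbShare module).
$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration

if (-not $server.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing ' +
                 '(fix: Set-SmbServerConfiguration -RequireSecuritySignature $true)'
}
if (-not $client.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing ' +
                 '(fix: Set-SmbClientConfiguration -RequireSecuritySignature $true)'
}

# A victim "connecting back to the attack system using SMB" needs outbound
# TCP/445; look for any enabled outbound block rule that covers that port.
$outbound445Blocks = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $ports.Protocol -eq 'TCP' -and ($ports.RemotePort -contains '445' -or $ports.RemotePort -eq 'Any')
    }

if (-not $outbound445Blocks) {
    $findings += 'No enabled outbound firewall rule blocks TCP/445; workstations rarely need ' +
                 'outbound SMB beyond known file servers (review and scope a block rule)'
}

if ($findings.Count -eq 0) {
    Write-Output "OK: SMB signing required on client and server; outbound TCP/445 is blocked."
} else {
    Write-Output "Findings on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it across a fleet (for example via Invoke-Command) to find hosts where the June update has not been paired with signing enforcement; an outbound block rule scoped to exclude legitimate file servers avoids breaking normal share access.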


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.