Multiple Apple products and Oracle’s E-Business Suite feature in CISA’s latest addition to KEV Catalog.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added five previously disclosed vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a worrying server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite.
Multiple companies and analysts had been warning of the exploitation of CVE-2025-61882 since it was first disclosed on October 4, but CISA's warning concerns hackers taking advantage of CVE-2025-61884, which was published days later on October 12.
According to its CVE listing, CVE-2025-61884 is an “easily exploitable vulnerability” that can allow a malicious, unauthenticated attacker to compromise the Oracle Configurator via HTTP.
“Successful attacks of this vulnerability can result in unauthorised access to critical data or complete access to all Oracle Configurator accessible data,” the vulnerability's CVE listing says.
CVE-2025-61884 has a CVSS score of 7.5, rating it as a High Severity vulnerability, and is present in Oracle E-Business Suite versions 12.2.3 through 12.2.14.
“If successfully exploited, this vulnerability may allow access to sensitive resources,” Oracle said in its advisory.
“Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible.”
CVE-2022-48503 is an older vulnerability, first disclosed in August 2023, that may lead to code execution in multiple Apple products. It is fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, and Safari 15.6.
CVE-2025-2746 and CVE-2025-2747 both impact Kentico Xperience Staging Sync Server. Both are authentication bypass vulnerabilities that could allow an attacker to control administrative objects. The first is via password handling of empty SHA1 usernames, while the second is via component password handling for the server-defined None type.
These flaws date back to March 2025, and both carry a Critical Severity CVSS score of 9.8. The vulnerabilities impact versions 0 through 13.0.172 in the first case, and 0 through 13.0.178 in the second.
Finally, CVE-2025-33073 is a High Severity (CVSS score of 8.8) elevation of privilege vulnerability in the Windows SMB Client, disclosed in June of this year. It impacts multiple Windows OS and Server versions.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.