Type confusion bug in Chrome and Critical Severity issue in Oracle Fusion Middleware’s Identity Manager component in hackers’ crosshairs.
The United States Cybersecurity & Infrastructure Security Agency has added a pair of vulnerabilities to its ever-growing Known Exploited Vulnerabilities Catalog.
CVE-2025-13223, added to the KEV Catalog on November 20, is a type confusion vulnerability in Google Chromium V8 that could allow a remote attacker to exploit heap corruption via a specially crafted HTML page.
The vulnerability was first reported on November 17, and Google rates it as High Severity. Google released a Stable Channel Update for Desktop on November 17, when it said it was aware of an existing, in-the-wild exploit. The issue is fixed in the following versions of Chrome:
CVE-2025-13223 was reported by Clément Lecigne of Google’s Threat Analysis Group.
CVE-2025-61757, on the other hand, is – according to its CVE Record – an “easily exploitable vulnerability” that could lead to an unauthenticated attacker compromising the Identity Manager part of Oracle Fusion Middleware, leading in turn to the full takeover of the component.
This vulnerability has a CVSS score of 9.8, making it a Critical Severity flaw. Oracle first disclosed the CVE on October 21 as part of its regular Oracle Critical Patch Update Advisory. CISA added it to its KEV Catalog in November 2022.
Searchlight Cyber, the dark web monitoring firm that discovered CVE-2025-61757, said exploitation of the flaw was likely “trivial”.
“The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws. Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters,” Searchlight Cyber’s Adam Kues and Shubham Shah said in a November 20 blog post.
“Participating in CTFs, or even staying up to date with research in the CTF space, continues to pay dividends, giving us unique insights into how we can often turn a seemingly unexploitable bug into an exploitable one.”
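The pattern the researchers describe, an authentication filter whose view of the request path diverges from the view of the servlet that finally handles it, is easiest to see from the defender's side. The filter below is an added illustration and is not Oracle's or Searchlight Cyber's code; the class name `StrictPathAuthFilter`, the `/public/` allowlist and the rejection rules are assumptions, and the point is only that the path is canonicalised (matrix parameters, dot segments and encoded separators rejected) before any authorisation decision is made.

```java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;

// Hypothetical servlet filter (assumption, not code from any real product).
public class StrictPathAuthFilter implements Filter {
    private static final String PUBLIC_PREFIX = "/public/"; // assumed allowlist

    // Returns a normalised path, or null when the raw URI contains a construct
    // (";" matrix parameters, "." / ".." segments, percent-encoded "/" or ".")
    // that a filter and the downstream servlet container may interpret differently.
    static String canonicalPath(String rawUri) {
        if (rawUri == null || !rawUri.startsWith("/")) return null;
        for (String segment : rawUri.split("/", -1)) {
            String lower = segment.toLowerCase();
            if (lower.contains(";") || lower.equals(".") || lower.equals("..")) return null;
            if (lower.contains("%2f") || lower.contains("%2e")) return null;
        }
        try {
            String path = URI.create(rawUri).normalize().getPath();
            return (path == null || !path.startsWith("/")) ? null : path;
        } catch (IllegalArgumentException e) {
            return null; // malformed URI: refuse rather than guess
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getRequestURI() is the undecoded path as sent by the client.
        String path = canonicalPath(request.getRequestURI());
        if (path == null) { response.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        boolean isPublic = path.startsWith(PUBLIC_PREFIX);
        if (!isPublic && request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Rejecting ambiguous paths outright, rather than trying to decode them the way the container would, keeps the filter's decision and the servlet's routing consistent; a request such as `/public;x=1/../admin` is refused at the filter instead of being classified as public.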
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.