Chrome, Oracle vulnerabilities added to Known Exploited Vulnerabilities Catalog

The vulnerability was first reported on 17 November, and Google rates it as high severity. Google released a Stable Channel Update for Desktop on 17 November, when it said it was aware of an existing, in-the-wild exploit. The issue is fixed in the following versions of Chrome:

• v142.0.7444.175/.176 (for Windows)
• v142.0.7444.176 (for macOS)
• v142.0.7444.175 (for Linux)

CVE-2025-13223 was reported by Clément Lecigne of Google’s Threat Analysis Group.

CVE-2025-61757, on the other hand, is – according to its CVE Record – an “easily exploitable vulnerability” that could lead to an unauthenticated attacker compromising the Identity Manager part of Oracle Fusion Middleware, leading in turn to the full takeover of the component.

This vulnerability has a CVSS score of 9.8, making it a critical severity flaw. Oracle first disclosed the CVE on 21 October as part of its regular Oracle Critical Patch Update Advisory. CISA added it to its KEV catalogue in November 2022.

Searchlight Cyber, the darkweb monitoring firm that discovered CVE-2025-61757, said exploitation of the flaw was likely “trivial”.

“The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws. Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters,” Searchlight Cyber’s Adam Kues and Shubham Shah said in a 20 November blog post.

VIEW ALL

“Participating in CTFs, or even staying up to date with research in the CTF space, continues to pay dividends, giving us unique insights into how we can often turn a seemingly unexploitable bug into an exploitable one.”