CISA Mandates Patching for 5 New Actively Exploited Flaws in Apple, Microsoft, Oracle, and Kentico

CISA Adds Five Vulnerabilities in Apple, Kentico, Microsoft, and Oracle Products to KEV Catalog

Severity: HIGH
October 20, 2025
Categories: Patch Management, Vulnerability, Regulatory

Related Entities

Products & Tech: Microsoft Windows SMB Client, Oracle E-Business Suite, Kentico Xperience Staging Sync Server


Executive Summary

On October 20, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling they are under active exploitation by malicious actors. The flaws, identified as CVE-2022-48503, CVE-2025-2746, CVE-2025-2747, CVE-2025-33073, and CVE-2025-61884, impact products from Apple, Kentico, Microsoft, and Oracle. The inclusion in the KEV catalog under Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these vulnerabilities by a specified deadline. CISA strongly recommends that private sector organizations also prioritize these patches to defend against prevalent attack vectors. The vulnerabilities range from authentication bypass and improper access control to server-side request forgery (SSRF), posing significant risks if left unpatched.


Vulnerability Details

The five vulnerabilities represent a diverse set of attack vectors targeting different layers of the technology stack:

  • CVE-2025-33073: An Improper Access Control Vulnerability in Microsoft Windows SMB Client. A flaw of this type could allow an attacker to bypass security controls and gain unauthorized access to system resources, possibly leading to privilege escalation or lateral movement within a network.
  • CVE-2025-61884: A Server-Side Request Forgery (SSRF) vulnerability in Oracle's E-Business Suite. SSRF flaws allow an attacker to induce the server-side application to make requests to an unintended location, which can be used to pivot into internal networks, scan for open ports, or exfiltrate data.
  • CVE-2025-2746 & CVE-2025-2747: A pair of Authentication Bypass vulnerabilities in the Kentico Xperience Staging Sync Server. These flaws could permit an unauthenticated attacker to bypass login mechanisms, granting them unauthorized access to the staging server, which often contains sensitive pre-production data and configurations.
  • CVE-2022-48503: An older but newly exploited vulnerability affecting multiple Apple products. The specifics of this flaw were not detailed in the alert, but its inclusion indicates threat actors have developed a reliable exploit for it, targeting unpatched Apple devices.

Affected Systems

The vulnerabilities impact a broad range of enterprise and consumer products. Organizations should conduct immediate asset inventory checks to identify the presence of the following systems:

  • Apple Products: Multiple unspecified products are affected by CVE-2022-48503. Organizations should consult Apple's security advisories for this CVE to identify specific vulnerable devices and OS versions.
  • Kentico Xperience: The Staging Sync Server component is affected by CVE-2025-2746 and CVE-2025-2747.
  • Microsoft Windows: The SMB Client component across various Windows versions is affected by CVE-2025-33073.
  • Oracle E-Business Suite: The specific versions affected by CVE-2025-61884 should be confirmed via Oracle's security advisories.

Exploitation Status

CISA has confirmed that all five vulnerabilities have been actively exploited in the wild. The 'in-the-wild' exploitation status dramatically increases the urgency for patching. Threat actors are leveraging these flaws in real-world attacks, meaning theoretical risk has become an immediate danger. While the specific threat actors were not named, vulnerabilities like these are commonly used by a wide range of adversaries, from ransomware groups for initial access to state-sponsored actors for espionage.

Impact Assessment

Exploitation of these vulnerabilities can lead to severe consequences:

  • Initial Access and Lateral Movement: Flaws like the SMB client vulnerability (CVE-2025-33073) and the Kentico authentication bypass (CVE-2025-2746/2747) can serve as entry points into a network or facilitate movement between systems.
  • Data Exfiltration and Internal Reconnaissance: The Oracle EBS SSRF (CVE-2025-61884) is a powerful tool for attackers to map internal networks and steal sensitive data from backend systems that are not directly exposed to the internet.
  • Full System Compromise: Depending on the context, these vulnerabilities could be chained together or with other flaws to achieve full system compromise, leading to ransomware deployment, data destruction, or persistent espionage. The impact on federal agencies is deemed significant enough to warrant a binding directive, indicating a high potential for damage to government operations and data security.

Detection Methods

Security teams should proactively hunt for signs of exploitation. While specific IOCs were not provided, hunting can be based on vulnerability characteristics.

  • For CVE-2025-61884 (Oracle SSRF): Monitor the Oracle E-Business Suite web server logs, together with the proxy or firewall logs that record the server's outbound connections, for unusual requests originating from the server itself. Look for connections to internal, non-standard ports or requests to public cloud metadata services (e.g., 169.254.169.254). This is a key D3FEND technique: D3-NTA: Network Traffic Analysis.
  • For CVE-2025-33073 (Windows SMB): Analyze SMB client logs and network traffic for anomalous connection patterns. Monitor endpoint security logs for suspicious processes initiating SMB connections. This aligns with D3-PA: Process Analysis.
  • For CVE-2025-2746/2747 (Kentico Auth Bypass): Review access logs for the Kentico Xperience Staging Sync Server. Look for successful authentication events from unknown IP addresses or activity on the server that does not correlate with legitimate user sessions.

Remediation Steps

CISA's primary directive is to apply vendor-provided patches immediately. Organizations should follow this risk-based prioritization:

  1. Identify: Use vulnerability scanners and asset management systems to identify all affected systems within your environment.
  2. Prioritize: Give highest priority to internet-facing systems (like Oracle E-Business Suite and Kentico servers) and critical systems.
  3. Patch: Apply the security updates released by Apple, Kentico, Microsoft, and Oracle for these CVEs. Follow vendor instructions for deployment and testing.
  4. Verify: Confirm that patches have been successfully applied and systems are no longer vulnerable.
  5. Mitigate (if patching is delayed): If immediate patching is not possible, implement compensating controls. For the web-facing vulnerabilities, this could include restricting access via Web Application Firewalls (WAFs) or limiting access to trusted IP ranges. For the SMB flaw, consider restricting outbound SMB traffic (TCP port 445) at the network perimeter. This is a form of D3FEND's D3-ITF: Inbound Traffic Filtering.

Timeline of Events

  1. October 20, 2025: CISA adds five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
  2. October 20, 2025: This article was published.

MITRE ATT&CK Mitigations

  • The primary mitigation is to apply vendor-supplied patches to eliminate the vulnerabilities.
  • Restrict access to vulnerable services from the internet, especially administrative interfaces like the Kentico Staging Sync Server.
  • Audit (M1047, enterprise): Implement robust logging and monitoring for affected applications to detect signs of exploitation.

D3FEND Defensive Countermeasures

Immediately prioritize and deploy the security patches released by Apple, Kentico, Microsoft, and Oracle for the five specified CVEs. Utilize automated patch management systems to ensure comprehensive coverage across all endpoints, servers, and devices. For the Oracle E-Business Suite and Kentico Xperience servers, which are high-value targets, schedule emergency maintenance windows to apply updates. Post-patching, run authenticated vulnerability scans to verify that the patches have been applied correctly and the vulnerabilities are fully remediated. This is the most effective defense against exploitation.

As a compensating control, especially for the web-facing Oracle and Kentico vulnerabilities, implement strict inbound traffic filtering. Configure perimeter firewalls and web application firewalls (WAFs) to restrict all access to the application management interfaces, allowing connections only from a small set of explicitly approved internal IP addresses (e.g., administrator jump boxes). For the Oracle SSRF flaw, configure WAF rules to inspect and block request patterns that attempt to access internal IP ranges or cloud metadata services. This isolates the vulnerable application from general internet traffic, significantly reducing the attack surface.

Deploy network traffic analysis tools to monitor for post-exploitation activity related to the SSRF vulnerability (CVE-2025-61884). Specifically, establish a baseline of normal outbound traffic from the Oracle E-Business Suite server. Configure alerts for any connections initiated from this server to internal systems, especially database servers, domain controllers, or file shares that it does not normally communicate with. Also, monitor for any outbound connections to unusual external IP addresses or known malicious domains, as this could indicate C2 communication or data exfiltration following a successful SSRF attack.
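As an added example (not part of the CISA alert or this article), the following Python hunt applies the detection logic described for CVE-2025-61884 above and in Detection Methods: it scans outbound flow records from the Oracle E-Business Suite server, flags cloud metadata and link-local destinations, internal hosts missing from the baseline, and external connections on non-web ports. The EBS server address, the baseline flows and the log lines are constructed assumptions, not real data.

```python
import ipaddress
import re

# Constructed baseline of normal outbound flows from the EBS server: (dst IP, port).
# In practice it is learned from observed traffic over time; these values are assumptions.
BASELINE = {("10.0.5.20", 1521), ("10.0.7.10", 636)}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # includes 169.254.169.254
COMMON_WEB_PORTS = {80, 443}
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def classify(dst, dport):
    """Label one outbound flow from the EBS server; None means it is baseline."""
    ip = ipaddress.ip_address(dst)
    if ip in LINK_LOCAL:
        return "cloud-metadata-access"          # classic SSRF pivot target
    if (dst, dport) in BASELINE:
        return None
    if any(ip in net for net in INTERNAL_NETS):
        return "internal-host-not-in-baseline"  # internal recon / lateral pivot
    if dport not in COMMON_WEB_PORTS:
        return "external-nonstandard-port"      # possible C2 or exfiltration channel
    return "external-unbaselined"               # lower priority, still worth review

def hunt(lines, ebs_src):
    """Scan key=value flow logs and return findings for flows sourced by ebs_src."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["src"] != ebs_src:        # only the EBS server is in scope here
            continue
        label = classify(m["dst"], int(m["dport"]))
        if label:
            findings.append((m["dst"], int(m["dport"]), label))
    return findings

# Constructed sample flow log; 10.0.3.15 is the assumed EBS server address.
SAMPLE_LOG = """\
2025-10-20T14:02:11Z src=10.0.3.15 dst=10.0.5.20 dport=1521 proto=tcp
2025-10-20T14:02:15Z src=10.0.3.15 dst=169.254.169.254 dport=80 proto=tcp
2025-10-20T14:02:19Z src=10.0.3.15 dst=10.0.8.44 dport=22 proto=tcp
2025-10-20T14:02:25Z src=10.0.3.15 dst=203.0.113.77 dport=4444 proto=tcp
2025-10-20T14:02:30Z src=10.0.4.9 dst=169.254.169.254 dport=80 proto=tcp
"""

if __name__ == "__main__":
    for dst, port, label in hunt(SAMPLE_LOG.splitlines(), "10.0.3.15"):
        print(f"ALERT {label}: {dst}:{port}")
```

The last sample line is ignored because it does not originate from the EBS server; widen the source filter if the same baseline should apply to other hosts.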

Sources & References

CISA, Cybersecurity Alerts & Advisories (cisa.gov), October 20, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: KEV, CISA, BOD 22-01, Patching, Vulnerability Management, SSRF, Authentication Bypass
