U.S. CISA Adds Oracle, Windows, Kentico, and Apple Flaws to Its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a batch of new entries to its Known Exploited Vulnerabilities (KEV) catalog, covering flaws in software from Oracle, Microsoft, Kentico, and Apple.

Oracle Flaw: Information Disclosure Vulnerability

CISA has added an information disclosure vulnerability in the Runtime UI component of Oracle E-Business Suite to its KEV catalog. The flaw, tracked as CVE-2025-61884, has a CVSS score of 7.5 and can be exploited remotely by an unauthenticated attacker to access sensitive data.

According to Rob Duhart, Oracle's Chief Security Officer, "Oracle has just released Security Alert CVE-2025-61884. This vulnerability affects some deployments of Oracle E-Business Suite." Oracle fixed the vulnerability in an emergency release, and CISA is urging administrators to apply the out-of-band patch immediately to prevent exploitation.

Microsoft Windows SMB Client Vulnerability

CISA has also added a high-severity improper access control flaw in the Microsoft Windows SMB client to its KEV catalog. The vulnerability, tracked as CVE-2025-33073, can be abused to escalate privileges; Microsoft patched it in its June 2025 security updates.

Kentico Xperience CMS Vulnerabilities

Two critical authentication bypass issues in Kentico Xperience CMS were also added to the KEV catalog. Both stem from weaknesses in how the Staging Sync Server handles passwords and allow an attacker to take control of administrative objects.

Apple Flaw: Arbitrary Code Execution

The final vulnerability added to the KEV catalog is a three-year-old Apple flaw (CVE-2022-48503) in the JavaScriptCore component. An attacker can trigger it when a device processes maliciously crafted web content, leading to arbitrary code execution.

Implications and Recommendations

Under CISA's Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have until November 10, 2025, to remediate these vulnerabilities in their networks. Experts recommend that private organizations also review the KEV catalog and address these vulnerabilities in their infrastructure to protect against attacks exploiting them.

What You Can Do

Whether you are a federal agency or a private organization, patching these vulnerabilities should be treated as urgent. Here are some steps you can take:

* Review the CISA KEV catalog against your software inventory and prioritize every matching entry by its due date.
* Apply Oracle's out-of-band Security Alert patch for CVE-2025-61884, Microsoft's June 2025 update for CVE-2025-33073, and the corresponding vendor updates for Kentico Xperience and Apple's JavaScriptCore.
* Limit network exposure of the affected components and restrict access to administrative interfaces until the patches are in place.
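The first step above, reviewing the KEV catalog against what you actually run, is easy to automate. The script below is an added example, not code from the article or from CISA: it parses a feed in the shape of CISA's KEV JSON (a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse`), matches entries against a software inventory, and reports how many days remain before each BOD 22-01 due date. To run offline it embeds a small constructed excerpt instead of downloading the real feed; the `dateAdded`, `product` and `knownRansomwareCampaignUse` values in that excerpt are placeholders, only the CVE IDs and the November 10, 2025 due date come from the article. The vendor/product matching rule is an assumption of this example, not something CISA defines.

```python
"""Cross-check a software inventory against a KEV-style JSON feed.

Added example; not code from the original article or from CISA.
The live catalog is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Replace KEV_SAMPLE with the downloaded text to run this for real.
"""
import json
from datetime import date

# Constructed excerpt in the KEV feed's shape. CVE IDs and dueDate are from
# the article; dateAdded, product and knownRansomwareCampaignUse are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-33073", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-48503", "vendorProject": "Apple", "product": "Multiple Products",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-XXXX-KENTICO-A", "vendorProject": "Kentico", "product": "Xperience",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: vendor/product pairs as an asset database might export them.
INVENTORY = [
    {"vendor": "Oracle", "product": "E-Business Suite", "host": "ebs-prod-01"},
    {"vendor": "Microsoft", "product": "Windows", "host": "ws-0042"},
    {"vendor": "Apple", "product": "macOS", "host": "mbp-dev-07"},
    {"vendor": "Atlassian", "product": "Confluence", "host": "wiki-01"},  # no KEV match in sample
]


def load_kev(feed_text: str) -> list[dict]:
    """Parse KEV-style JSON and return the list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def affects(entry: dict, asset: dict) -> bool:
    """Assumed matching rule: vendor must match exactly (case-insensitive) and the
    asset's product name must appear in the KEV product string. KEV product
    strings are often broader than an inventory name, and Apple entries are
    sometimes filed as "Multiple Products", so that value matches any product."""
    if entry["vendorProject"].casefold() != asset["vendor"].casefold():
        return False
    kev_product = entry["product"].casefold()
    return kev_product == "multiple products" or asset["product"].casefold() in kev_product


def due_status(entry: dict, today: date) -> tuple[str, int]:
    """Return ('due' | 'overdue', days remaining) relative to the entry's dueDate."""
    days = (date.fromisoformat(entry["dueDate"]) - today).days
    return ("overdue" if days < 0 else "due", days)


def report(feed_text: str, inventory: list[dict], today: date) -> list[dict]:
    """Every (KEV entry, asset) pair that matches, sorted by due date then CVE.
    Entries with known ransomware use are flagged so they can be prioritized."""
    findings = []
    for entry in load_kev(feed_text):
        for asset in inventory:
            if affects(entry, asset):
                status, days = due_status(entry, today)
                findings.append({
                    "cve": entry["cveID"],
                    "host": asset["host"],
                    "due_date": entry["dueDate"],
                    "status": status,
                    "days_to_due": days,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                })
    findings.sort(key=lambda f: (f["due_date"], f["cve"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in report(KEV_SAMPLE, INVENTORY, date.today()):
        flag = " [RANSOMWARE]" if f["ransomware"] else ""
        print(f'{f["cve"]:16} {f["host"]:12} due {f["due_date"]} ({f["status"]}, {f["days_to_due"]:+d} days){flag}')
```

Run it on the real feed by swapping `KEV_SAMPLE` for the downloaded JSON and `INVENTORY` for an export from your asset database; the Kentico placeholder entry shows that an entry with no matching asset simply produces no finding, and the `Atlassian` asset shows the reverse.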

Stay vigilant and stay informed about the latest cybersecurity threats.