Executive Summary
On October 20, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog, adding five actively exploited vulnerabilities across products from Apple, Kentico, Microsoft, and Oracle. These critical flaws—ranging from authentication bypasses in Kentico Xperience to a server-side request forgery in Oracle E-Business Suite and improper SMB access control in Microsoft Windows—are being leveraged by threat actors to gain unauthorized access, escalate privileges, or exfiltrate data. The directive mandates federal agencies to urgently remediate these risks to safeguard the federal enterprise and critical infrastructure from rapidly evolving threats.
The continued expansion of the KEV Catalog highlights the persistent challenge organizations face in tracking and rapidly remediating high-impact vulnerabilities, especially as exploit techniques become more sophisticated and widely disseminated. The urgency is underscored by both regulatory pressure and the increase in observed exploitation campaigns targeting these vulnerabilities across public and private sectors.
Why This Matters Now
This update to the CISA KEV Catalog is crucial as it reflects real-world, active exploitation of newly identified vulnerabilities that jeopardize key business applications and infrastructure. Failure to promptly remediate these critical weaknesses exposes organizations to heightened risk of compromise, regulatory noncompliance, and operational disruption.
Attack Path Analysis
Attackers exploited internet-facing applications with known vulnerabilities (e.g., CVE-2025-2746, CVE-2025-61884) to gain unauthorized entry. Upon initial compromise, adversaries escalated access by bypassing authentication controls or exploiting misconfigurations. They then moved laterally within the cloud environment, seeking additional assets or service access. Using the compromised infrastructure, they established command-and-control channels for ongoing control. Sensitive data was exfiltrated using covert or authorized channels. Finally, attackers impacted the business through methods such as data theft, potential ransomware deployment, or system disruption.
Kill Chain Progression
Initial Compromise
Description
Exploited public-facing services with known vulnerabilities (such as Kentico authentication bypass or Oracle SSRF) to obtain unauthorized access.
Related CVEs
CVE-2022-48503
CVSS 8.8 – Processing web content may lead to arbitrary code execution due to insufficient bounds checks.
Affected Products:
Apple iOS – 15.6
Apple iPadOS – 15.6
Apple macOS Monterey – 12.5
Apple Safari – 15.6
Apple tvOS – 15.6
Apple watchOS – 8.7
Exploit Status:
exploited in the wild

CVE-2025-2746
CVSS 9.8 – Authentication bypass in Kentico Xperience's Staging Sync Server allows attackers to control administrative objects.
Affected Products:
Kentico Xperience – <= 13.0.172
Exploit Status:
exploited in the wild
References:
https://devnet.kentico.com/download/hotfixes
https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2746
https://www.vulncheck.com/advisories/kentico-xperience-staging-sync-server-digest-password-authentication-bypass

CVE-2025-2747
CVSS 9.8 – Authentication bypass in Kentico Xperience's Staging Sync Server allows attackers to control administrative objects.
Affected Products:
Kentico Xperience – <= 13.0.178
Exploit Status:
exploited in the wild
References:
https://devnet.kentico.com/download/hotfixes
https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0011
https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-2747
https://www.vulncheck.com/advisories/kentico-xperience-staging-sync-server-none-password-type-authentication-bypass

CVE-2025-33073
CVSS 8.8 – Improper access control in Windows SMB allows an authorized attacker to elevate privileges over a network.
Affected Products:
Microsoft Windows SMB – unspecified
Exploit Status:
exploited in the wild
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33073
https://www.vicarius.io/vsociety/posts/cve-2025-33073-detection-script-improper-access-control-in-windows-smb-affects-microsoft-products
https://www.vicarius.io/vsociety/posts/cve-2025-33073-mitigation-script-improper-access-control-in-windows-smb-affects-microsoft-products

CVE-2025-61884
CVSS 7.5 – Unauthenticated attacker can access critical data in Oracle Configurator via HTTP.
Affected Products:
Oracle Configurator – 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14
Exploit Status:
exploited in the wild
References:
https://blogs.oracle.com/security/post/apply-july-2025-cpu
https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
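As an added example (not code from the advisory or from any of the vendors named), the affected-version data in the entries above can be encoded as version matchers and run over a software inventory to surface hosts that fall inside a listed range. The inventory rows are constructed; the Windows SMB entry flags every version because the page lists it as unspecified, and the Apple entry is left out because the page gives only the fixed release rather than a range.

```python
from typing import Callable, Dict, List, Tuple

Matcher = Callable[[str], bool]

def parse_version(v: str) -> Tuple[int, ...]:
    """'13.0.172' -> (13, 0, 172); parsing stops at the first non-numeric part."""
    out: List[int] = []
    for part in v.split("."):
        if not part.isdigit():
            break
        out.append(int(part))
    return tuple(out)

def at_most(limit: str) -> Matcher:
    """Matches versions <= limit, the page's '<= 13.0.172' form."""
    return lambda v: parse_version(v) <= parse_version(limit)

def one_of(*versions: str) -> Matcher:
    """Matches an explicit version list, the page's Oracle Configurator form."""
    listed = {parse_version(x) for x in versions}
    return lambda v: parse_version(v) in listed

# Affected products/versions as listed in the KEV entries above. Apple CVE-2022-48503
# is omitted (page gives only the fixed release); 'unspecified' flags every version.
AFFECTED: Dict[str, List[Tuple[str, Matcher]]] = {
    "CVE-2025-2746": [("Kentico Xperience", at_most("13.0.172"))],
    "CVE-2025-2747": [("Kentico Xperience", at_most("13.0.178"))],
    "CVE-2025-33073": [("Microsoft Windows SMB", lambda v: True)],
    "CVE-2025-61884": [("Oracle Configurator",
                        one_of(*[f"12.2.{n}" for n in range(3, 15)]))],
}

def find_exposed(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return sorted (host, product, version, cve) rows for every inventory match."""
    hits = []
    for row in inventory:
        for cve, products in AFFECTED.items():
            for product, matches in products:
                if row["product"] == product and matches(row["version"]):
                    hits.append((row["host"], product, row["version"], cve))
    return sorted(hits)

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "cms-01", "product": "Kentico Xperience", "version": "13.0.172"},
    {"host": "cms-02", "product": "Kentico Xperience", "version": "13.0.175"},
    {"host": "cms-03", "product": "Kentico Xperience", "version": "13.0.181"},
    {"host": "ebs-01", "product": "Oracle Configurator", "version": "12.2.14"},
    {"host": "fs-01", "product": "Microsoft Windows SMB", "version": "10.0.19045"},
]
```

find_exposed(SAMPLE_INVENTORY) returns five rows: cms-01 matches both Kentico CVEs, cms-02 only CVE-2025-2747, and cms-03 (above both listed ceilings) none.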
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation of Remote Services
Valid Accounts
Modify Authentication Process
Network Sniffing
Brute Force
Trusted Relationship
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – Management of ICT-related risks
Control ID: Article 9 (ICT Risk Management)
CISA ZTMM 2.0 – Continuous Vulnerability Assessment
Control ID: Asset Management-3
NIS2 Directive – Addressing and managing risk posed by supply chain and vulnerabilities
Control ID: Article 21(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation requirements under BOD 22-01 for Apple, Microsoft Windows SMB, and Oracle vulnerabilities actively exploited by threat actors.
Information Technology/IT
IT infrastructure providers managing Apple products, Windows SMB clients, and Oracle E-Business Suite face critical authentication bypass and access control vulnerabilities requiring immediate patching.
Financial Services
Banking systems using Oracle E-Business Suite and Microsoft Windows environments are vulnerable to SSRF attacks and improper access control exploits that can compromise sensitive financial data.
Health Care / Life Sciences
Healthcare organizations with Apple devices, Windows networks, and Oracle systems face HIPAA compliance risks from authentication bypass vulnerabilities enabling unauthorized patient data access.
Sources
- CISA Adds Five Known Exploited Vulnerabilities to Catalog – https://www.cisa.gov/news-events/alerts/2025/10/20/cisa-adds-five-known-exploited-vulnerabilities-catalog (Verified)
- Apple Security Updates – https://support.apple.com/en-us/HT213340 (Verified)
- Microsoft Security Update Guide – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073 (Verified)
- Oracle Critical Patch Update Advisory - July 2025 – https://www.oracle.com/security-alerts/alert-cve-2025-61884.html (Verified)
- Kentico Xperience Hotfixes – https://devnet.kentico.com/download/hotfixes (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, east-west traffic security, inline IPS, egress policy enforcement, and multicloud visibility would have collectively contained attacker movement, detected abnormal activity, and limited the potential for data exfiltration or operational impact.
Control: Inline IPS (Suricata)
Mitigation: Real-time prevention of known exploit attempts targeting vulnerable services.
Control: Zero Trust Segmentation
Mitigation: Restricted unauthorized privilege escalation attempts via least-privilege access control.
Control: East-West Traffic Security
Mitigation: Detection and blocking of unauthorized lateral movement attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unauthorized outbound C2 traffic.
Control: Multicloud Visibility & Control
Mitigation: Alerted on and prevented anomalous exfiltration attempts.
Rapid detection and containment of malicious activity at scale.
Impact at a Glance
Affected Business Functions
- IT Operations
- Customer Service
- Sales
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive customer data, including personal and financial information, due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Prioritize immediate patching of all known exploited vulnerabilities, especially those listed in CISA KEV.
- Deploy Zero Trust Segmentation and microsegmentation to tightly control workload-to-workload access and reduce lateral movement risk.
- Implement inline intrusion prevention and real-time traffic inspection at all cloud ingress and egress points.
- Enforce strict outbound (egress) controls, including FQDN filtering and anomaly-based detection, to prevent data exfiltration and C2 communications.
- Continuously monitor multicloud environments with centralized visibility, alerting, and automated response through a distributed security fabric.