Article Details
Scrape Timestamp (UTC): 2025-10-20 19:04:54.932
Source: https://thehackernews.com/2025/10/five-new-exploited-bugs-land-in-cisas.html
Original Article Text
Five New Exploited Bugs Land in CISA's Catalog — Oracle and Microsoft Among Targets

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, officially confirming that a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks.

The security defect in question is CVE-2025-61884 (CVSS score: 7.5), which has been described as a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator that could allow attackers unauthorized access to critical data. "This vulnerability is remotely exploitable without authentication," CISA said.

CVE-2025-61884 is the second flaw in Oracle EBS to be actively exploited, along with CVE-2025-61882 (CVSS score: 9.8), a critical bug that could permit unauthenticated attackers to execute arbitrary code on susceptible instances. Earlier this month, Google Threat Intelligence Group (GTIG) and Mandiant revealed that dozens of organizations may have been impacted following the exploitation of CVE-2025-61882.

"At this time, we are not able to attribute any specific exploitation activity to a specific actor, but it's likely that at least some of the exploitation activity we observed was conducted by actors now conducting Cl0p-branded extortion operations," Zander Work, senior security engineer at GTIG, told The Hacker News last week.

Also added by CISA to the KEV catalog are four other vulnerabilities -

There are currently no details on how the aforementioned four issues are being exploited in the wild, although details about CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747 were shared by researchers from Synacktiv and watchTowr Labs, respectively.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by November 10, 2025, to secure their networks against active threats.
Daily Brief Summary
CISA has expanded its Known Exploited Vulnerabilities Catalog with five new security flaws, including critical vulnerabilities in Oracle and Microsoft products.
A significant vulnerability, CVE-2025-61884, affects Oracle E-Business Suite, enabling unauthorized access to critical data via server-side request forgery.
Another critical flaw, CVE-2025-61882, allows unauthenticated attackers to execute arbitrary code, impacting numerous organizations as reported by Google Threat Intelligence Group and Mandiant.
While specific threat actors remain unidentified, some exploitation activities are linked to Cl0p-branded extortion operations, suggesting organized cybercriminal involvement.
Federal agencies are mandated to address these vulnerabilities by November 10, 2025, to mitigate potential risks and bolster network security.
Additional vulnerabilities, CVE-2025-33073, CVE-2025-2746, and CVE-2025-2747, have been identified, though exploitation details remain sparse.
Organizations are urged to prioritize patching and remediation efforts to protect against these actively exploited threats.