The US Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog—all of which are known to have been exploited in the wild.
CVE-2022-48503 affects multiple Apple products; when processing web content, the flaw enables attackers to carry out arbitrary code execution. It has been addressed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, and Safari 15.6.
CVE-2025-2746 is a critical authentication bypass vulnerability (CVSS 9.8) affecting all Kentico Xperience versions up to 13.0.172. A flaw in the Staging Sync Server allows threat actors to bypass authentication and take control of administrative objects.
CVE-2025-2747 is a second critical authentication bypass vulnerability (CVSS 9.8) within Kentico Xperience, but this flaw affects all versions up to 13.0.178.
According to Piotr Bazydlo, the watchTowr researcher who discovered the Kentico Xperience flaws, they can be used to gain “full control over the CMS.”
“Combined with the post-auth RCE vulnerability that we’ve highlighted, it should be unequivocally obvious that these vulnerabilities can be trivially chained for RCE,” Bazydlo adds.
Kentico has released hotfixes for both vulnerabilities, which can be applied using the Kentico Xperience Installation Manager utility. According to Kentico, hotfixes are cumulative, so users should apply the latest hotfix available for their Kentico Xperience version.
CVE-2025-33073 is a high-severity privilege escalation vulnerability (CVSS 8.8) affecting all Microsoft Windows Server and Windows 10 versions, as well as Windows 11 versions up to 24H2. The vulnerability stems from improper access control in Windows SMB that enables attackers to gain SYSTEM privileges over a network.
“The attacker could convince a victim to connect to an attacker-controlled malicious application (for example, SMB) server. Upon connecting, the malicious server could compromise the protocol,” Microsoft explained. “This could result in elevation of privilege.”
CVE-2025-61884 is a high-severity vulnerability (CVSS 7.5) affecting Oracle E-Business Suite versions 12.2.3 through 12.2.14. The easily exploitable flaw enables attackers to gain complete access to critical Oracle Configurator data—without having to authenticate over the network with a username and password.
According to CISA, each of the five vulnerabilities is being actively exploited, and they pose “significant risks” to the federal enterprise.
Urgent Remediation Required
Federal Civilian Executive Branch (FCEB) agencies are required by Binding Operational Directive (BOD) 22-01 to remediate the five vulnerabilities by November 10th in order to protect their networks against active threats.
Though remediation is only explicitly required of FCEB agencies, CISA is urging all organizations—including those in the private sector—to patch these flaws and upgrade to the newest available versions of each product as soon as possible.