CISA has just confirmed that five newly listed vulnerabilities are being used to attack systems in the real world. These aren't hypothetical problems or ones that MIGHT become a problem. No, these are live attacks using weaponized flaws that target the exact business software and government networks your company and government rely on. If you're running any of the usual enterprise platforms, content management sites, Windows systems, or older Apple devices in your business, then you need to act fast: any delay in patching can bring down your whole environment in a matter of minutes.
Oracle EBS hit by critical RCE and SSRF bugs
CISA is warning that Oracle E-Business Suite (EBS) is being exploited through a critical RCE vulnerability and an SSRF vulnerability.
CVE-2025-61884 is a Server Side Request Forgery (SSRF) vulnerability that CISA has confirmed is being used against real companies and businesses. This one sits in the runtime component of Oracle Configurator, carries a CVSS score of 7.5, and CISA warns it's an "attack that can be launched remotely with no need to log in."
Also on the FBI's list of vulnerabilities is CVE-2025-61882, a 9.8-rated remote command execution (RCE) vulnerability in the same Oracle E-Business Suite software: a fully unauthenticated compromise that we know has already been used against dozens of companies earlier this month.
“At this time, we are not able to attribute any specific exploitation activity to a specific actor, but it’s likely that at least some of the exploitation activity we observed was conducted by actors now conducting Cl0p-branded extortion operations,” said Zander Work, Senior Security Engineer at Google Threat Intelligence Group.
Microsoft SMB Client flaw allows privilege escalation
CVE-2025-33073 (CVSS 8.8) affects the Microsoft Windows SMB Client. It allows privilege escalation under certain conditions. Microsoft patched it in June 2025. If you're behind on updates, this is your flag. Its presence in the KEV catalog means active exploitation is already happening. Don't get burned.
Kentico CMS staging sync has two auth bypass bugs
Two vulnerabilities in Kentico Xperience CMS were added to the KEV list:
• CVE-2025-2746 (CVSS 9.8): An auth bypass because the Staging Sync Server doesn't correctly handle empty SHA1 usernames in digest authentication
• CVE-2025-2747 (CVSS 9.8): Another auth bypass, this time in the same server's handling of the None type
Both were fixed in March 2025. But if you haven’t updated, you’re at risk.
Apple’s JavaScriptCore bug hits legacy iPhones and Macs
CVE-2022-48503 (CVSS 8.8) is a code execution vulnerability in Apple’s JavaScriptCore engine. The bug is an array index validation issue. Malicious web content can exploit it to run arbitrary code. Apple fixed this in July 2022, but older devices and unpatched systems are still vulnerable. This is a classic long-tail vulnerability risk.
Why you should care: The attack surface is big and getting bigger
This isn't a niche threat. These five CVEs hit everything from business apps to CMS platforms to core Windows components. Here's the breakdown:
• Oracle EBS bugs give attackers an unauthenticated RCE path and data access through SSRF.
• The SMB flaw enables lateral movement inside networks.
• The Kentico pair lets attackers take over CMS environments used for staging and publishing.
• The Apple vulnerability shows the ongoing risk of legacy systems that missed critical patches.
Ransomware loves this kind of attack surface.
Government Mandates a Deadline of November 10, 2025 - Don't Wait Until the Last Minute
FCEB agencies are being told to patch the five vulnerabilities by November 10, 2025, but as far as we're concerned, that's no reason to put off getting started for even a single day. And let's be clear about this: threat actors don't work to deadlines, and they won't take a break while everyone else gets their affairs in order.
Action Required NOW: Patch, Restrict Access, Monitor & Repeat
Here's what needs to happen ASAP:
Get auditing those patches, pronto:
• Oracle E-Business Suite: you need to cover CVE-2025-61882 and CVE-2025-61884
• Microsoft Windows: the June 2025 update for CVE-2025-33073 is still outstanding
• Kentico CMS: don't forget the March 2025 patches for CVE-2025-2746 and CVE-2025-2747
• Apple JavaScriptCore: the patch from July 2022 for CVE-2022-48503 still needs to be applied
Reduce your exposure:
• Lock down access to those sensitive admin panels in Oracle EBS and Kentico
• Limit the flow of SMB traffic: it should not stream freely across your internal networks
• Multi-factor auth for all admin logins - it's the least you can do
Hunt for those nasty indicators:
• Look for unusual patterns in Oracle EBS requests, such as requests that make the server fetch internal URLs; that could be SSRF
• See if there are any spikes in SMB share access or privilege use, and check Kentico logs for anything fishy
• Browser logs are the place to look for JavaScriptCore crashes or unexpected script execution
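The first two hunting points above can be turned into a concrete check. The following Python script is an added example, not something from CISA or from the article's author: it runs over a few constructed web-server access-log lines and flags (a) query parameters whose value is a URL aimed at loopback, private or link-local address space, the shape of request an SSRF bug like the Oracle Configurator one would be driven with, and (b) HTTP Digest authentication attempts whose username is empty, which is the condition the Kentico Staging Sync bug mishandles. The log line format, the request paths and the client addresses are all assumptions made for the example; adapt the regex to your own server's log format.

```python
"""Added example (not from the article): hunt an access log for two of the
indicators listed above.  The log format, paths and addresses are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed log format (an assumption, not a real server's default):
#   <client> "<METHOD> <path?query>" <status> <Authorization header or ->
_LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3}) (?P<auth>.*)$'
)
# A URL-looking value: scheme followed by "://"
_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# Digest auth with a literally empty username (CVE-2025-2746 condition)
_DIGEST_EMPTY_USER_RE = re.compile(r'^Digest\b.*\busername=""', re.I)


def is_internal_target(url):
    """True if the URL points at loopback, private, link-local or other
    non-public address space, or at a bare/LAN-style hostname."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host.lower() == "localhost":
        return True
    try:
        # ip_address() handles both IPv4 and IPv6 literals; is_global is False
        # for loopback, RFC 1918, link-local (169.254/16) and similar ranges.
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        # Not an IP literal: treat *.internal and dotless names as LAN names.
        return host.endswith(".internal") or "." not in host


def ssrf_candidates(path_and_query):
    """Return (param, value) pairs whose value is a URL to an internal target."""
    query = urlsplit(path_and_query).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if _URL_RE.match(value) and is_internal_target(value)
    ]


def hunt(lines):
    """Scan log lines; return (indicator, client, detail) tuples in log order."""
    findings = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        for name, value in ssrf_candidates(m["target"]):
            findings.append(("ssrf-internal-url", m["client"], f"{name}={value}"))
        if _DIGEST_EMPTY_USER_RE.match(m["auth"]):
            findings.append(("digest-empty-username", m["client"], m["target"]))
    return findings


# Constructed sample log; the paths are illustrative placeholders, not
# confirmed exploit endpoints from the article.
SAMPLE_LOG = [
    '198.51.100.7 "GET /OA_HTML/configurator/UiServlet?redirect=http://169.254.169.254/latest/meta-data/" 200 -',
    '198.51.100.7 "GET /OA_HTML/configurator/UiServlet?redirect=http://10.0.0.5:8080/admin" 200 -',
    '203.0.113.40 "GET /OA_HTML/help?ref=https://docs.example.com/guide" 200 -',
    '203.0.113.41 "POST /CMSPages/Staging/SyncServer.asmx" 401 Digest username="", realm="kentico", nonce="abc"',
    '203.0.113.42 "POST /CMSPages/Staging/SyncServer.asmx" 200 Digest username="deploy", realm="kentico", nonce="abc"',
]

if __name__ == "__main__":
    for indicator, client, detail in hunt(SAMPLE_LOG):
        print(f"{indicator:24} {client:15} {detail}")
```

Run against the constructed sample, the script reports the two Configurator requests pointing at the link-local metadata address and a private host, and the one staging-sync request with an empty Digest username; the external documentation link and the normally authenticated sync request are left alone. The address check relies on `ipaddress.is_global`, so reserved ranges you did not think to list (link-local, loopback, RFC 1918, IPv6 equivalents) are covered without a hand-maintained blocklist.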
Close the gaps:
• Get a handle on which systems are out of date, hidden away, or flying under the radar
• Don't forget those remote offices & partner systems - we've got a feeling patches are just sitting there waiting to be installed
Bottom line: These threats are real, active, and already inside some networks
These five vulnerabilities are being actively exploited in the wild right now, and some organizations have already been impacted. Patching should be your next focus. Validate coverage across all environments, and look for signs of compromise in your logs and on your endpoints.
Attackers are not waiting, so don’t let your organization be their next easy target.