The United States Cybersecurity and Infrastructure Security Agency (CISA) has added five previously disclosed vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a worrying server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite.
Multiple companies and analysts had been warning of the exploitation of CVE-2025-61882 since it was first disclosed on October 4, but the flaw CISA has now flagged as exploited is CVE-2025-61884, a separate vulnerability published days later on October 12.
According to its CVE listing, CVE-2025-61884 is an “easily exploitable vulnerability” that can allow a malicious, unauthenticated attacker to compromise the Oracle Configurator via HTTP.
“Successful attacks of this vulnerability can result in unauthorised access to critical data or complete access to all Oracle Configurator accessible data,” the vulnerability’s CVE listing says.
CVE-2025-61884 has a CVSS score of 7.5, rating it as a High severity vulnerability, and is present in Oracle E-Business Suite versions 12.2.3 through 12.2.14.
“If successfully exploited, this vulnerability may allow access to sensitive resources,” Oracle said in its advisory.
“Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible.”
CVE-2022-48503 is an older vulnerability in multiple Apple products that may lead to code execution. It was fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, and Safari 15.6, and was first disclosed in August 2023.
CVE-2025-2746 and CVE-2025-2747 both impact Kentico Xperience Staging Sync Server. Both are authentication bypass vulnerabilities that could let an unauthenticated attacker control administrative objects. The first stems from the server's password handling of empty SHA1 usernames, the second from component password handling for the server-defined None type.
These flaws date back to March 2025, and both carry a Critical severity CVSS score of 9.8. The first affects all versions up to and including 13.0.172, the second all versions up to and including 13.0.178.
Finally, CVE-2025-33073 is a High severity (CVSS score of 8.8) elevation of privilege vulnerability in the Windows SMB Client disclosed in June of this year. It impacts multiple Windows client and Server versions, which are listed in Microsoft's advisory for the CVE.
