CISA Adds Five Exploited CVEs to KEV Catalog: Urgent Patch Guidance

CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog — a move that instantly elevates them into the highest operational priority for federal agencies and a de‑facto urgent patching signal for enterprises. The five entries highlighted in the recent update are: CVE‑2022‑48503 (Apple multiple products, WebKit/JavaScriptCore), CVE‑2025‑2746 and CVE‑2025‑2747 (Kentico Xperience — Staging Sync Server authentication bypasses), CVE‑2025‑33073 (Microsoft Windows SMB Client improper access control/elevation), and CVE‑2025‑61884 (Oracle E‑Business Suite Server‑Side Request Forgery / information disclosure). These are not theoretical scores on a CVSS chart — each was added to KEV because of evidence of active or credible in‑the‑wild exploitation, and that changes how security teams must triage them.

---

Background / Overview​

CISA’s Known Exploited Vulnerabilities (KEV) Catalog exists to convert telemetry and credible incident reporting into operational deadlines under Binding Operational Directive (BOD) 22‑01. When CISA places a CVE in KEV, Federal Civilian Executive Branch (FCEB) agencies must remediate or mitigate it within the timeline specified in the catalog — effectively turning threat intelligence into mandatory workstreams — and private‑sector defenders are strongly urged to adopt the same urgency. The KEV designation therefore functions as both a policy instrument and an operational prioritization signal: these vulnerabilities are being weaponized now.
Why that matters: attackers prioritize easy, high‑impact wins. Known exploited flaws are the most efficient path to compromise for ransomware groups, financially motivated threat actors, and some state actors. KEV items reduce signal‑to‑noise for busy vulnerability management programs by flagging the subset of CVEs where proof of exploitation or credible telemetry exists. Treat them as triage redlines.

---

What was added — quick technical summaries​

Below are concise technical summaries, exploitation status, and immediate remediation advice for each of the five CVEs CISA flagged. Each entry is cross‑checked against vendor advisories, NVD entries, and independent security vendor writeups.

CVE‑2022‑48503 — Apple multiple products (WebKit / JavaScriptCore)​

• What it is: A memory‑corruption / bounds‑check issue in JavaScriptCore (WebKit) that could allow arbitrary code execution when processing specially crafted web content. Affected products historically included Safari and multiple Apple OS releases prior to the security updates.
• Exploitation: This class of WebKit issues has historically attracted in‑the‑wild exploitation; the flaw was fixed in Apple security updates (iOS/macOS/tvOS/watchOS/Safari versions noted in vendor advisories). Administrators and users should assume successful exploitability on unpatched hosts.
• Immediate action: Update Apple platforms and Safari to the vendor‑released security updates (the specific OS and Safari build numbers are listed in Apple advisories and NVD). Where direct updating is not immediately possible, block or restrict access to untrusted websites and treat browsers as high‑risk attack surface.

CVE‑2025‑2746 & CVE‑2025‑2747 — Kentico Xperience Staging Sync Server authentication bypasses​

• What they are: Two critical authentication‑bypass vulnerabilities in the Staging Sync Server component of Kentico Xperience. CVE‑2025‑2746 involves digest authentication handling of empty SHA‑1 password cases; CVE‑2025‑2747 stems from improper handling of a None password type in SOAP UsernameToken flows (WSE 3.0 related). Both allow remote attackers to bypass authentication and control administrative objects — a direct path to content tampering and, when chained with post‑auth flaws, full remote code execution.
• Exploitation: Public technical writeups and proof‑of‑concepts have circulated; security researchers demonstrated chaining of these bypasses with file‑upload/post‑auth bugs to achieve RCE. NVD and independent advisory pages rate both as critical (CVSS ≈ 9.8).
• Immediate action: Apply the official Kentico hotfixes immediately. If patching is delayed, disable the Staging Sync Server or restrict it to trusted internal IP ranges and require certificate‑based authentication. Where possible, switch staging authentication to X.509 (certificate‑based) to eliminate the vulnerable SOAP username/password paths.

CVE‑2025‑33073 — Microsoft Windows SMB Client improper access control / elevation​

• What it is: An improper access control flaw in the Windows SMB client implementation that can be abused by an attacker‑controlled SMB server to coerce a client into authenticating and escalate privileges to SYSTEM on the client. The vulnerability matters because SMB is used pervasively in Windows environments for file/print services, IPC, and various protocols that can be tricked into initiating SMB connections.
• Exploitation: Public reporting and Patch Tuesday notes indicate proof‑of‑concepts were published and the issue was patched by Microsoft in the June 2025 updates; multiple security vendors called it a high‑severity elevation‑of‑privilege and recommended urgent patching. Mitigations like enforcing SMB signing on servers reduce the attack surface but are not a substitute for the patch.
• Immediate action: Apply Microsoft’s June 2025 security updates. In parallel:
• Enforce SMB signing via Group Policy for servers that can accept SMB connections.
• Block or restrict outbound SMB (TCP 445) to untrusted external hosts.
• Monitor for unusual SMB authentication events, unexpected UNC path activity, or connections to new/unknown servers.

CVE‑2025‑61884 — Oracle E‑Business Suite (Oracle Configurator / Runtime UI) — SSRF / unauth info disclosure​

• What it is: A vulnerability affecting Oracle E‑Business Suite’s Configurator (Runtime UI) component that permits unauthenticated, remotely exploitable access leading to information disclosure or compromise of Configurator‑accessible data. Oracle classified the issue as exploitable without authentication and released an out‑of‑band Security Alert.
• Exploitation: Oracle released an immediate patch via its Security Alert program and published risk matrices; independent vendors and national CERTs confirmed the vulnerability’s severity and recommended emergency patching. News reports tied the timing of this advisory to increased targeting of EBS instances by extortion groups and opportunistic attackers.
• Immediate action: Apply Oracle’s Security Alert updates for the affected E‑Business Suite versions (12.2.3–12.2.14 and specified releases). If you have internet‑facing EBS instances, treat them as priority remediation targets: temporarily restrict external access, require additional network filtering, and perform forensic review of web access logs for signs of SSRF‑style abuse until patches are applied.

---

Why these additions should change your remediation priorities​

• KEV ≠ every CVE: KEV is intentionally conservative — only CVEs with evidence of active exploitation or strong telemetry are listed. When a CVE transitions from the generic vulnerability stream into KEV, the operational risk model changes: your “patch in 30 days” backlog becomes a two‑week (or earlier) emergency for federal entities and a high‑priority fix in corporate programs.
• Diversity of attack surface: The five flagged CVEs illustrate a recurring adversary pattern — mix old and new, across stacks: browser engines (WebKit), web‑facing business apps (Kentico, Oracle), and core OS protocols (SMB). Attackers exploit the weakest link — often an internet‑reachable management endpoint or an unpatched client component.
• Chained impact: Authentication bypass in a CMS or SSRF in an ERP can be the initial vector for data theft, then chained into code execution or lateral movement. SMB client flaws can be weaponized for privilege escalation and full host takeover once an initial foothold exists. KEV designations reflect that practical chaining observed in incident telemetry, not just theoretical severity.

---

Practical remediation playbook — prioritized, actionable steps​

Below is a short, prioritized playbook tailored for Windows/enterprise administrators and security teams to reduce risk quickly. Apply items in order, and escalate tickets based on asset criticality.

• Emergency patching (hours–days)
• Apply vendor patches immediately for the KEV‑listed CVEs (Apple OS/Safari updates for CVE‑2022‑48503; Kentico hotfixes; Microsoft June 2025 updates for CVE‑2025‑33073; Oracle Security Alert patches for CVE‑2025‑61884). Patching is the only reliable long‑term fix.
• Compensating controls when patching will be delayed (days)
• Kentico: disable or firewall the Staging Sync Server; require certificate‑based staging authentication.
• SMB: enforce SMB signing at server side via Group Policy; restrict outbound SMB (TCP 445) to untrusted networks.
• Oracle EBS: isolate internet‑facing EBS instances behind web application firewalls (WAFs), block HTTP access from untrusted sources, and apply strict allowlists.
• Apple/WebKit: reduce exposure by restricting untrusted web content, blocking risky web plugins, and applying corporate browser update policies.
• Detection & monitoring (days–weeks)
• Hunt for anomalous SMB connections, new UNC paths, or sudden LSA/Service account authentication patterns (SMB client coercion indicators).
• Audit Kentico staging endpoints for unauthorized requests and review staging task logs for unexpected changes.
• For Oracle EBS, analyze web server and application logs for unusual SSRF‑like requests and monitor for data exfiltration patterns.
• Incident response (as required)
• If evidence of exploitation is found: isolate affected hosts, collect full forensic artifacts (memory, disk, network captures), and engage legal/comms teams if data access is suspected. KEV additions imply exploitation risk; treat alerts accordingly.
• Long‑term fixes (weeks–months)
• Harden external management interfaces, adopt certificate‑based authentication where available, and implement least‑privilege and segmentation for all application management channels. Build the KEV catalog into vulnerability‑prioritization processes and SLA targets.

---

Detection and hunting suggestions (chunked, practical)​

• SMB client EoP (CVE‑2025‑33073)
• Search for outbound TCP/445 sessions from endpoints that are not known file servers.
• Detect unusual UNC paths or System process-level authentications that appear shortly after user‑level actions.
• Monitor for processes launching with SYSTEM after a network connection to an unfamiliar SMB host.
• Kentico Staging (CVE‑2025‑2746/2747)
• Hunt for SOAP UsernameToken requests missing <Password> elements or digest authentication exchanges showing anomalous empty SHA‑1 hashes.
• Monitor for staging tasks that create or modify administrative objects and correlate with IPs outside known staging sources.
• Oracle EBS (CVE‑2025‑61884)
• Look for HTTP requests with crafted parameters that generate internal HTTP calls (indicative SSRF) and check for successful 200 responses from internal services.
• Correlate web requests to sensitive Configurator pages with anomalous user sessions.
• WebKit / Safari (CVE‑2022‑48503)
• On endpoint agents, monitor for exploitation indicators involving browser crashes, unexpected child processes started from browser contexts, or use‑after‑free style anomalies in process telemetry. Prioritize browser update enforcement.

---

Assessing operational risk and program tradeoffs​

• Strengths of the KEV approach:
• Focuses scarce patching resources on actual exploitation — a pragmatic improvement over chasing every CVE with a high CVSS score.
• Provides federal agencies with legally backed deadlines, which improves patch uptake across critical infrastructure.
• Practical risks and friction:
• KEV deadlines can strain operations: emergency patches may cause service impacts if not validated, and legacy dependencies can complicate immediate remediation.
• Overreliance on KEV alone is dangerous: some critical, exploitable vulnerabilities may be exploited before CISA adds them to KEV. KEV should be one prioritization input among others (threat intel, asset criticality, exploitability metrics).
• Recommended governance adjustments:
• Integrate KEV listings into change‑control and emergency patch policies with pre‑approved risk windows and rollback plans.
• Maintain a short “accelerated remediation” lane (2–7 days) for KEV items with automated inventory and deployment playbooks that include rollback and smoke testing.

---

Vendor coordination and patch verification — an explicit checklist​

• Confirm patched versions via vendor advisories and NVD (do not rely solely on third‑party summaries).
• Apple: check Apple security release notes and update management portals for exact OS/Safari package numbers.
• Kentico: obtain Kentico hotfixes from official devnet/hotfix pages and validate installed version numbers (13.x build specifics depend on advisory).
• Microsoft: use the Microsoft Security Update Guide and monthly KBs (June 2025 Patch Tuesday) to identify and deploy the correct KB for each Windows build.
• Oracle: apply the specific Security Alert patches listed in Oracle’s advisory and the associated risk matrix pages.
• Validate patch deployment:
• Inventory — locate all instances of the affected software (servers, containers, appliances).
• Patch — schedule and apply vendor fixes in prioritized order.
• Verify — confirm version numbers and run functional smoke tests.
• Scan — run an authenticated vulnerability scan to confirm the CVE no longer appears.
• Monitor — observe logs and telemetry for at least two weeks post‑patch for signs of exploitation or regressions.

---

What defenders often miss (and how to avoid it)​

• Overfocusing on servers while neglecting clients: SMB client vulnerabilities emphasize that client software can be the escalation vector. Defenders must control both sides of common protocols — clients and servers — and limit client exposure to untrusted hosts.
• Forgotten management endpoints: CMS staging services or ERP admin consoles are often exposed during migrations or testing. Inventory and restrict these endpoints before anything else.
• Assuming “no active exploitation” = low risk: KEV exists precisely to flag those CVEs where exploitation has been observed. If a CVE is listed by CISA, treat it as actively dangerous until proven otherwise.

---

Conclusion — operational priorities for the next 72 hours​

• Treat KEV additions as emergency triage items. For the vulnerabilities cited in the latest batch — Apple WebKit (CVE‑2022‑48503), Kentico Xperience staging bypasses (CVE‑2025‑2746/2747), Windows SMB client EoP (CVE‑2025‑33073), and Oracle EBS SSRF (CVE‑2025‑61884) — the immediate three priorities are:
• Confirm exposure (inventory affected versions and internet‑facing instances).
• Patch (apply vendor fixes, starting with internet‑reachable and high‑value assets).
• Compensate (isolate, disable vulnerable services, enforce SMB signing, restrict access) until the patch is confirmed.

CISA’s KEV catalog is not a bureaucratic suggestion — it is an operational accelerant designed to reduce windows of exposure. Security teams should bake KEV‑driven workflows into their incident and patch‑management processes, and use the checklist and hunting suggestions above to turn urgency into measurable remediation outcomes.

---

Source: CISA CISA Adds Five Known Exploited Vulnerabilities to Catalog | CISA