KEV Updates Seven Vulnerabilities: Legacy CVEs and Oracle EBS RCE

CISA’s Known Exploited Vulnerabilities (KEV) Catalog grew again this week when the agency added seven vulnerabilities to the list — a mix of decade‑old, well‑documented browser and Windows flaws, a high‑impact Linux kernel bug, and a freshly disclosed Oracle E‑Business Suite remote code execution issue that has already seen active abuse in the wild. The additions underscore a persistent pattern: attackers continue to weaponize both legacy CVEs and modern enterprise flaws, and the presence of these entries in KEV converts that intelligence into an operational mandate for federal agencies and a high‑priority action item for the private sector.

Background / Overview

CISA’s KEV Catalog is the operational "hot list" of Common Vulnerabilities and Exposures that the agency has determined are being actively exploited and therefore present significant risk to the federal enterprise. The catalog was created under Binding Operational Directive 22‑01 (BOD 22‑01), which requires Federal Civilian Executive Branch (FCEB) agencies to remediate cataloged CVEs on accelerated timelines: generally two weeks for CVEs assigned in 2021 or later, and six months for older CVEs — timelines that can be shortened if a vulnerability poses a grave risk. That directive turns threat intelligence into enforceable operational work for federal agencies, while also serving as a de‑facto priority guide for the private sector.
The seven CVEs added in the latest update are:
  • CVE‑2010‑3765 — Mozilla multiple‑product remote code execution (historical browser exploit)
  • CVE‑2010‑3962 — Microsoft Internet Explorer uninitialized memory corruption (RCE)
  • CVE‑2011‑3402 — Microsoft Windows TrueType font parsing remote code execution (Duqu era)
  • CVE‑2013‑3918 — Microsoft Windows Out‑of‑Bounds write (InformationCardSigninHelper ActiveX)
  • CVE‑2021‑22555 — Linux kernel heap out‑of‑bounds write (netfilter / x_tables)
  • CVE‑2021‑43226 — Microsoft Windows privilege escalation (CLFS driver)
  • CVE‑2025‑61882 — Oracle E‑Business Suite unspecified vulnerability (remote, unauthenticated RCE; recently observed in extortion campaigns).
Below is a technical breakdown of each entry, why they matter today, recommended mitigation and detection steps, and an assessment of how these additions affect federal and enterprise defenders.

Why legacy CVEs still matter: the 2010–2013 entries

CVE‑2010‑3765 — Mozilla multiple‑product RCE (Firefox/Thunderbird/SeaMonkey)

CVE‑2010‑3765 is a heap corruption flaw in older versions of Mozilla Firefox and related clients that was exploited in 2010 by the Belmoo campaign. Although the affected product versions are long out of support for most organizations, the vulnerability remains worth cataloging because attackers often target legacy, unmanaged systems and appliances that embed outdated browser engines or libraries. Public CVE and vendor records document the original exploit chain and the memory‑corruption root cause, confirming active exploitation at the time of disclosure.
Risk and operational impact
  • High for unmanaged or embedded environments that still run outdated browser engines (appliances, kiosks, VM golden images).
  • Low for fully‑patched, modern Windows/macOS systems that run current browsers.
Recommended actions
  • Inventory all systems and appliances that host or bundle browser engines (including thin clients and imaging systems).
  • Replace or update systems that contain obsolete Firefox/SeaMonkey/Thunderbird builds.
  • Apply network controls to isolate legacy appliances and add detection rules in web proxies for known exploit signatures.

CVE‑2010‑3962 — Internet Explorer uninitialized memory corruption (MS10‑090)

Microsoft’s MS10‑090 advisory describes an uninitialized memory corruption in Internet Explorer that was exploited in the wild in 2010 and can allow remote code execution when a user views crafted content. This is a classic browser‑based RCE vector that historically powered watering‑hole attacks and drive‑by exploits. Microsoft’s security bulletin outlines the exploitation path and the high severity of the issue.
Why this stays on KEV
  • Internet‑facing endpoints and legacy web applications that rely on aged IE/Trident components remain frequent targets.
  • Tooling that performs automated exploitation against exposed endpoints can fall back on old browser bugs when it finds legacy stacks.
Mitigations
  • Remove Internet Explorer or disable its engine where possible; enforce modern browsers.
  • Harden endpoint browser sandboxing and minimize privileged contexts for browsing.
  • Block known exploit payload patterns in content‑inspection devices and monitor endpoint telemetry for suspicious memory corruption traces.

CVE‑2011‑3402 — TrueType font parsing bug (Duqu)

CVE‑2011‑3402 is the kernel‑level TrueType font parsing vulnerability exploited during the Duqu incidents in late 2011. Microsoft published advisories describing how crafted font data embedded in documents or web content could trigger kernel memory corruption and remote code execution via win32k.sys. It is historically significant because the exploit chain targeted Windows kernel subsystems and was used in high‑value targeted intrusions.
Why CISA would flag it now
  • Evidence of ongoing, real‑world exploitation — or newly discovered exploit code — can push a legacy CVE back into KEV.
  • The vulnerability is attractive to attackers when privileged document‑processing servers (e.g., document converters, mail gateways) still run unpatched Windows kernels.
Remediation checklist
  • Confirm all Windows hosts have received and installed the Microsoft security updates addressing the flaw.
  • Harden document processing paths and sandbox document‑rendering components.
  • Monitor file‑ingestion systems for anomalies, and hunt for known exploit artifacts tied to Duqu‑style samples.

CVE‑2013‑3918 — InformationCardSigninHelper ActiveX out‑of‑bounds write

The InformationCardSigninHelper ActiveX control (icardie.dll) was abused in IE‑hosted watering‑hole attacks in 2013. The vulnerability allows an out‑of‑bounds write leading to remote code execution when IE opens a crafted page. Microsoft addressed the issue in its November 2013 security updates; public tracking pages document the exploit and remediation.
Defender actions
  • Remove or block legacy ActiveX controls and restrict Internet Explorer usage via group policy.
  • For environments that must support legacy ActiveX, implement application whitelisting and use isolation (AppContainer, virtualized browser sessions).
  • Add IDS/IPS signatures for the historical exploit traffic and hunt for signs of past compromise.

The modern kernel and Windows privilege‑escalation entries

CVE‑2021‑22555 — Linux kernel heap out‑of‑bounds write (netfilter / x_tables)

This is a local privilege‑escalation / DoS vulnerability in the Linux kernel’s netfilter x_tables code that allows an out‑of‑bounds write on the heap. The flaw affects kernel versions dating back years and was patched in mid‑2021; major distributions published advisories and fixes at the time. The vulnerability allows unprivileged local users to corrupt kernel memory and potentially achieve elevation or crash hosts, and public advisories from NVD, Ubuntu, Red Hat and others document both the technical root cause and the availability of patches.
Why it’s on KEV now
  • KEV is populated by evidence of exploitation; if defenders observe in‑the‑wild privilege‑escalation activity leveraging this kernel bug (for local privilege gains or post‑exploit persistence), CISA will add it even though the bug’s initial disclosure occurred in 2021.
  • Linux hosts that permit untrusted local code execution (e.g., weak container isolation, exposed developer VMs, shared hosting) remain high‑risk.
Mitigation & detection
  • Apply vetted kernel updates from your distribution immediately; vendors published patched kernels in 2021 and later backports for enterprise distros.
  • Harden container runtimes: enable user namespaces, seccomp filters, AppArmor/SELinux policies and avoid running container workloads as root when possible.
  • Hunt for suspicious kernel exploits by monitoring for unexpected crashes, kernel oops messages, and privilege‑escalation indicator patterns; collect audit logs and correlate local process escalation attempts.

CVE‑2021‑43226 — Windows Common Log File System (CLFS) privilege escalation

CVE‑2021‑43226 affects the Windows Common Log File System driver and enables local privilege escalation when exploited by a low‑privilege process. Microsoft documented the vulnerability and released guidance and patches in late 2021; public vulnerability databases and vendor advisories provide details on affected Windows builds and mitigation KBs. Attackers often chain these LPEs with remote footholds to gain SYSTEM level control, making even "local" bugs highly consequential in post‑exploit scenarios.
Operational guidance
  • Apply Microsoft’s security updates across all Windows hosts according to the vendor KBs listed for CVE‑2021‑43226.
  • Limit local administrator rights and implement just‑in‑time elevation workflows to reduce lateral abuse of LPEs.
  • Use endpoint detection tools to detect suspicious token duplications, new service creation, or unexpected registry modifications.

NEW: CVE‑2025‑61882 — Oracle E‑Business Suite remote code execution (recent, active exploitation)

Oracle released a Security Alert for CVE‑2025‑61882 affecting Oracle E‑Business Suite versions 12.2.3–12.2.14, describing an unauthenticated remote code execution vulnerability and providing patches; Oracle’s advisory explicitly states the vulnerability may be exploited over a network without credentials and includes mitigation instructions and IOCs. Independent reporting and sector advisories (for example, H‑ISAC) indicate the flaw has been observed in extortion and data theft campaigns, and the earliest vendor advisory revision appeared on October 4, 2025. Given the unauthenticated RCE nature and reported active exploitation, CISA’s decision to add this CVE to KEV (and to highlight it publicly) elevates the operational priority for both federal and private environments that run E‑Business Suite.
Why this one is urgent
  • Oracle EBS is widely used in finance, procurement, HR and other processes that hold business‑critical and sensitive data.
  • The vulnerability is remotely exploitable without credentials and was reportedly used in early extortion campaigns — a typical pattern for adversaries targeting high‑value enterprise applications.
Immediate actions for Oracle EBS operators
  • Apply Oracle’s Security Alert patches per the vendor’s instructions without delay and confirm prerequisites (the advisory lists the October 2023 Critical Patch Update requirement).
  • If immediate patching is not possible, implement temporary mitigations (network segmentation, WAF rules blocking relevant endpoints, disable unused services) and increase monitoring of EBS interfaces and audit logs.
  • Hunt for Indicators of Compromise provided by Oracle and shared by sector ISACs; collect network traffic and system logs for retrospective analysis.
Caveat on the CISA alert retrieval
  • During verification, the agency’s Oct 6, 2025 CISA alert page could not be fetched directly due to access restrictions from the crawler used, but the Oracle advisory, ISAC bulletins, and CISA’s KEV/BOD documentation corroborate the situation and the urgency of the Oracle issue. Readers should consult the official CISA KEV catalog and vendor advisories for the authoritative advisory text and remediation deadlines.

What this means for federal agencies — and why private sector should care

BOD 22‑01 makes inclusion in the KEV Catalog a binding operational signal for Federal Civilian Executive Branch agencies: remediate listed vulnerabilities according to the catalog‑specified timeline (two weeks for current CVEs, six months for older ones, unless CISA sets a different deadline). That converts threat intelligence into prioritized work queues, automated reporting obligations (via the CDM Federal Dashboard), and, in some cases, enforcement actions if agencies do not comply. The practical consequence is that when a CVE lands in KEV, it moves from “triage” to “mission critical” for any federal IT organization.
Why private sector organizations must treat KEV like a canary in the coal mine
  • KEV entries are evidence‑based: attackers are already exploiting these issues. If you have the vulnerable technology in your environment, assume you are at immediate risk.
  • Attackers often scan broadly using automated tooling; a single exposed service (Oracle EBS, a web server with an old IE engine, or an unpatched Linux host) can be the pivot that compromises an entire supply chain.
  • Even when BOD 22‑01 does not apply to a private company, KEV entries should inform corporate vulnerability management SLAs and patch‑priority rules.

Practical remediation guidance for Windows administrators and IT teams

Inventory and classify assets
  • Use automated discovery to list all instances of Oracle EBS, Linux kernel variants, Windows versions, and browser/ActiveX components.
  • Tag assets that host business‑critical data or have internet exposure for immediate remediation.
Apply vendor updates and verify patch status
  • For Oracle EBS, follow Oracle’s Security Alert process and apply the provided patches; ensure patch prerequisites are met.
  • For Windows CVEs (2010–2013, 2021), apply vendor KBs or verify that systems are off modern‑support lists and isolated.
  • For Linux kernel fixes, apply distribution vendor kernels (Red Hat, Ubuntu, SUSE) that include the 2021 patches or later backports.
Prioritize by exposure and exploitability
  • Treat unauthenticated RCEs and widely exploited CVEs as top priority (the Oracle EBS RCE is a prime example).
  • For local privilege escalations or kernel LPEs, prioritize hosts that allow untrusted local code execution (CI/CD runners, multi‑tenant servers, developer workstations).
Harden and contain
  • Network segmentation: isolate critical applications like EBS behind restricted networks and WAFs.
  • Principle of least privilege: reduce local accounts’ privileges and avoid running services as root/Administrator.
  • Application whitelisting and endpoint protections: block unknown binaries and monitor for anomalous process creation.
Detect and hunt
  • Deploy detection rules for known exploit artifacts and IOCs from vendors and ISACs.
  • Correlate telemetry (EDR, Sysmon, kernel logs, web gateway) to detect successful exploit attempts and lateral movement.
  • Retrospectively scan logs for suspicious activity dating back to the initial disclosure windows.
Document and report
  • For federal agencies, report remediation status through the CDM Federal Dashboard as required by BOD 22‑01.
  • For private organizations, embed KEV items into your vulnerability remediation SLAs (e.g., a 48–72 hour patch window for unauthenticated RCEs).
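The inventory and prioritization steps above, together with the BOD 22‑01 timelines described earlier, can be turned into a small triage routine. The following is an added example, not code from the original post or from CISA: it matches a constructed asset inventory against constructed KEV‑style records for the seven CVEs in this post (field names follow the public KEV JSON schema; vendor/product strings and dates are made up) and computes the default BOD 22‑01 due date from the CVE year, deferring to a record's own dueDate when the catalog supplies one.

```python
"""Added example (not from the original post or from CISA): triage a constructed
KEV-style sample against a constructed asset inventory using the BOD 22-01
timelines described above (14 days for 2021+ CVEs, six months for older ones)."""
import re
from calendar import monthrange
from datetime import date, timedelta

# Constructed records for the seven CVEs in the post; KEV schema field names, made-up values.
KEV_SAMPLE = [
    {"cveID": "CVE-2010-3765", "vendorProject": "Mozilla", "product": "Multiple Products"},
    {"cveID": "CVE-2010-3962", "vendorProject": "Microsoft", "product": "Internet Explorer"},
    {"cveID": "CVE-2011-3402", "vendorProject": "Microsoft", "product": "Windows"},
    {"cveID": "CVE-2013-3918", "vendorProject": "Microsoft", "product": "Windows"},
    {"cveID": "CVE-2021-22555", "vendorProject": "Linux", "product": "Kernel"},
    {"cveID": "CVE-2021-43226", "vendorProject": "Microsoft", "product": "Windows"},
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite"},
]
for _rec in KEV_SAMPLE:
    _rec["dateAdded"] = "2025-10-06"  # constructed; the real catalog supplies this

# Constructed inventory: one record per host, matched on vendor and product.
INVENTORY = [
    {"host": "ebs-prod-01", "vendorProject": "Oracle", "product": "E-Business Suite"},
    {"host": "ci-runner-03", "vendorProject": "Linux", "product": "Kernel"},
    {"host": "kiosk-17", "vendorProject": "Microsoft", "product": "Internet Explorer"},
]

def cve_year(cve_id):
    """Year the CVE identifier was assigned, parsed from the ID itself."""
    return int(re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve_id).group(1))

def bod_due_date(cve_id, date_added):
    """BOD 22-01 default deadline: 14 days for CVEs assigned in 2021 or later,
    six calendar months for older ones (day clamped, e.g. Aug 31 + 6 -> Feb 28)."""
    if isinstance(date_added, str):
        date_added = date.fromisoformat(date_added)
    if cve_year(cve_id) >= 2021:
        return date_added + timedelta(days=14)
    month0 = date_added.month + 5  # zero-based month index, six months on
    year, month = date_added.year + month0 // 12, month0 % 12 + 1
    return date(year, month, min(date_added.day, monthrange(year, month)[1]))

def triage(kev, inventory):
    """(due_date, host, cveID) for every inventory hit, soonest first; a record's own dueDate wins."""
    hits = []
    for asset in inventory:
        for rec in kev:
            if (asset["vendorProject"].lower(), asset["product"].lower()) != (
                    rec["vendorProject"].lower(), rec["product"].lower()):
                continue
            due = rec.get("dueDate")
            due = date.fromisoformat(due) if due else bod_due_date(rec["cveID"], rec["dateAdded"])
            hits.append((due, asset["host"], rec["cveID"]))
    return sorted(hits)
```

Feeding the real catalog JSON's vulnerabilities array into triage() in place of KEV_SAMPLE gives the same ordered work queue with CISA's published due dates.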

The strengths and limits of KEV as a risk‑reduction tool

Strengths
  • KEV converts observed exploitation into clear operational priorities and timelines, which helps organizations focus scarce resources on the highest‑risk items.
  • Public vendor advisories and ISAC bulletins commonly accompany KEV additions, enabling coordinated patch and detection efforts across sectors.
Risks and limitations
  • KEV is necessarily reactive: it lists CVEs after exploitation evidence exists. Organizations still need proactive risk management to defend against novel zero‑days and supply‑chain threats.
  • Some entries are legacy CVEs; agencies may face non‑trivial operational friction patching or replacing embedded systems that cannot be updated easily.
  • KEV does not replace vendor‑specific prioritization: some vendors may issue more aggressive timelines or workarounds depending on their customer base and exposure.
Unverifiable or caveated claims
  • At the time of writing, direct fetching of CISA’s Oct 6 alert page encountered access restrictions from the verification tools used here; however, vendor advisories (Oracle), sector ISACs, and CISA’s documented KEV/BOD processes corroborate the catalog addition and its operational consequences. Readers should consult the KEV catalog and vendor advisories directly for the authoritative posting and the exact remediation due dates for each CVE.

Action checklist — immediate priorities (for CISOs and Windows/Unix admins)

  • Patch now: prioritize Oracle’s CVE‑2025‑61882 patch and Linux kernel updates for systems exposed to untrusted users.
  • Inventory legacy browsers and IE/ActiveX dependencies; plan for removal or isolation.
  • Harden endpoints and server privilege models to reduce the blast radius of LPEs like CVE‑2021‑43226.
  • Deploy detection: ingest Oracle and vendor IOCs, and add network/web gateway signatures that catch known exploit payloads.
  • Segment and block: place high‑value applications (EBS, document servers) behind firewalls and WAFs; restrict access to trusted networks only.
  • Document and report: federal agencies must report per BOD 22‑01 timelines; private organizations should replicate similar SLAs internally.

Final assessment and risk outlook

CISA’s KEV additions are a reminder that the attack surface is both historical and contemporary: adversaries will continue to exploit old vulnerabilities when they find unpatched systems, and they will rapidly weaponize new enterprise flaws. The recent inclusion of CVE‑2025‑61882 (Oracle E‑Business Suite) alongside aged but still‑dangerous issues illustrates this duality. For defenders, the practical takeaway is simple and unforgiving: inventory, patch, isolate, and monitor — and treat KEV entries as immediate, high‑priority tasks that should influence corporate patch SLOs and incident response plans.
KEV turns intelligence into action. Those responsible for enterprise security must ensure their vulnerability management processes are equally operationalized: short remedial windows, automated discovery and patching pipelines, and the ability to hunt rapidly when an asset can’t be patched immediately. The cost of inaction — whether from operational inertia, legacy dependencies, or neglect — is no longer hypothetical.

Source: CISA, "CISA Adds Seven Known Exploited Vulnerabilities to Catalog"