The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog — an explicit signal that these flaws are being used in real-world attacks and should be prioritized for remediation.

Below is a concise, practitioner-focused briefing on what was added, why it matters, and how to respond.

Oracle E-Business Suite SSRF — CVE-2025–61884

A critical server-side request forgery (SSRF) flaw in Oracle E-Business Suite's Configurator/Runtime component is now confirmed as exploited. The bug is remotely exploitable without authentication and can be used to coerce the application server into reaching internal services or metadata endpoints.

Why it matters: SSRF remains one of the most powerful exploitation techniques for lateral movement and internal data access. In Oracle E-Business Suite — often the backbone of core financial and operational workflows — the impact can be severe. The timing is notable, too: Oracle has been under fire in recent weeks for a string of high-impact flaws across its enterprise software portfolio, raising fresh concerns about patch cadence and internal code review practices.

What to do: Apply Oracle's latest security patches immediately across all EBS environments and validate that no administrative or configuration interfaces are exposed to the internet. Given the heightened scrutiny and active exploitation reports, security teams should also review historical logs for potential SSRF activity or unauthorized outbound requests.

Microsoft Windows SMB Client Privilege Escalation — CVE-2025–33073

This issue in the Windows SMB Client stems from improper access control and can enable privilege escalation once an attacker has local or network-adjacent footholds. SMB remains a common pathway for lateral movement in enterprise networks.

Why it matters: Attackers can chain this with initial access vectors to escalate privileges and expand reach across shares, workstations, and file servers.

What to do: Confirm the June 2025 Microsoft fixes are deployed everywhere (including VDI and lab images). Increase detection around anomalous SMB client behavior and suspicious token or ACL changes.

Kentico Xperience CMS Authentication Bypasses — CVE-2025–2746 & CVE-2025–2747

Two flaws in Kentico Xperience's Staging Sync Server allow attackers to sidestep authentication entirely — one via digest handling of empty SHA-1 usernames, the other via handling of a "None" password type.

Why it matters: Staging systems are often less monitored, yet directly influence content pipelines. A bypass here can translate to administrative takeover, content tampering, or backdoor placement that later propagates to production.

What to do: Apply Kentico's March 2025 fixes, restrict staging exposure, and enforce strong auth on synchronization endpoints. Add targeted detection for abnormal sync operations.

Apple JavaScriptCore Remote Code Execution — CVE-2022–48503

An older WebKit JavaScriptCore flaw resurfaces in the wild. Crafted web content can trigger arbitrary code execution on unpatched iOS and macOS devices.

Why it matters: The KEV addition underscores a persistent trend: "fixed" does not mean "gone" if legacy or unmanaged devices remain. Mobile fleets and BYOD programs are particularly exposed to outdated browsers and OS versions.

What to do: Re-baseline Apple device patch status — including long-lived kiosks and specialty endpoints — and block outdated WebKit where feasible. Monitor for browser exploitation telemetry.

Key Themes from the October 20 KEV Update

  • Old bugs remain lucrative: Years-old code paths (Apple JavaScriptCore) are still viable for threat actors when patch coverage lags.
  • Staging and integration paths are targets: The Kentico cases highlight how attackers exploit lower-visibility environments to gain durable access.
  • Internal pivot is the goal: SSRF in Oracle EBS and privilege issues in SMB clients map cleanly to lateral movement, credential access, and data theft.
  • KEV equals confirmed exploitation: Once CISA lists a CVE, treat it as an active risk, not a theoretical concern.

What Security Teams Should Do Now

Prioritize patching and hardening in environments running Oracle EBS, Windows with SMB Client exposure, Kentico Xperience, and Apple platforms that may be lagging on updates. Pair remediation with targeted detection rules, attack-surface reduction (e.g., removing public exposure of staging and admin paths), and explicit monitoring for SSRF indicators and anomalous SMB behavior.