CISA Adds Multiple Actively Exploited Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog by adding seven high-impact vulnerabilities that are currently being exploited in the wild. This update includes critical flaws affecting Oracle E-Business Suite, Mozilla Firefox, Thunderbird, SeaMonkey, Microsoft Windows, Microsoft Internet Explorer, the Linux Kernel, and Microsoft Windows privilege escalation mechanisms. Among the most severe is CVE-2025-61882, a remotely exploitable vulnerability in Oracle E-Business Suite’s BI Publisher Integration, which allows unauthenticated attackers to compromise the Oracle Concurrent Processing component via HTTP. This flaw, rated CVSS 9.8, has been actively exploited in ransomware campaigns, notably by the Cl0p ransomware group, leading to data theft and potential remote code execution. Oracle responded by releasing an emergency patch for affected versions 12.2.3 through 12.2.14, and organizations are urged to apply this fix immediately and monitor for suspicious HTTP traffic targeting BI Publisher endpoints.

Another addition, CVE-2010-3765, is a memory corruption vulnerability in Mozilla products, including Firefox, Thunderbird, and SeaMonkey, which can be exploited via JavaScript to execute arbitrary code. This flaw has been leveraged by the "Belmoo" malware in real-world attacks. Microsoft vulnerabilities added to the catalog include CVE-2011-3402, a TrueType font parsing flaw in the Windows kernel (win32k.sys) that enables remote code execution through malicious font files, and CVE-2010-3962, an uninitialized memory corruption issue in Internet Explorer. CVE-2013-3918, another Microsoft Windows vulnerability, was originally used in the 2009 Aurora attack and later repurposed by the EQUATION group to target government users in Afghanistan. The Linux Kernel vulnerability CVE-2021-22555, a heap out-of-bounds write, and CVE-2021-43226, a Windows privilege escalation flaw, are also included due to their active exploitation and potential for significant impact.

CISA’s KEV catalog serves as a critical resource for organizations, highlighting vulnerabilities that require urgent attention due to their exploitation in real-world attacks. Federal agencies are mandated to address these vulnerabilities within a defined timeframe under Binding Operational Directive (BOD) 22-01. The inclusion of both recent and older vulnerabilities underscores the persistent risk posed by unpatched systems, as threat actors continue to exploit legacy flaws alongside newly discovered ones. Security experts emphasize the importance of immediate patching, robust monitoring, and comprehensive vulnerability management to mitigate the risks associated with these actively exploited vulnerabilities. The update reflects ongoing efforts by CISA to enhance the security posture of federal and enterprise environments by ensuring that known exploited vulnerabilities are promptly addressed. Organizations are advised to review the KEV catalog regularly, prioritize remediation of listed vulnerabilities, and implement additional security controls where patching is not immediately feasible. The addition of these vulnerabilities highlights the evolving threat landscape and the need for continuous vigilance against both new and longstanding security weaknesses. CISA’s proactive approach aims to reduce the attack surface and limit the opportunities for threat actors to compromise critical infrastructure. The agency’s guidance is particularly relevant for entities operating Oracle E-Business Suite, Microsoft products, and Linux systems, given the active exploitation of these platforms. The KEV catalog update serves as a call to action for all organizations to assess their exposure and take decisive steps to protect their assets from ongoing cyber threats.