Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five CVEs to its Known Exploited Vulnerabilities (KEV) catalog today, including Microsoft, Apple and Oracle vulnerabilities. The vulnerabilities flagged by CISA include:

* CVE-2022-48503, an 8.8-severity vulnerability in multiple Apple products that could lead to arbitrary code execution when processing web content. The issue was addressed with improved bounds checks.
* CVE-2025-33073, an 8.8-rated Microsoft Windows SMB Client Improper Access Control vulnerability that Microsoft had labeled as less likely to be exploited in its June Patch Tuesday update.
* CVE-2025-61884, a 7.5-severity Oracle E-Business Suite Server-Side Request Forgery (SSRF) vulnerability for which Oracle issued an emergency patch on October 11.
* CVE-2025-2746 and CVE-2025-2747, both 9.8-rated password authentication bypass issues in Kentico Xperience Staging Sync Server.

Oracle Vulnerabilities Under Attack

CISA doesn’t provide details on how vulnerabilities are being exploited, but the October 11 announcement of the Oracle E-Business Suite CVE-2025-61884 vulnerability followed an ongoing campaign by the CL0P ransomware group to exploit CVE-2025-61882, a 9.8-severity remote code execution (RCE) flaw in Oracle E-Business Suite that had reportedly been exploited since at least August 9, with “suspicious activity” observed a month before that. CISA added CVE-2025-61882 to its KEV catalog on October 6.

According to Google Threat Intelligence, CVE-2025-61882 was weaponized by the CL0P ransomware group in a widespread extortion campaign that included a high volume of emails sent to executives at numerous organizations, claiming the theft of sensitive data from the victims’ Oracle E-Business Suite environments.
CL0P (aka CLOP) has since claimed at least four victims from the Oracle campaign on its Tor data leak site: Harvard University, American Airlines’ Envoy Air subsidiary, and two additional victims that remain unconfirmed. The Scattered LAPSUS$ Hunters threat group posted proof-of-concept (PoC) exploit code for CVE-2025-61882 to its Telegram channel on October 3, claiming that it, not CL0P, had originated the exploit, according to Cyble dark web researchers; that PoC release preceded Oracle’s patch for CVE-2025-61882 by one day.

Microsoft CVE-2025-33073 Vulnerability Discovered by 8 Researchers

At the time of the June Patch Tuesday update, Microsoft credited eight researchers with discovering CVE-2025-33073: Keisuke Hirata of CrowdStrike, Wilfried Bécard of Synacktiv, Cameron Stish of GuidePoint Security, Ahamada M'Bamba of BNP Paribas, Stefan Walter and Daniel Isern of SySS GmbH, RedTeam Pentesting GmbH, and James Forshaw of Google Project Zero. Stish’s GuidePoint blog post on CVE-2025-33073 provides useful background on the vulnerability.

According to Microsoft, an attacker who successfully exploited the vulnerability could gain SYSTEM privileges. When multiple attack vectors can be used, Microsoft assigns a score based on the scenario with the highest risk. In one scenario for this vulnerability, Microsoft said an attacker could convince a victim to connect to an attacker-controlled malicious application server, such as an SMB server. “Upon connecting, the malicious server could compromise the protocol,” Microsoft said. “To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate,” Microsoft said. “This could result in elevation of privilege.”
Analysis Summary
# Vulnerability: CISA KEV Additions (Microsoft, Oracle Mentions)
This summary focuses on the CVEs mentioned in connection with the CISA KEV catalog additions, specifically detailing the Microsoft and Oracle vulnerabilities referenced in the text snippet.
## CVE Details
* **CVE ID:** CVE-2025-61882 (Oracle)
* **CVE ID:** CVE-2025-33073 (Microsoft)
* **Severity:** 9.8 for CVE-2025-61882 and 8.8 for CVE-2025-33073, as stated in the report above (the CVSS version is not given).
* **CWE:** Not specified.
## Affected Systems
* **Products:** Oracle E-Business Suite (CVE-2025-61882, see the linked Oracle security alert) and the Microsoft Windows SMB Client (CVE-2025-33073).
* **Versions:** Not specified.
* **Configurations:** For CVE-2025-33073, exploitation requires an attacker to convince a victim to connect to a malicious application server (e.g., SMB server), which then coerces the victim machine to connect back using SMB for authentication.
## Vulnerability Description
**CVE-2025-61882 (Oracle):** A 9.8-severity remote code execution flaw in Oracle E-Business Suite. The report gives no further technical details beyond the existence of a vendor patch and the PoC release by the Scattered LAPSUS$ Hunters group one day before that patch.
**CVE-2025-33073 (Microsoft):** This vulnerability allows a successful exploitation to result in the attacker gaining **SYSTEM privileges**. The attack involves using a specially crafted malicious script to coerce a victim machine to connect back to an attacker-controlled SMB server, leading to an elevation of privilege upon authentication.
## Exploitation
* **Status (CVE-2025-61882):** Exploited in the wild (reportedly by CL0P since at least August 9); the PoC release preceded the vendor patch, and CISA added the CVE to KEV on October 6.
* **Status (CVE-2025-33073):** Added to the CISA KEV catalog, which indicates evidence of active exploitation; the report gives no details of how it is being exploited.
* **Complexity (CVE-2025-33073):** Medium/High implied, as it requires social engineering (convincing a victim to connect) followed by protocol manipulation.
* **Attack Vector:** Likely Network/Adjacent, given the SMB/server interaction described for the Microsoft flaw.
## Impact
* **Confidentiality:** High (SYSTEM privilege escalation typically grants full access).
* **Integrity:** High (SYSTEM privilege escalation).
* **Availability:** Potentially High (SYSTEM compromise can lead to system disruption).
## Remediation
### Patches
* **CVE-2025-61882 (Oracle):** A patch is available (referenced via `oracle.com/security-alerts/alert-cve-2025-61882.html`).
* **CVE-2025-33073 (Microsoft):** Patched via the June Patch Tuesday update.
### Workarounds
* No specific workarounds are mentioned in the provided text.
## Detection
* **Indicators of Compromise:** No specific IoCs are given. For the Microsoft SMB coercion attack, a useful indicator is an unusual SMB connection initiated by a user endpoint toward an external or otherwise unexpected SMB server.
* **Detection Methods and Tools:** Network monitoring capable of inspecting SMB protocol negotiation and connection origins is suggested for CVE-2025-33073.
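The following is an added detection example, not code from CISA, Microsoft or GuidePoint, that applies the indicator above to flow-log lines: it flags SMB (TCP/445) connections initiated by workstations to any server that is not an approved file server, distinguishing external destinations from unapproved internal ones. The log format, the workstation subnet 10.10.0.0/16, the approved server 10.20.0.5 and the sample lines are all constructed assumptions.

```python
import ipaddress

# Assumed (constructed) environment: workstations in 10.10.0.0/16, RFC1918
# ranges count as internal, one approved file server. Use your own inventory.
WORKSTATION_NET = ipaddress.ip_network("10.10.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_SMB_SERVERS = {ipaddress.ip_address("10.20.0.5")}
SMB_PORT = 445

def parse_line(line):
    """Assumed format: ts src_ip src_port dst_ip dst_port proto action.
    Returns (ts, src, dst, dport, proto) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[3]), int(parts[4]), parts[5].lower())
    except ValueError:
        return None

def classify(ts, src, dst, dport, proto):
    """Flag SMB initiated by a workstation to a non-approved server; only the
    client-initiated direction matters, so server replies and non-SMB are skipped."""
    if proto != "tcp" or dport != SMB_PORT or src not in WORKSTATION_NET:
        return None
    if dst in APPROVED_SMB_SERVERS:
        return None
    if any(dst in net for net in INTERNAL_NETS):
        return (ts, str(src), str(dst), "smb_to_unapproved_internal_host")
    return (ts, str(src), str(dst), "smb_to_external_host")

def find_suspicious_smb(lines):
    """Run classify() over raw log lines and collect (ts, src, dst, reason) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and (f := classify(*rec)) is not None:
            findings.append(f)
    return findings

SAMPLE_LOG = """\
2025-10-21T09:01:02Z 10.10.4.12 50112 10.20.0.5 445 tcp allow
2025-10-21T09:01:09Z 10.10.4.12 50113 203.0.113.7 445 tcp allow
2025-10-21T09:02:15Z 10.10.7.3 50220 10.10.7.99 445 tcp allow
2025-10-21T09:03:00Z 10.10.4.12 50300 203.0.113.7 443 tcp allow
2025-10-21T09:03:30Z 10.20.0.5 445 10.10.4.12 50112 tcp allow
not a log line
""".splitlines()  # constructed sample, not real traffic
```

Running `find_suspicious_smb(SAMPLE_LOG)` returns two findings: the workstation-to-external SMB attempt and the workstation-to-workstation one, while the approved-server session, the HTTPS flow and the server's reply are ignored.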
## References
* Oracle Security Alert for CVE-2025-61882: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
* GuidePoint Blog Post on CVE-2025-33073: https://www.guidepointsecurity.com/blog/the-birth-and-death-of-loopyticket/