CISA adds Oracle and other flaws to exploited vulnerabilities catalog

October 08, 2025
Reported by AI

The U.S. Cybersecurity and Infrastructure Security Agency has added vulnerabilities from Oracle, Mozilla, Microsoft Windows, the Linux Kernel, and Microsoft Internet Explorer to its Known Exploited Vulnerabilities catalog. This action requires federal agencies to address these flaws by October 27, 2025, to mitigate the risk from active exploitation. Among the additions is a critical Oracle vulnerability recently patched after exploitation by ransomware actors.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) catalog by including seven specific flaws affecting various software products. These additions encompass vulnerabilities in Oracle E-Business Suite, Mozilla products, Microsoft Windows, Linux Kernel, and Microsoft Internet Explorer.

The listed vulnerabilities are:
- CVE-2010-3765: Mozilla Multiple Products Remote Code Execution Vulnerability
- CVE-2010-3962: Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
- CVE-2011-3402: Microsoft Windows Remote Code Execution Vulnerability
- CVE-2013-3918: Microsoft Windows Out-of-Bounds Write Vulnerability
- CVE-2021-22555: Linux Kernel Heap Out-of-Bounds Write Vulnerability
- CVE-2021-43226: Microsoft Windows Privilege Escalation Vulnerability
- CVE-2025-61882: Oracle E-Business Suite Unspecified Vulnerability

A notable entry is CVE-2025-61882, a critical flaw with a CVSS score of 9.8 in Oracle E-Business Suite versions 12.2.3 through 12.2.14, specifically in the BI Publisher Integration component of Oracle Concurrent Processing. This week, Oracle issued an emergency patch for it. The vulnerability allows unauthenticated remote attackers to take control of the affected system over HTTP and has been exploited by the Cl0p ransomware group in data theft attacks. Experts describe it as easily exploitable.

Some added flaws are notably old, such as CVE-2013-3918, which dates back to 2013. This vulnerability was initially used by the advanced persistent threat group responsible for the 2009 Aurora attack. In 2015, Kaspersky reported that the nation-state actor known as the Equation group had captured and repurposed the exploit to target government users in Afghanistan.

Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies must remediate these KEV catalog vulnerabilities by the specified due dates to safeguard their networks. CISA has set October 27, 2025, as the deadline for federal agencies to fix them. Security experts urge private organizations to review the catalog and patch affected systems promptly to prevent similar exploitation.
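As an added illustration of the remediation-tracking step described above (not code from CISA or the article), the following script reads entries in the shape of CISA's KEV JSON feed, keeps only those matching an organization's vendor/product inventory, and buckets them by how close their BOD 22-01 due date is; the feed sample is constructed inline, and the inventory and the 14-day warning window are assumptions.

```python
"""Triage KEV feed entries against BOD 22-01 due dates for an organization's inventory."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed ("vulnerabilities" array).
# CVE IDs and the 2025-10-27 due date come from the article; everything else is illustrative.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
         "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2013-3918", "vendorProject": "Microsoft", "product": "Windows",
         "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-22555", "vendorProject": "Linux", "product": "Kernel",
         "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    ]
})


def load_kev(text):
    """Parse the KEV feed JSON and return the list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def matches_inventory(entry, inventory):
    """True when the entry's vendor/product pair appears in the inventory (case-insensitive)."""
    key = (entry["vendorProject"].lower(), entry["product"].lower())
    return key in {(v.lower(), p.lower()) for v, p in inventory}


def triage(entries, inventory, today, window_days=14):
    """Bucket in-scope entries as overdue, due within the window, or later.

    Entries flagged in the feed as used in ransomware campaigns are listed separately,
    since those warrant priority regardless of the remaining time.
    """
    report = {"overdue": [], "due_soon": [], "later": [], "ransomware": []}
    for entry in entries:
        if not matches_inventory(entry, inventory):
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            report["overdue"].append(entry["cveID"])
        elif days_left <= window_days:
            report["due_soon"].append(entry["cveID"])
        else:
            report["later"].append(entry["cveID"])
        if entry.get("knownRansomwareCampaignUse") == "Known":
            report["ransomware"].append(entry["cveID"])
    return report


if __name__ == "__main__":
    # Assumed inventory: the organization runs Oracle EBS and Linux, but not Windows.
    print(triage(load_kev(SAMPLE_KEV_JSON), {("Oracle", "E-Business Suite"), ("Linux", "Kernel")}, date(2025, 10, 20)))
```

In practice the same logic is run over the live feed and a real asset inventory, and the "overdue" bucket is what an auditor checks against BOD 22-01.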