CISA adds five known exploited vulnerabilities to catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has incorporated five newly identified vulnerabilities, confirmed to be actively exploited, into its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities affect products and services from multiple vendors and pose risks related to authentication bypass and server-side request forgery.

The vulnerabilities include CVE-2022-48503, which involves unspecified security issues across several Apple products. Two vulnerabilities in Kentico Xperience Staging Sync server are identified: CVE-2025-2746, a digest password authentication bypass, and CVE-2025-2747, involving bypass of authentication due to missing password type. Microsoft Windows Server Message Block (SMB) client faces an improper access control vulnerability tracked as CVE-2025-33073. Additionally, Oracle E-Business Suite is affected by a server-side request forgery issue, recorded as CVE-2025-61884.

These security flaws have been actively exploited by malicious actors and represent ongoing risks to the federal ecosystem. Their inclusion in the catalog flags them as threats that require remediation to maintain network security.

CISA references Binding Operational Directive (BOD) 22-01, which mandates federal civilian executive branch agencies to address vulnerabilities listed in the KEV Catalog by specified deadlines to mitigate active exploitation risks. This directive establishes the KEV Catalog as a dynamic resource containing Common Vulnerabilities and Exposures (CVE) with confirmed threats.

While BOD 22-01 applies specifically to federal agencies, CISA encourages all organizations to align their vulnerability management practices by prioritizing remediation of vulnerabilities listed in the KEV Catalog. The agency commits to ongoing updates to the catalog as new qualifying vulnerabilities are identified according to established criteria.
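The practical step behind this guidance is to cross-reference the published KEV feed against your own asset inventory and work the matches in due-date order. The following is an added example, not CISA's code: it parses a feed excerpt laid out like CISA's KEV JSON (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), matches entries to a small inventory, and reports which findings are past their BOD 22-01 deadline. The CVE IDs, vendors and products are the ones named above; the dates, the ransomware flags, the vulnerability names and the inventory hosts are constructed placeholders, not CISA's values.

```python
"""Match a KEV catalog feed against an asset inventory and flag overdue items."""
import json

# Constructed feed excerpt in the layout of CISA's KEV JSON. The CVE IDs,
# vendors and products come from the article; dateAdded, dueDate and the
# ransomware flag are placeholder values chosen for this example only.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example-excerpt",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
         "vulnerabilityName": "Oracle E-Business Suite Server-Side Request Forgery (constructed name)",
         "dateAdded": "2025-10-13", "dueDate": "2025-11-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-48503", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "Apple Multiple Products Unspecified Vulnerability (constructed name)",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-2746", "vendorProject": "Kentico", "product": "Xperience",
         "vulnerabilityName": "Kentico Xperience Staging Sync Server Digest Password Authentication Bypass (constructed name)",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-2747", "vendorProject": "Kentico", "product": "Xperience",
         "vulnerabilityName": "Kentico Xperience Staging Sync Server Missing Password Type Authentication Bypass (constructed name)",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-33073", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows SMB Client Improper Access Control (constructed name)",
         "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: hostnames and vendor/product pairs are placeholders.
INVENTORY = [
    {"host": "ws-0142", "vendor": "Microsoft", "product": "Windows 11"},
    {"host": "erp-prod-01", "vendor": "Oracle", "product": "E-Business Suite"},
    {"host": "cms-stage-02", "vendor": "Kentico", "product": "Xperience"},
    {"host": "mac-dev-07", "vendor": "Apple", "product": "macOS"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def load_kev(feed_text: str) -> dict[str, dict]:
    """Parse the feed and index its entries by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def is_listed(kev: dict[str, dict], cve_id: str) -> bool:
    """True when the CVE appears in the loaded catalog."""
    return cve_id in kev


def _product_matches(kev_product: str, inventory_product: str) -> bool:
    # CISA uses "Multiple Products" for vendor-wide entries; treat that as a
    # match for any product of that vendor. Otherwise compare case-insensitively
    # in either direction so "Windows" matches an inventory row of "Windows 11".
    if kev_product == "Multiple Products":
        return True
    a, b = kev_product.lower(), inventory_product.lower()
    return a in b or b in a


def match_inventory(kev: dict[str, dict], inventory: list[dict]) -> list[dict]:
    """Return one finding per (host, CVE) pair, ordered by due date, then by
    known ransomware use, then host and CVE for a stable work queue."""
    findings = []
    for asset in inventory:
        for entry in kev.values():
            if entry["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if not _product_matches(entry["product"], asset["product"]):
                continue
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],            # ISO dates sort lexically
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    return sorted(findings, key=lambda f: (f["dueDate"], not f["ransomware"], f["host"], f["cveID"]))


def overdue(findings: list[dict], today_iso: str) -> list[dict]:
    """Findings whose BOD 22-01 due date has already passed on the given day."""
    return [f for f in findings if f["dueDate"] < today_iso]


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED_JSON)
    queue = match_inventory(catalog, INVENTORY)
    for f in queue:
        print(f"{f['dueDate']}  {f['host']:14} {f['cveID']}")
    print("overdue on 2025-11-05:", [f["host"] for f in overdue(queue, "2025-11-05")])
```

To use this against the live catalog, replace `KEV_FEED_JSON` with the body fetched from CISA's published JSON feed and `INVENTORY` with an export from your CMDB; the matching is deliberately loose (substring on product) so that it over-reports rather than silently misses a host, and any match should be confirmed against the installed version before closing it.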