The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including critical flaws in Oracle E-Business Suite (EBS) and Microsoft Windows SMB Client. Among these, CVE-2025-61884 and CVE-2025-61882 in Oracle EBS have been actively exploited in the wild, with attackers leveraging these vulnerabilities to gain unauthorized access and execute arbitrary code on affected systems. The exploitation of these flaws has led to significant breaches, including confirmed incidents at Harvard University and Envoy Air, the latter being tied to the Clop ransomware gang. Security researchers have highlighted that the Oracle EBS vulnerabilities are remotely exploitable without authentication, making them particularly dangerous for organizations with exposed instances. The vulnerabilities have enabled attackers to obtain interactive access to critical business applications, exfiltrate sensitive data, and potentially deploy ransomware. The attacks have been facilitated by public proof-of-concept exploits that were available before Oracle released emergency patches, leaving a window of opportunity for threat actors. The widespread use of Oracle EBS across sectors such as finance, healthcare, education, and government has amplified the impact, with many organizations potentially unaware of compromises that occurred during the zero-day period. CISA’s inclusion of these vulnerabilities in the KEV Catalog mandates that Federal Civilian Executive Branch (FCEB) agencies remediate the flaws by a specified deadline, but the agency strongly urges all organizations to prioritize patching. The incidents have also exposed issues with vendor guidance, as conflicting deployment recommendations from Oracle left some enterprises unnecessarily exposed to attack. The Microsoft Windows SMB Client vulnerability (CVE-2025-33073), also added to the KEV Catalog, allows privilege escalation and is being actively exploited, affecting all supported Windows versions. The addition of these vulnerabilities to the KEV Catalog underscores the ongoing risk posed by unpatched systems and the need for robust vulnerability management practices. Security experts warn that the scalable nature of these attacks, particularly those targeting shared enterprise platforms, highlights the growing threat of supply chain compromises. The events have prompted calls for improved security hygiene, including restricting internet exposure of critical applications and ensuring timely application of security patches. The breaches and subsequent disclosures serve as a stark reminder of the evolving tactics of ransomware groups and the persistent threat posed by zero-day vulnerabilities in widely used enterprise software.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
By Oct. 24, security researchers had published deeper technical analysis of CVE-2025-61882, including exploit chains involving SyncServlet and UiServlet abuse, post-compromise web shell deployment, and extortion-driven data theft. Some activity was attributed to the financially motivated group GRACEFUL SPIDER, while other reporting linked the campaign to Clop-associated operations.
CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalog on Oct. 20, including the Oracle E-Business Suite flaw and a high-severity Windows SMB vulnerability. The action reflected confirmed in-the-wild exploitation and triggered federal remediation requirements under BOD 22-01.
Envoy Air confirmed on Oct. 17 that it was compromised in the Oracle E-Business Suite zero-day attacks. Researchers linked the activity to the Clop ransomware ecosystem, making Envoy Air the second publicly disclosed victim in the campaign.
Harvard University publicly disclosed on Oct. 13 that it had been affected in the Oracle E-Business Suite zero-day incident. This was the first public victim disclosure tied to the broader campaign.
Oracle issued an emergency fix for the Oracle E-Business Suite vulnerability later tracked as CVE-2025-61882. Reporting indicates public proof-of-concept exploit code appeared shortly before Oracle's patch release.
Researchers reported suspicious activity and likely exploitation of Oracle E-Business Suite CVE-2025-61882 before Oracle publicly disclosed the issue. The flaw was described as a low-complexity, unauthenticated remote code execution bug that may have been exploitable for nearly three months before a patch became available.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
8 references tracked. Mallory keeps watching after this page renders.
centripetal.ai
Open sourcethecyberthrone.in
Open sourcehackread.com
Open sourcethehackernews.com
Open sourcecisa.gov
Open sourcedarkreading.com
Open sourcebleepingcomputer.com
Open sourcescworld.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.