U.S. CISA adds Oracle, Mozilla, Microsoft Windows, Linux Kernel, and Microsoft IE flaws to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog, adding flaws affecting products from Oracle, Mozilla, Microsoft (Windows and Internet Explorer), and the Linux Kernel. The KEV catalog lists only vulnerabilities with evidence of exploitation in the wild, so each addition signals that the flaw is already being used against real targets.

Details of the Vulnerabilities

The newly added vulnerabilities are as follows:

  • CVE-2010-3765: Mozilla Multiple Products Remote Code Execution Vulnerability
  • CVE-2010-3962: Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
  • CVE-2011-3402: Microsoft Windows Remote Code Execution Vulnerability
  • CVE-2013-3918: Microsoft Windows Out-of-Bounds Write Vulnerability
  • CVE-2021-22555: Linux Kernel Heap Out-of-Bounds Write Vulnerability
  • CVE-2021-43226: Microsoft Windows Privilege Escalation Vulnerability
  • CVE-2025-61882: Oracle E-Business Suite Unspecified Vulnerability

Among these, the vulnerability CVE-2025-61882 has garnered significant attention due to its critical nature, with a CVSS score of 9.8. Oracle has responded swiftly by releasing an emergency patch to mitigate this flaw, which was notably exploited by the Cl0p ransomware group in recent data theft incidents. This vulnerability allows unauthenticated remote attackers to gain control over the Oracle Concurrent Processing component, affecting versions 12.2.3 to 12.2.14 of the Oracle E-Business Suite. Experts caution that it can be easily exploited via HTTP.

Another noteworthy addition is CVE-2013-3918, a vulnerability that has a storied history. Initially leveraged by the APT group responsible for the 2009 Aurora attack, it was later repurposed by the EQUATION group to target government entities in Afghanistan, as revealed by Kaspersky in 2015. This highlights the enduring relevance of certain vulnerabilities in the ever-evolving landscape of cybersecurity threats.

In accordance with Binding Operational Directive (BOD) 22-01, which aims to reduce the significant risk posed by known exploited vulnerabilities, federal agencies are mandated to address these identified flaws by the deadline of October 27, 2025. This directive not only applies to government entities but also serves as a recommendation for private organizations to review the KEV catalog and fortify their infrastructure against potential exploits.
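Reviewing the KEV catalog in the way BOD 22-01 recommends usually means matching the feed against an asset inventory and working from the nearest due date. The following added example (not from the article or from CISA) does that over a constructed excerpt that mirrors the field names of CISA's published KEV JSON feed, using the seven CVE IDs and the October 27, 2025 due date reported above; the `INVENTORY` set and the excerpt itself are constructed sample data.

```python
import json
from datetime import date

# Constructed excerpt using the field names of CISA's public KEV JSON feed
# (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse). Only
# the article's seven entries appear, all with the BOD 22-01 due date it
# reports; the ransomware flag follows the article's Cl0p attribution.
KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2010-3765", "vendorProject": "Mozilla", "product": "Multiple Products",
     "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2010-3962", "vendorProject": "Microsoft", "product": "Internet Explorer",
     "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2011-3402", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2013-3918", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-22555", "vendorProject": "Linux", "product": "Kernel",
     "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-43226", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
     "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed asset inventory: (vendorProject, product) pairs actually deployed.
INVENTORY = {("Oracle", "E-Business Suite"), ("Linux", "Kernel"), ("Microsoft", "Windows")}


def kev_remediation_queue(kev_json, inventory, today_iso):
    """Return (cveID, days_until_due, ransomware_use) for deployed products,
    most urgent first; negative days mean the BOD 22-01 due date has passed."""
    today = date.fromisoformat(today_iso)
    deployed = {(v.lower(), p.lower()) for v, p in inventory}
    queue = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in deployed:
            continue
        due = date.fromisoformat(entry["dueDate"])
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        queue.append((entry["cveID"], (due - today).days, ransomware))
    # Earliest due date first; within a date, ransomware-linked entries first.
    queue.sort(key=lambda item: (item[1], not item[2], item[0]))
    return queue


if __name__ == "__main__":
    for cve, days, ransomware in kev_remediation_queue(KEV_EXCERPT, INVENTORY, "2025-10-20"):
        status = f"OVERDUE by {-days} day(s)" if days < 0 else f"{days} day(s) left"
        print(f"{cve:16} {status:22} {'ransomware' if ransomware else ''}")
```

Against the live feed, replace `KEV_EXCERPT` with the downloaded JSON and `INVENTORY` with the output of an asset management tool; the matching is deliberately on vendor and product only, so version-level exposure still has to be confirmed per host.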

As the cybersecurity landscape continues to evolve, the importance of vigilance and timely action cannot be overstated. The recent updates to the CISA’s KEV catalog serve as a crucial reminder for both public and private sectors to prioritize cybersecurity measures and protect their networks from emerging threats.
