The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added fifteen newly verified exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog throughout October 2025, highlighting a surge in threat actor activity across both legacy systems and modern enterprise software. The expanded list includes flaws affecting high-use platforms like Microsoft Windows, Oracle E-Business Suite, Apple products, and widely deployed appliances like Juniper ScreenOS and Cisco ASA.
This wave of updates underscores the criticality of monitoring the KEV Catalog for timely vulnerability remediation—especially for federal agencies, which are mandated to patch listed vulnerabilities within defined time frames. Private sector organizations are also strongly advised to assess their exposure and implement risk mitigation measures.
CISA Adds 15 Vulnerabilities in October Based on Active Exploitation Evidence
CISA’s KEV Catalog additions throughout October 2025 span a wide range of CVEs, many of which enable common attack vectors like remote code execution (RCE), privilege escalation, and command injection. These exploit types continue to be favored by cybercriminals and advanced persistent threat (APT) groups targeting unpatched infrastructure.
October 2 Additions Target Weak Authentication and Code Execution Paths
On October 2, CISA added five vulnerabilities involving legacy authentication flaws and arbitrary code execution through common platforms.
- CVE-2014-6278: Command injection vulnerability in GNU Bash, known for being part of the wider “Shellshock” vulnerability set.
- CVE-2015-7755: Improper authentication mechanism in Juniper ScreenOS software.
- CVE-2017-1000353: RCE vulnerability in Jenkins, which remains widely used in CI/CD pipelines.
- CVE-2025-4008: Command injection in Smartbedded Meteobridge, a weather data gateway.
- CVE-2025-21043: Memory corruption via out-of-bounds write in Samsung mobile devices.
These entries illustrate the lingering risk posed by legacy components that remain deployed in production environments.
October 9 Confirmation Reinforces Earlier Additions
These same five vulnerabilities were reiterated in an October 9 update, further affirming CISA’s assessment based on intelligence correlating threat actor activity to these flaws.
October 14 Catalog Expansion Includes Rapid7 Velociraptor and Microsoft Windows
CISA addressed more contemporary platforms in its mid-October announcement by adding five newly exploited vulnerabilities:
- CVE-2016-7836: SKYSEA Client View improper authentication vulnerability.
- CVE-2025-6264: File permission misconfiguration in Rapid7 Velociraptor, an endpoint visibility framework.
- CVE-2025-24990 and CVE-2025-59230: Microsoft Windows vulnerabilities linked to pointer dereferencing and access control failures, respectively.
- CVE-2025-47827: Use of an expired cryptographic key in IGEL OS, a Linux-based thin client system.
These vulnerabilities demonstrate attackers’ preference for low-hanging fruit such as misconfigurations, lapsed cryptographic hygiene, and default setups.
October 20 Updates Focus on Enterprise Software and Zero-Day Style Issues
On October 20, the KEV Catalog was expanded with two sets of additions. The first focused on high-risk vulnerabilities in software from Apple, Oracle, Kentico, and Microsoft:
- CVE-2022-48503: Unspecified Apple vulnerability with an 8.8 CVSS score, assumed to allow arbitrary code execution via crafted web content.
- CVE-2025-2746 and CVE-2025-2747: Separate authentication bypass issues in Kentico Xperience Staging Sync Server using insecure password types.
- CVE-2025-33073: Microsoft SMB Client improper access control.
- CVE-2025-61884: Server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite.
All five are now confirmed to be in active use by attackers. Federal agencies have been given a patch deadline of November 10, 2025.
Another October 20 bulletin added the following:
- CVE-2014-2120: Cross-site scripting (XSS) in Cisco ASA appliances.
- CVE-2021-41277: Local file inclusion vulnerability in Metabase’s GeoJSON API.
- CVE-2024-43451: NTLMv2 credential hash leakage in Microsoft Windows.
- CVE-2024-49039: Privilege escalation via Task Scheduler in Windows, also added in the same advisory.
- CVE-2021-26086: Path traversal vulnerability in Atlassian Jira Server and Data Center installations.
These vulnerabilities enable lateral movement and privilege escalation across enterprise infrastructure, and all are already documented as exploited in the wild.
Additional High-Severity Vulnerabilities Add Weight to KEV Threat Profile
Earlier in the year, CISA had also added CVE-2024-48248, an absolute path traversal issue affecting NAKIVO Backup & Replication versions prior to 10.11.3.86570. The flaw allows unauthenticated attackers to read sensitive system files, like `/etc/shadow`.
This entry, although predating the October disclosures, continues to hold relevance given the widespread deployment of vulnerable versions in data protection environments.
Defensive Implications for Federal and Private Sector Organizations
With each addition to the KEV Catalog backed by verified evidence of exploitation, CISA mandates remediation timelines for federal systems and strongly urges private sector counterparts to take immediate action. Key mitigation steps include:
- Prioritizing patch deployment for all software affected by listed CVEs.
- Implementing compensating controls (e.g., disabling vulnerable services, adding firewall rules) if immediate patching is not possible.
- Monitoring for indicators of compromise (IOCs) associated with these vulnerabilities.
Given the criticality of many issues—like CVE-2025-61884 in Oracle E-Business Suite (SSRF) and CVE-2025-33073 in SMB Client (improper access control)—CISOs and SOC teams need to treat KEV-listed flaws as live threats, not theoretical risks.
“These vulnerabilities represent the ones most frequently used in adversarial campaigns,” CISA warned. “Reducing exposure to these flaws significantly enhances an organization’s security posture.”
As KEV Catalog entries continue to grow, enterprises should adopt continuous vulnerability intelligence programs that ingest CISA advisories and automate remediation workflows wherever possible. The ever-expanding variety of exploited vulnerabilities—from web application flaws and OS bugs to outdated cryptographic keys—makes it clear: no class of software is being overlooked by today’s attackers.
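One way to start the ingestion and prioritization workflow described above, as an added example rather than anything from CISA or this article: parse a KEV-format feed, match entries against a local software inventory, and bucket them by remediation deadline. The field names follow CISA's published KEV JSON feed; the sample entries, the inventory and the Bash due date are constructed for illustration (the November 10, 2025 deadline is the one this article reports).

```python
"""Triage CISA KEV catalog entries against a local software inventory."""
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the entries are illustrative and the Bash dueDate is a made-up value.
SAMPLE_KEV_JSON = """{
 "title": "CISA Catalog of Known Exploited Vulnerabilities",
 "vulnerabilities": [
  {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
   "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-33073", "vendorProject": "Microsoft", "product": "Windows",
   "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2014-6278", "vendorProject": "GNU", "product": "Bash",
   "dateAdded": "2025-10-02", "dueDate": "2025-10-23", "knownRansomwareCampaignUse": "Known"}
 ]}"""

# Constructed inventory: (vendor, product) pairs an asset management system might report.
INVENTORY = [("Oracle", "E-Business Suite"), ("Microsoft", "Windows")]


def matches_inventory(entry, inventory):
    """Case-insensitive substring match of a KEV entry against (vendor, product) pairs."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return any(v.lower() in vendor and p.lower() in product for v, p in inventory)


def triage(kev_json, inventory, today, soon_days=14):
    """Bucket KEV entries by urgency relative to `today`; returns {bucket: [cveID, ...]}."""
    buckets = {"overdue": [], "due_soon": [], "scheduled": [], "not_in_inventory": []}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if not matches_inventory(entry, inventory):
            buckets["not_in_inventory"].append(entry["cveID"])
            continue
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            buckets["overdue"].append(entry["cveID"])
        elif due <= today + timedelta(days=soon_days):
            buckets["due_soon"].append(entry["cveID"])
        else:
            buckets["scheduled"].append(entry["cveID"])
    return buckets


if __name__ == "__main__":
    # Run as of an assumed review date; swap in date.today() for live use.
    for bucket, cves in triage(SAMPLE_KEV_JSON, INVENTORY, date(2025, 11, 3)).items():
        print(f"{bucket:>17}: {', '.join(cves) or '-'}")
```

Replacing SAMPLE_KEV_JSON with the downloaded feed and INVENTORY with a real asset export turns this into a daily check that flags KEV-listed software before its deadline passes.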