CISA adds five actively exploited vulnerabilities to KEV catalog

Written by Field Effect Security Intelligence Team | Oct 21, 2025 8:53:46 PM

On October 20, 2025, the United States Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog with five new vulnerabilities, citing evidence of active exploitation.

Our security intelligence team has previously analyzed two of the new entries: CVE-2025-61884 affecting Oracle E-Business Suite and CVE-2025-33073 in the Microsoft Windows SMB (Server Message Block) client. Mitigations for these vulnerabilities can be found in their associated posts.

The other three entries are:

CVE-2022-48503

CVE-2022-48503 is a WebKit flaw that was addressed by Apple in July 2022 with updates to iOS 15.6, iPadOS 15.6, macOS Monterey 12.5, watchOS 8.7, tvOS 15.6, and Safari 15.6. The issue is in the JavaScriptCore component of WebKit, the browser engine used by Safari and embedded in Apple platforms.

The flaw also affects WebKit derivatives, WebKitGTK and WPE WebKit, which are used in Linux-based systems and embedded environments. These platforms patched the issue in version 2.38.0, released in September 2022.

CVE-2022-48503 arises from insufficient bounds checking when processing web content, which could lead to arbitrary code execution. A drive-by attack via a malicious web page could result in full compromise of the device, particularly on unpatched Apple devices or Linux systems running outdated WebKit builds.

The vulnerability was rated with a Common Vulnerability Scoring System (CVSS) score of 8.8.

CVE-2025-2746 and CVE-2025-2747

CVE-2025-2746 and CVE-2025-2747 affect Kentico Xperience, a widely used digital experience platform and content management system (CMS). The flaws reside in the Staging Sync Server, which facilitates content synchronization between environments. Unauthenticated users can send malicious requests to the sync endpoint and gain administrative control over the CMS. These vulnerabilities are remotely exploitable and do not require prior access or credentials.

Exploitation could lead to full compromise of the CMS, including unauthorized content changes, privilege escalation, and lateral movement within the hosting environment. Remote code execution and takeover of production environments could be possible if staging sync is exposed to the internet. Both carry a CVSS score of 9.8. 

Analyst insight

For mitigation, organizations are encouraged to prioritize remediation of the noted vulnerabilities.

CVE-2022-48503

Apple platforms received patches for CVE-2022-48503 in July 2022 (iOS 15.6, iPadOS 15.6, macOS Monterey 12.5, and Safari 15.6), but Apple has since moved on to newer OS generations. Devices such as the iPhone 6s and iPhone SE (1st gen) are discontinued and considered end-of-life, meaning they no longer receive security updates. Continued use of these devices introduces persistent risk, especially from web-based attacks exploiting unpatched WebKit vulnerabilities.

For Linux environments, organizations are encouraged to audit systems using WebKitGTK or WPE WebKit, particularly those running versions prior to 2.38.0. These engines are embedded in GNOME Web (Epiphany), custom GTK-based browsers, and various embedded platforms including smart TVs and industrial interfaces. Distributions like Debian, Ubuntu, and Fedora may still package outdated builds, and applications using GTK bindings in Python, C, or C++ may inherit the vulnerability if not explicitly updated.

Where patching is not feasible, isolating affected applications from untrusted web content and disabling embedded web views can reduce exposure.
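An added audit helper for the WebKitGTK/WPE WebKit check recommended above (example code written for this note, not Field Effect's or the WebKit project's): it inventories installed engine packages via dpkg or rpm and flags any build older than 2.38.0. The package-name globs and the distro version-string formats it strips are assumptions.

```shell
#!/bin/sh
# Added example (not Field Effect's code): audit a Linux host for WebKitGTK / WPE WebKit
# builds older than 2.38.0, the first release carrying the fix for CVE-2022-48503.
# Package-name globs below are assumptions based on common Debian/Ubuntu and Fedora naming.
FIXED_VERSION="2.38.0"

# Reduce a distro version string to its leading dotted numbers:
# "1:2.36.8-1ubuntu1" -> "2.36.8" (epoch and packaging suffix dropped).
strip_version() {
    printf '%s' "$1" | sed 's/^[0-9]*://; s/[^0-9.].*$//'
}

# version_lt A B: exit 0 when A is strictly older than B (three numeric components).
version_lt() {
    a="$(strip_version "$1").0.0"
    b="$(strip_version "$2").0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# flag_vulnerable: read "<package> <version>" lines on stdin and print those below
# FIXED_VERSION. Exits 0 if at least one outdated build was found, 1 otherwise.
flag_vulnerable() {
    hits=0
    while read -r pkg ver; do
        [ -z "$pkg" ] && continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s %s (< %s)\n' "$pkg" "$ver" "$FIXED_VERSION"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# audit_host: inventory WebKit engine packages with dpkg or rpm, then flag outdated ones.
audit_host() {
    { if command -v dpkg-query >/dev/null 2>&1; then
          dpkg-query -W -f '${Package} ${Version}\n' 'libwebkit2gtk*' 'libwpewebkit*' 2>/dev/null
      elif command -v rpm >/dev/null 2>&1; then
          rpm -qa --qf '%{NAME} %{VERSION}\n' 'webkit2gtk*' 'wpewebkit*' 2>/dev/null
      fi; } | flag_vulnerable
}
```

Running `audit_host` on a host prints one line per outdated package and exits non-zero when none is found, so it can be dropped into a fleet-wide inventory job.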

CVE-2025-2746 and CVE-2025-2747

Organizations using Kentico Xperience 13 are advised to apply updates to version 13.0.179 or later. Where patching is delayed, disabling the Staging Sync Server or restricting access to trusted IP ranges may reduce exposure. Reviewing authentication configurations and removing unsupported password types can further mitigate risk.