CISA Warns of Exploited Apple, Kentico, Microsoft Vulnerabilities

Leading to code execution, authentication bypass, and privilege escalation, the flaws were added to CISA’s KEV list. The post CISA Warns of Exploited Apple, Kentico, Microsoft Vulnerabilities appeared first on SecurityWeek.

The US cybersecurity agency CISA on Monday warned that recently disclosed vulnerabilities in Windows SMB Client and Kentico Xperience CMS have been exploited in the wild.

The Windows flaw, tracked as CVE-2025-33073 (CVSS score of 8.8), was patched in June, when Microsoft warned that proof-of-concept (PoC) exploit code targeting it existed.

Exploitable over the network, the bug is described as an improper access control issue that could allow authenticated attackers to elevate their privileges to System.

“To exploit this vulnerability, an attacker could execute a specially crafted malicious script to coerce the victim machine to connect back to the attack system using SMB and authenticate. This could result in elevation of privilege,” Microsoft’s advisory reads.

On Monday, CISA added the Windows SMB defect to its Known Exploited Vulnerabilities (KEV) list along with two authentication bypass flaws in the Kentico Xperience CMS.

The Kentico bugs, tracked as CVE-2025-2746 and CVE-2025-2747 (CVSS score of 9.6), impact the CMS’s Staging Sync Server password handling and could allow attackers to control administrative objects.

The two vulnerabilities, WatchTowr explained in March, could be chained with an authenticated remote code execution defect to compromise Xperience CMS deployments.

CISA on Monday also warned that CVE-2022-48503 (CVSS score of 8.8), an arbitrary code execution issue in Apple products, has been abused in the wild.

Apple patched the security hole in July 2022 in the JavaScriptCore component of macOS Monterey 12.5, iOS 15.6, iPadOS 15.6, Safari 15.6, tvOS 15.6, and watchOS 8.7.

Kentico resolved the authentication bypass bugs in Xperience versions 13.0.173 and 13.0.178.

Per Binding Operational Directive (BOD) 22-01, now that the flaws have been added to the KEV catalog, federal agencies have three weeks to identify vulnerable instances in their environments and apply the available fixes.

There do not appear to be any reports of these bugs’ exploitation prior to CISA’s warning.
