Today’s Topics:
- CISA Flags Five New Actively Exploited Vulnerabilities Across Oracle, Microsoft, and More
- Microsoft Halts Rhysida Ransomware Campaign Exploiting Azure Certificates
- How Can Netizen Help?
CISA Flags Five New Actively Exploited Vulnerabilities Across Oracle, Microsoft, and More

The Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that attackers are targeting unpatched systems from Oracle, Microsoft, and other vendors.
One of the most significant flaws is CVE-2025-61884 (CVSS 7.5), a server-side request forgery (SSRF) issue found in the Runtime component of Oracle E-Business Suite (EBS). The bug allows unauthenticated remote attackers to access sensitive data through crafted network requests. It follows the discovery of another serious Oracle EBS vulnerability, CVE-2025-61882 (CVSS 9.8), which enabled arbitrary code execution on exposed systems. Both flaws have been linked to real-world exploitation campaigns impacting dozens of organizations, with some activity tentatively associated with Cl0p-related extortion groups.
CISA also added four other vulnerabilities to the catalog. CVE-2025-33073 (CVSS 8.8) affects the Microsoft Windows SMB Client and allows privilege escalation through improper access control. Microsoft addressed the flaw in its June 2025 patch release.
Two vulnerabilities in Kentico Xperience CMS, CVE-2025-2746 and CVE-2025-2747 (both CVSS 9.8), involve authentication bypasses in the Staging Sync Server component that mishandled password validation for certain configurations. These issues were corrected in updates released in March 2025.
The final entry, CVE-2022-48503 (CVSS 8.8), is an older flaw in Apple’s JavaScriptCore engine that could lead to arbitrary code execution through malicious web content. Apple fixed it in 2022, but it has resurfaced in active exploitation reports.
CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by November 10, 2025, to safeguard networks against known threats. Although the agency confirmed exploitation for the Oracle EBS bug, it noted that details of attacks involving the other four remain limited.
Microsoft Halts Rhysida Ransomware Campaign Exploiting Azure Certificates

Microsoft has shut down an ongoing Rhysida ransomware operation that relied on fake Microsoft Teams installers digitally signed with stolen or misused Azure certificates. The company confirmed that it has revoked more than 200 compromised code-signing certificates that attackers used to make malicious files appear legitimate.
In a post on X, Microsoft Threat Intelligence reported that a cybercriminal group known as Vanilla Tempest, also tracked as Vice Society, was behind the campaign. The attackers distributed fraudulent Teams setup files signed through Azure’s Trusted Signing service to deliver a custom backdoor called Oyster, which later deployed the Rhysida ransomware payload.
Vanilla Tempest is known for targeting schools, hospitals, and other public sector organizations. In this campaign, the group used domains resembling legitimate Microsoft services, such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top, to trick users into downloading malicious installers. These fake sites were reportedly promoted using SEO poisoning, pushing them higher in search results for unsuspecting victims.
When users executed the bogus MSTeamsSetup.exe, it ran a downloader instead of the real collaboration tool. This downloader installed the Oyster backdoor, which Microsoft said has been in circulation since at least June. While Vanilla Tempest has used multiple ransomware strains in the past, including BlackCat (ALPHV), the group appears to have shifted its focus primarily to Rhysida.
The attackers didn’t rely solely on Microsoft’s infrastructure. They also obtained code-signing certificates from SSL.com, DigiCert, and GlobalSign to authenticate their fake binaries. Signed malware poses a particular challenge for defenders, since many security systems inherently trust executables with valid digital signatures.
It remains unclear how the threat actors gained access to Azure’s Trusted Signing service. The platform allows verified developers with a Microsoft Entra tenant ID and an Azure subscription to sign their applications, with current availability limited to U.S. and European regions. Documentation for the service notes that only organizations with at least three years of verifiable operational history are eligible.
In response to the campaign, Microsoft revoked all known certificates linked to the malicious activity. The company declined to provide further comment beyond its public statement.
DigiCert and GlobalSign, both named in Microsoft’s report, said they had not been asked to revoke any certificates related to the incident but were monitoring for misuse. GlobalSign CISO Arvid Vermote noted that the company investigates all reports of certificate abuse and revokes compromised credentials when verified, while DigiCert stated that it would act immediately upon receipt of credible intelligence.
The incident highlights how attackers continue to exploit digital trust mechanisms to bypass enterprise defenses. Code-signing certificates, once intended to guarantee software authenticity, are increasingly being repurposed as tools for deception, allowing malicious software to masquerade as legitimate applications until its true purpose becomes clear.
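The point above is that a valid signature alone is not a trust decision. The following PowerShell function is an added example written for this digest; it is not code from Microsoft, Netizen, or the report the article summarizes. It inspects a downloaded installer (for instance a file named MSTeamsSetup.exe) and treats it as trusted only if the Authenticode signature verifies, the signer subject matches the publisher you expect, the signing chain passes an online revocation check (so a certificate revoked after the fact, as in this campaign, fails), and any Mark-of-the-Web download host is on an allowlist. The function name Test-InstallerTrust, the expected-subject pattern, and the host allowlist are assumptions for illustration; confirm the real values against a known-good installer in your own environment.

```powershell
<#
  Added defender-side check (not from the article, Microsoft, or Netizen).
  A valid signature is necessary but not sufficient: the signer must be the
  expected publisher, the chain must not be revoked, and the download origin
  must be one you recognize.
  Assumptions: $ExpectedSubjectPattern and $AllowedHosts are illustrative
  placeholders; verify them against a known-good installer before relying on them.
#>
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Placeholder: check the exact subject on a known-good installer first.
        [string]$ExpectedSubjectPattern = '^CN=Microsoft Corporation,',

        # Placeholder allowlist of download hosts you consider legitimate.
        [string[]]$AllowedHosts = @('teams.microsoft.com', 'www.microsoft.com')
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # 1. Authenticode verification. Status values include Valid, NotSigned,
    #    HashMismatch, NotTrusted and UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is $($sig.Status): $($sig.StatusMessage)")
    }

    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject

        # 2. Publisher pinning: a valid signature from the wrong signer still fails.
        if ($subject -notmatch $ExpectedSubjectPattern) {
            $findings.Add("Signer subject does not match expected publisher: $subject")
        }

        # 3. Online revocation check over the whole chain, restricted to the
        #    code-signing EKU (1.3.6.1.5.5.7.3.3). A revoked signing certificate
        #    shows up as a Revoked flag in ChainStatus.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')) | Out-Null
        if (-not $chain.Build($sig.SignerCertificate)) {
            foreach ($s in $chain.ChainStatus) {
                $findings.Add("Chain problem: $($s.Status) - $($s.StatusInformation.Trim())")
            }
        }
        $chain.Reset()
    }

    # 4. Mark-of-the-Web: browsers record the download origin in the
    #    Zone.Identifier alternate data stream (HostUrl is written by some
    #    browsers only). Compare the host against the allowlist.
    try {
        $motw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        $hostLine = $motw | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1
        if ($hostLine) {
            $downloadHost = ([uri]($hostLine -replace '^HostUrl=', '')).Host
            if ($AllowedHosts -notcontains $downloadHost) {
                $findings.Add("Downloaded from non-allowlisted host: $downloadHost")
            }
        }
    } catch {
        # No Zone.Identifier stream: the file was not marked as downloaded.
    }

    [pscustomobject]@{
        Path     = $Path
        SHA256   = $sha256
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage:
# Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

The SHA256 in the output is there so an analyst can correlate the file with threat-intelligence feeds or submit it to the SOC; the Findings list is deliberately cumulative rather than short-circuiting, so a file that fails on several counts reports all of them.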
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
