TL;DR
CISA’s Known Exploited Vulnerabilities (KEV) catalogue is not a normal CVE list. If a bug lands there, CISA has evidence attackers are already using it in the wild, which means Australian SMBs should treat it as a patch-now issue, not a patch-when-we-get-time issue.
In the latest KEV highlights, the biggest risks for SMBs are remote code execution, authentication bypass, and privilege escalation flaws in Oracle, Microsoft, Kentico and Apple software. If your business runs exposed business apps, Windows file sharing, CMS platforms, or BYOD Apple devices, this is the week to verify versions and close gaps.
Why KEV matters more than a high CVSS score
CISA adds vulnerabilities to the KEV catalogue when there is credible evidence of real-world exploitation and a clear remediation path. That makes KEV more useful for a 10-50 person business than a giant vulnerability backlog sorted only by severity.
For SMB owners, the plain-English version is simple: a KEV entry means criminals are not just talking about this bug, they are already using it. If your IT provider is still prioritising only “critical” CVSS scores while ignoring KEV status, your patching queue is upside down.
The operational benchmark is also clear. Under CISA’s Binding Operational Directive 22-01, federal agencies must patch by the listed due date. Private businesses in Australia are not legally bound by that directive, but the due dates are still a useful urgency marker.
This week’s KEV highlights SMBs should care about
1. Oracle E-Business Suite: CVE-2025-61882 and CVE-2025-61884
These two Oracle E-Business Suite flaws are the most dangerous items in the current KEV highlights.
CVE-2025-61882
- Vendor: Oracle
- Product: Oracle E-Business Suite
- Type: Remote code execution
- Exploitation status: In the wild
- Patch deadline: 10 November 2025 (the due date CISA lists in the KEV catalogue)
CVE-2025-61884
- Vendor: Oracle
- Product: Oracle E-Business Suite
- Type: Server-side request forgery
- Exploitation status: In the wild
- Patch deadline: 10 November 2025
What this means in plain English: if an attacker can reach the vulnerable service, they may be able to run code on the server or make the server talk to internal systems it should never touch. For an SMB, that can mean finance systems, payroll data, supplier records, and customer information becoming reachable from one exposed weakness.
Although Oracle EBS is more common in the mid-market than in small business, any Australian company using legacy ERP deserves an immediate review here.
2. Microsoft Windows SMB Client: CVE-2025-33073
- Vendor: Microsoft
- Product: Windows SMB Client
- Type: Privilege escalation
- Exploitation status: In the wild
- Public PoC: not confirmed in the sources reviewed for this post, but the KEV listing itself confirms active exploitation
- Patch deadline: 10 November 2025
This one matters because SMB is still everywhere in small business networks. It is the plumbing behind file shares, mapped drives, and a lot of internal Windows traffic.
Plain English: if an attacker already gets a foothold on a machine, this bug can help them climb higher, potentially to SYSTEM-level access. That makes ransomware spread, credential theft, and lateral movement much easier. For a 20-person office with shared Windows devices, that is often the difference between “one compromised laptop” and “the whole office goes offline”.
If your business runs Microsoft 365, remember this still matters. Microsoft 365 does not replace the need to patch Windows endpoints connected to your users, files, and identity stack.
3. Kentico Xperience CMS: CVE-2025-2746 and CVE-2025-2747
- Vendor: Kentico
- Product: Kentico Xperience CMS
- Type: Authentication bypass
- Exploitation status: In the wild
- Proof-of-concept status: Public technical analysis reported by security researchers
- Patch deadline: 10 November 2025
These flaws affect the Staging Sync Server component and can allow attackers to bypass authentication.
Plain English: a criminal may be able to get admin-style access without a legitimate login. If your website or portal runs on Kentico, that can mean defaced pages, malicious redirects, injected scripts, fake admin accounts, or a quiet backdoor left behind for later.
This is a good reminder for WordPress and other CMS users too: internet-facing content systems are not “just marketing sites”. For many SMBs, the website is tied to forms, leads, customer trust, and brand credibility.
What about Apple, Google, NGINX, Cisco, Fortinet, Ivanti, VMware and WordPress?
Not every vendor in your stack will appear in every KEV update. This week’s strongest confirmed highlights in the sources reviewed for this post were Oracle, Microsoft, Kentico and Apple, not a fresh batch of Microsoft 365, Google Workspace, NGINX, Cisco, Fortinet, Ivanti, VMware or WordPress entries.
That does not mean those platforms are safe to ignore. It means SMBs should use KEV as a live shortlist layered on top of regular patch hygiene:
- Internet-facing firewalls and VPNs first: Fortinet, Cisco, Ivanti
- Virtualisation and remote management second: VMware
- Public websites and plugins next: WordPress, NGINX
- User endpoints and file-sharing systems always: Microsoft Windows and Apple devices
- Cloud identity stack continuously: Microsoft 365 and Google Workspace admin controls, MFA, and conditional access
If a product is exposed to the internet or holds identity, finance, customer, or operational data, KEV status should move it to the top of the queue.
What Australian SMBs should do this week
First, map the latest KEV entries against what you actually run. A vulnerability in software you do not use is noise. A medium-severity issue on an exposed business system you do use is a real problem.
Second, patch or isolate affected systems inside 48 hours wherever possible. If patching must wait, use temporary controls such as IP restrictions, disabling exposed components, tightening admin access, and reviewing logs for suspicious activity.
Third, ask your IT provider one direct question: “Show me which KEV-listed vulnerabilities affect us right now, and the due date for each.” If they cannot answer that quickly, your patching process is not mature enough.
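The first step above (map KEV entries against what you actually run) and the priority order in the earlier list (internet-facing and data-holding systems to the top of the queue) can be turned into a repeatable check rather than a conversation with your IT provider. The script below is an added example, not code from the original post or from CISA. It assumes the field names of CISA’s public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dueDate); the feed excerpt is constructed from the CVEs named in this post so it runs offline, and the asset inventory is hypothetical. In practice you would replace KEV_FEED_JSON with the downloaded catalogue and INVENTORY with your own asset list.

```python
"""Match CISA KEV entries against a small asset inventory and rank by urgency.

Added example, not part of the original post. Assumes the field names used by
CISA's KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
The feed excerpt below is constructed from the CVEs in the post; the inventory is hypothetical.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed (due dates as stated in the post).
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
         "vulnerabilityName": "Oracle E-Business Suite remote code execution", "dueDate": "2025-11-10"},
        {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
         "vulnerabilityName": "Oracle E-Business Suite server-side request forgery", "dueDate": "2025-11-10"},
        {"cveID": "CVE-2025-33073", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Windows SMB Client privilege escalation", "dueDate": "2025-11-10"},
        {"cveID": "CVE-2025-2746", "vendorProject": "Kentico", "product": "Xperience CMS",
         "vulnerabilityName": "Kentico Xperience Staging Sync Server authentication bypass", "dueDate": "2025-11-10"},
        {"cveID": "CVE-2025-2747", "vendorProject": "Kentico", "product": "Xperience CMS",
         "vulnerabilityName": "Kentico Xperience Staging Sync Server authentication bypass", "dueDate": "2025-11-10"},
    ],
})

# Hypothetical SMB inventory. "internet_facing" and "sensitive_data" are the two
# properties the post says should push a KEV-listed asset to the top of the queue.
INVENTORY = [
    {"asset": "erp01", "vendor": "Oracle", "product": "E-Business Suite",
     "internet_facing": True, "sensitive_data": True},
    {"asset": "web01", "vendor": "Kentico", "product": "Xperience CMS",
     "internet_facing": True, "sensitive_data": False},
    {"asset": "laptops", "vendor": "Microsoft", "product": "Windows",
     "internet_facing": False, "sensitive_data": True},
    {"asset": "fw01", "vendor": "Fortinet", "product": "FortiGate",
     "internet_facing": True, "sensitive_data": False},
]


def load_kev(feed_json):
    """Parse the KEV feed and return its list of vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def _norm(text):
    # Case- and whitespace-insensitive comparison of vendor/product strings.
    return " ".join(text.lower().split())


def match_inventory(kev_entries, inventory):
    """Return one record per (asset, KEV entry) pair where vendor matches exactly
    and either product string contains the other."""
    matches = []
    for asset in inventory:
        for entry in kev_entries:
            if _norm(asset["vendor"]) != _norm(entry["vendorProject"]):
                continue
            mine, theirs = _norm(asset["product"]), _norm(entry["product"])
            if mine in theirs or theirs in mine:
                matches.append({
                    "asset": asset["asset"],
                    "cve": entry["cveID"],
                    "name": entry["vulnerabilityName"],
                    "due": date.fromisoformat(entry["dueDate"]),
                    # Exposure score: internet-facing weighs more than data-holding.
                    "exposure": 2 * int(asset["internet_facing"]) + int(asset["sensitive_data"]),
                })
    return matches


def prioritise(matches, today):
    """Add days-to-due and a status, then sort: most exposed first, soonest due next."""
    ranked = []
    for m in matches:
        days_left = (m["due"] - today).days
        status = "OVERDUE" if days_left < 0 else "DUE"
        ranked.append({**m, "days_left": days_left, "status": status})
    ranked.sort(key=lambda m: (-m["exposure"], m["days_left"], m["cve"]))
    return ranked


def report(ranked):
    """Print the answer to 'which KEV-listed bugs affect us, and the due date for each?'"""
    for m in ranked:
        print(f"{m['status']:8} {m['cve']:15} {m['asset']:8} due {m['due']} "
              f"({m['days_left']:+d} days)  {m['name']}")


if __name__ == "__main__":
    report(prioritise(match_inventory(load_kev(KEV_FEED_JSON), INVENTORY), date.today()))
```

Matching on vendor plus a loose product-name check is deliberately generous: a false positive costs a few minutes of version checking, while a false negative leaves an actively exploited bug unpatched. Anything that matches gets a human look at the installed version before it is closed out.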
FAQ
It is CISA’s list of vulnerabilities that are known to be exploited in the wild. It is more actionable than a generic CVE feed because it focuses on bugs attackers are already using successfully.
Not legally in the same way it applies to US federal agencies, but practically, yes. Australian SMBs face the same opportunistic attackers, ransomware crews, and bot-driven scanning campaigns.
No. Cloud email and collaboration platforms do not remove the need to patch laptops, servers, firewalls, websites, and on-premises infrastructure. Most real incidents still involve a mix of identity, endpoint, and network weaknesses.
For internet-facing systems, same day is ideal and 48 hours is a sensible upper limit for most SMBs. For internal-only systems, move fast anyway, especially if the bug enables privilege escalation or lateral movement.
Conclusion
The latest CISA KEV highlights reinforce a simple rule: patch based on active exploitation, not just scary scores. For Australian SMBs, that means treating KEV-listed Oracle, Microsoft and CMS vulnerabilities as urgent business risk, especially where systems are internet-facing or linked to customer, financial, or operational data.
If you want a clear view of what in your environment needs urgent patching first, visit consult.lil.business for a free cybersecurity assessment.
References
- CISA Known Exploited Vulnerabilities Catalog
- CISA Binding Operational Directive 22-01
- CVE Record: CVE-2025-61882
- CVE Record: CVE-2025-61884
- CVE Record: CVE-2025-33073
- CVE Record: CVE-2025-2746
- CVE Record: CVE-2025-2747
- Australian Cyber Security Centre: Patch Your Devices