CISA adds KEV flaws; Oracle emergency patch

CISA added five new critical bugs to its Known Exploited Vulnerabilities catalog with an April 3 mitigation deadline, and Oracle pushed an out-of-band patch for a critical RCE in Identity Manager/Web Services Manager (CVE-2026-21992). Both advisories raise urgent patching and compliance-automation needs for federated identity middleware in hybrid AWS/Azure and classified environments. (thehackernews.com) (cybersecuritynews.com)

CISA's KEV entry names CVE-2025-31277 (Apple/WebKit JavaScriptCore), CVE-2025-32432 (Craft CMS code injection), CVE-2025-43510 and CVE-2025-43520 (Apple memory/kernel issues), and CVE-2025-54068 (Laravel Livewire). (cisa.gov)

CVE-2025-54068 enables unauthenticated remote command execution in Livewire v3 up to and including 3.6.3 by abusing component-property hydration, with public technical writeups and advisories documenting the exploit vector. (sentinelone.com) CVE-2025-32432 targets Craft CMS's asset-transformation endpoint (actionGenerateTransform) to perform array/object injection via Yii2 dependency-injection flows, allowing arbitrary PHP object instantiation and full-site compromise in exploit proofs-of-concept. (cvereports.com)

Apple's named CVEs include a JavaScriptCore memory-corruption bug (CVE-2025-31277) and kernel memory corruption/buffer-overflow issues tied to iOS, macOS and Safari updates listed in NVD and linked to recent exploit chains used by the DarkSword iOS exploit kit. (nvd.nist.gov)

Oracle issued an out-of-band Security Alert for CVE-2026-21992 covering Oracle Identity Manager and Oracle Web Services Manager, assigned CVSSv3 9.8 and described as remotely exploitable without authentication; Oracle lists affected supported releases 12.2.1.4.0 and 14.1.2.1.0. (tenable.com) Oracle's Security Alert mechanism was used because the flaw could not wait for the quarterly CPU, and Oracle states Security Alert patches are provided only for product versions under Premier or Extended Support, implying unsupported instances may require upgrades rather than a Security Alert patch. (tenable.com)

CISA frames the KEV catalog as a "living list" governed by BOD 22-01, which requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by the catalog due dates as part of federal vulnerability management. (cisa.gov) Security analysts flag CVE-2026-21992 alongside a November-2025 Identity Manager RCE (CVE-2025-61757) that was exploited in the wild and added to KEV, underscoring repeat targeting of Fusion Middleware REST/WebServices components and the operational reason for Oracle's emergency patching. (tenable.com)
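The BOD 22-01 due-date tracking described above, as an added example that is not part of the briefing: it reads a KEV-shaped feed, matches the Livewire entry against a software inventory using the affected range the briefing states (v3 up to and including 3.6.3), and reports days until the catalog due date. The feed excerpt, inventory, host names and the 2026-04-03 due date are constructed for illustration; the field names follow CISA's public known_exploited_vulnerabilities.json.

```python
"""Flag inventoried packages that fall in a KEV-listed affected range and show time to due date."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (dueDate is YYYY-MM-DD).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-54068", "vendorProject": "Laravel", "product": "Livewire",
     "dueDate": "2026-04-03", "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2025-32432", "vendorProject": "Craft CMS", "product": "Craft CMS",
     "dueDate": "2026-04-03", "requiredAction": "Apply mitigations per vendor instructions."},
]})

# Affected ranges (package, inclusive lower bound, inclusive upper bound) taken from the
# briefing; only Livewire has a version range stated there. Package name is assumed.
AFFECTED = {
    "CVE-2025-54068": ("livewire/livewire", "3.0.0", "3.6.3"),
}


def parse_version(v: str) -> tuple:
    """'3.6.3' -> (3, 6, 3); a pre-release suffix such as '-beta.1' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def load_kev(raw: str) -> dict:
    """Index KEV feed entries by CVE id."""
    return {e["cveID"]: e for e in json.loads(raw)["vulnerabilities"]}


def find_exposures(inventory: dict, kev: dict, affected: dict, today: date) -> list:
    """Return (host, cve, days_until_due) for installed packages inside an affected range,
    soonest due date first. Negative days mean the BOD 22-01 due date has passed."""
    hits = []
    for host, packages in inventory.items():
        for cve, (pkg, low, high) in affected.items():
            if cve not in kev or pkg not in packages:
                continue
            installed = parse_version(packages[pkg])
            if parse_version(low) <= installed <= parse_version(high):
                due = date.fromisoformat(kev[cve]["dueDate"])
                hits.append((host, cve, (due - today).days))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    # Constructed inventory: host -> {package: installed version}.
    inventory = {"web-01": {"livewire/livewire": "3.6.3"},
                 "web-02": {"livewire/livewire": "3.6.4"},
                 "web-03": {"livewire/livewire": "2.12.6"}}
    for host, cve, days in find_exposures(inventory, load_kev(KEV_JSON), AFFECTED, date(2026, 3, 30)):
        print(f"{host}: {cve} due in {days} day(s)")
```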
