Ongoing active exploitation of two security vulnerabilities impacting Oracle's E-Business suite, tracked as CVE-2022-21587, and SugarCRM offerings, tracked as CVE-2023-22952, have prompted their inclusion in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog, reports The Record, a news site by cybersecurity firm Recorded Future. Federal civilian agencies have been urged to address both flaws before Feb. 23. Patches for the critical Oracle flaw have already been released in October, establishing the need for urgent patching of vulnerable instances. On the other hand, threat actors have already leveraged an exploit for the SugarCRM vulnerability in cryptomining malware deployment, according to a security expert. However, SugarCRM did note that none of its Sugar Sell, Enterprise, Serve, Professional, and Ultimate software solutions have been impacted by attacks. Both flaws represent widely varying market segments and the ever-expanding reach of cybercriminals and nation-state actors, said Netenrich Principal Threat Hunter John Bambenek. "This highlights that all market segments attract APT and nation-state risks that should enforce the need to make sure updates are applied as quickly as they come out," Bambenek added.