Oracle has disclosed two critical vulnerabilities in its E-Business Suite’s Marketing product that could hand full control to remote attackers.
Tracked as CVE-2025-53072 and CVE-2025-62481, the flaws affect the Marketing Administration component and carry a CVSS score of 9.8, placing them among the most severe vulnerabilities disclosed this year.
Organizations relying on Oracle’s suite for customer relationship management and marketing automation now face urgent patching needs to avert potential data breaches and system takeovers.
The vulnerabilities stem from weaknesses in how the Marketing Administration component handles HTTP requests. An unauthenticated attacker needs only network access to exploit them; no special privileges and no user interaction are required.
Once triggered, the flaws enable full compromise of the Oracle Marketing module, with high impact to confidentiality, integrity, and availability.
This could mean stealing sensitive customer data, altering marketing campaigns, or disrupting operations entirely.
In today’s threat landscape, where ransomware groups and nation-state actors hunt for easy entry points, such exposures in widely used ERP systems like Oracle E-Business Suite amplify the danger.
Details Of The Flaws
Both CVEs affect versions 12.2.3 through 12.2.14 of Oracle Marketing, and Oracle lists no workaround beyond applying the latest security patches.
Oracle’s advisory highlights that the issues remain unchanged from initial assessments, underscoring their straightforward exploitability.
The CVSS 3.1 vector for each (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) breaks down to network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impacts across all categories.
| CVE ID | Component | Attack Vector | Requires Auth? | CVSS 3.1 Score | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact | Affected Versions | 
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-53072 | Marketing Administration | HTTP (Network) | No | 9.8 | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.14 | 
| CVE-2025-62481 | Marketing Administration | HTTP (Network) | No | 9.8 | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.14 | 
These entries reveal a pattern: identical scoring and vectors suggest related coding errors, possibly in input validation or session handling, though Oracle has not released specifics to avoid aiding attackers.
Mitigations
The disclosure arrives amid a surge in supply chain attacks targeting enterprise tools, echoing recent breaches at companies like Cisco and Microsoft.
For businesses in retail, finance, or e-commerce where Oracle E-Business Suite powers core marketing functions, these vulnerabilities could expose terabytes of customer profiles to theft or manipulation, leading to regulatory fines under GDPR or CCPA.
Oracle urges immediate patching via its Critical Patch Update for October 2025, available on My Oracle Support.
In the interim, experts recommend network segmentation, web application firewalls tuned for HTTP anomalies, and monitoring for unusual Marketing Administration traffic.
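As an added illustration of the last two interim measures (not code from Oracle or from the article), the script below scans reverse-proxy access logs in front of E-Business Suite for requests to the Marketing Administration pages and flags the two conditions the CVSS vector makes worrying: requests arriving from outside the administrators' network segment, and requests to an admin path with no authenticated user. The URL prefix, the allowed subnet and the log lines are all constructed placeholders, since the advisory does not name the affected endpoints; replace them with the paths and segments from your own deployment.

```python
import ipaddress
import re

# Assumptions, not from Oracle's advisory: Marketing Administration pages
# live under this placeholder prefix, and admins reach them only from the
# subnet below (a constructed allow-list for the example).
MARKETING_ADMIN_PREFIX = "/PLACEHOLDER-marketing-admin/"
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Combined-log-format line: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
10.20.5.14 - jsmith [21/Oct/2025:09:01:12 +0000] "GET /PLACEHOLDER-marketing-admin/campaigns HTTP/1.1" 200 5120
203.0.113.77 - - [21/Oct/2025:09:02:03 +0000] "POST /PLACEHOLDER-marketing-admin/config HTTP/1.1" 200 311
10.20.5.14 - jsmith [21/Oct/2025:09:02:40 +0000] "GET /static/logo.png HTTP/1.1" 200 2210
198.51.100.9 - - [21/Oct/2025:09:03:15 +0000] "POST /PLACEHOLDER-marketing-admin/config HTTP/1.1" 500 0
"""


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str) -> list:
    """Flag Marketing Administration requests from outside the admin segment
    or without an authenticated user (each finding lists every reason)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MARKETING_ADMIN_PREFIX):
            continue  # unparseable, or not an admin request
        reasons = []
        src = ipaddress.ip_address(rec["ip"])
        if not any(src in net for net in ALLOWED_ADMIN_NETS):
            reasons.append("source outside admin segment")
        if rec["user"] == "-":
            reasons.append("no authenticated user on an admin path")
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} -> {f['status']}: {'; '.join(f['reasons'])}")
```

In a real deployment the same check belongs in the SIEM or WAF rule set rather than a script; the point is that, for a flaw rated `PR:N`, every admin-path request that lacks a session is itself the signal, regardless of whether the backend answered 200 or 500.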
Cybersecurity firms like Mandiant warn that exploit code may surface soon on dark web forums, given the high incentive.
As enterprises scramble, this incident highlights the need for proactive vulnerability management in legacy systems. With no evidence of active exploitation yet, the window for defense remains open, but it is narrowing fast.
