Oracle E-Business Suite CVE-2025-53072: Brief Summary of Critical Unauthenticated RCE in Marketing Administration

This post provides a brief summary of CVE-2025-53072, a critical unauthenticated remote code execution vulnerability in Oracle E-Business Suite Marketing Administration (versions 12.2.3 to 12.2.14). It covers affected versions, technical details from official advisories, and links to primary sources.
ZeroPath CVE Analysis

2025-10-21

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single unauthenticated HTTP request can lead to a complete compromise of Oracle E-Business Suite Marketing Administration in affected deployments. Organizations running Oracle EBS for critical business operations face a risk of full system takeover if this flaw is left unpatched.

About Oracle and Oracle E-Business Suite: Oracle is one of the world's largest enterprise software vendors, serving thousands of organizations globally. Oracle E-Business Suite (EBS) is a flagship ERP platform used for financials, supply chain, CRM, and more. Its modular architecture and deep integration into business processes make it a high-value target for attackers and a cornerstone of enterprise IT.

Technical Information

CVE-2025-53072 is a critical vulnerability in the Marketing Administration component of Oracle E-Business Suite, affecting versions 12.2.3 through 12.2.14. The flaw is reachable over HTTP and can be exploited remotely without authentication or user interaction. According to Oracle's advisory, successful exploitation allows a remote attacker to take full control of the Oracle Marketing system. The vulnerability is rated low complexity (no special conditions are required), with a CVSS 3.1 base score of 9.8 and the following vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This means:

  • Attack Vector: Network (HTTP)
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

No further technical details, vulnerable code, or exploit specifics have been disclosed by Oracle or in public sources as of the October 2025 Critical Patch Update. There is no public proof of concept or exploit code available.

Affected Systems and Versions

  • Oracle E-Business Suite Marketing Administration component
  • Affected versions: 12.2.3 through 12.2.14
  • All supported configurations of these versions are vulnerable

Vendor Security History

Oracle E-Business Suite has been the subject of multiple critical vulnerabilities in recent years, including:

  • CVE-2025-61882: Pre-auth RCE exploited in the wild
  • CVE-2025-61884: Pre-auth RCE exploited in the wild

Oracle issues quarterly Critical Patch Updates and has responded to recent EBS threats with timely advisories and patches. However, the complexity and widespread use of EBS mean that delayed patching is a recurring risk factor for customers.
