Introduction
Attackers can seize control of Oracle E-Business Suite environments without authentication, leveraging a critical flaw in the Concurrent Processing (BI Publisher Integration) component. This vulnerability, tracked as CVE-2025-61882, exposes thousands of enterprises to remote compromise via a single HTTP request.
About Oracle and E-Business Suite: Oracle is one of the world's largest enterprise software vendors, with Oracle E-Business Suite (EBS) serving as a backbone for ERP, financials, supply chain, and HR in thousands of organizations globally. EBS is a highly integrated suite, and its security posture directly impacts business operations across industries.
Technical Information
CVE-2025-61882 is a critical vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle E-Business Suite. The flaw allows unauthenticated attackers to send specially crafted HTTP requests to the affected component. Successful exploitation results in full system compromise, including the ability to access sensitive data, modify configurations, and disrupt operations.
- Attack vector: Network (HTTP)
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Impact: High (Confidentiality, Integrity, Availability)
- CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The vulnerability is exposed via HTTP endpoints associated with the BI Publisher Integration. No authentication is required, and there is no need for user interaction. The flaw is easily exploitable, making it suitable for automated attacks. No public code snippets or proof-of-concept details are available at this time.
Affected Systems and Versions
- Product: Oracle E-Business Suite (Concurrent Processing, BI Publisher Integration component)
- Affected versions: 12.2.3 through 12.2.14
- Vulnerable configurations: Any Oracle EBS deployment exposing the Concurrent Processing HTTP endpoints is at risk.
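The affected range and exposure condition above can be turned into a patch-priority check over an asset inventory. This is an added example, not Oracle tooling or code from the advisory; the `Instance` record, its field names, the status labels and the sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass

# Affected range as stated on this page: 12.2.3 through 12.2.14, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 14)

def parse_version(text):
    """Turn '12.2.14' into (12, 2, 14); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EBS version: {text!r}")
    return tuple(int(p) for p in parts)

def in_affected_range(version_text):
    # Compare numerically: as plain strings, "12.2.14" sorts before "12.2.3".
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

@dataclass
class Instance:  # hypothetical inventory record, not an Oracle data format
    host: str
    version: str
    http_exposed: bool  # Concurrent Processing HTTP endpoints reachable

def triage(instances):
    """Return (host, status) pairs for each inventory record."""
    results = []
    for inst in instances:
        try:
            affected = in_affected_range(inst.version)
        except ValueError:
            status = "review"          # version unreadable: check by hand
        else:
            if not affected:
                status = "not_listed"  # outside the range given on this page
            elif inst.http_exposed:
                status = "urgent"      # affected and reachable over HTTP
            else:
                status = "patch"       # affected, endpoints not exposed
        results.append((inst.host, status))
    return results

# Constructed sample inventory; hostnames and values are made up.
SAMPLE = [
    Instance("ebs-prod.example.internal", "12.2.14", True),
    Instance("ebs-test.example.internal", "12.2.3", False),
    Instance("ebs-old.example.internal", "12.2.2", True),
    Instance("ebs-lab.example.internal", "12.2.x", True),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `not_listed` result only means the version falls outside the range quoted here; it says nothing about other advisories.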
Vendor Security History
Oracle E-Business Suite has a history of critical remotely exploitable vulnerabilities. The July 2025 Critical Patch Update addressed nine EBS vulnerabilities, three of which were critical and exploitable without authentication. Oracle has issued out-of-cycle security alerts for severe issues, including CVE-2025-61882, reflecting the urgency of real-world exploitation risk. Oracle's patch response for critical EBS flaws is generally prompt, but complex customer environments often delay patch adoption.