All Researches
All Threat Alerts
CVE-202561882
October 6, 2025
·
0
Minutes Read

Oracle Security Alert Advisory

Threat Research
October 6, 2025
·
0
Minutes Read

Oracle Security Alert Advisory

Threat Research
October 6, 2025
·
0
Minutes Read
Kudelski Security Team
Find out more
table of contents
Share on
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Summary

Oracle has issued a critical security alert for a zero‑day vulnerability (CVE-2025-61882) inOracle Concurrent Processing (part of Oracle E‑Business Suite, component: BIPublisher Integration). The vulnerability affects EBS versions 12.2.3 through12.2.14 and is actively being exploited in the wild. Exploitation may permit unauthenticated remote attackers to gain elevated privileges and potentially execute arbitrary code on vulnerable systems. Systems exposed to the internet, or reachable from untrusted networks, are at highest immediate risk.

Affected Systems

  • Oracle E‑Business Suite     (EBS) from version 12.2.3 to 12.2.14
  • Product: Oracle Concurrent     Processing
  • Component: BI Publisher     Integration

Technical Details

Vulnerability class : A vulnerability in the BI Publisher Integration can be abused remotely. Oracle describes CVE-2025-61882 as a critical issue; available reports and rapid public analysis such as SANS/ISC diary, indicate exploit code and targeting patterns are circulating.

Impact:

Confidentiality: Access to sensitive reports and data (financial reports,HR/exported datasets).

Integrity:  Tampering of report content, job definitions, templates, or outputs.

Availability : Disruption or manipulation of scheduled business-critical jobs.

Remote code execution & privilege escalation:  Public reporting indicates unauthenticated remote exploitability with potential to elevate privileges and execute arbitrary code.

Attack surface:

Web-facing EBS affected component.

Exploit activity:

A quick analyses (ISC/SANS) have discussed exploit scripts (alleged exploit script “exp.py” ) and how they interact with EBS components. The analyses used a Python server to emulate the attacker host and show both the payload delivery paths and the command execution technique, indicating proof‑of‑concept exploit code and active targeting patterns are circulating.

They found that the script:

  • Probes a target’s BI Publisher endpoints (starts with a GET /OA_HTML/runforms.jsp to determine host)
  • Retrieves a CSRF token via a POST /OA_HTML/JavaScriptServlet request
  • Then posts a large URL‑encoded payload to /OA_HTML/configurator/UiServlet which contains an embedded XML return_url pointing at an attacker‑controlled host (the diary shows the script constructs a return_url referencing http://<evilhost>:7201/OA_HTML/help/../ieshostedsurvey.jsp
  • Leverages an SSRF / server‑side processing path that causes the target to fetch and process an attacker‑supplied XSLT.     That XSLT contains a Base64‑encoded script which, when decoded and evaluated server‑side, invokes Java runtime calls     to execute arbitrary OS commands.

The analysis also highlights distinctive indicators in the exploit:

a specific browser user‑agent string used by the script, the use of unusual HTTP version 1.2 in the payload (potential filter‑evasion), CSRF‑related headers (CSRF‑XHR: YES, FETCH‑CSRF‑TOKEN: 1), and I/O patterns (Content-Length: 0, Content-Type: application/x-www-form-urlencoded).

Mitigation & Recommendations 

Patch immediately:

  • Oracle has released a patch bundle specific to CVE-2025-61882.
  • Download and apply it via My Oracle Support, referencing the latest security     alert.

Hunt for indicators of compromise (IoCs):

Table description: the first two IOCs are IP addresses, the third is a command, and the last three reference files associated with the Oracle exploit script, respectively named:

oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters(.zip,/exp.py, /server.py)

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed.

Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

Tenable IDs: CVE-2025-61882

References

Oracle Security Alert — CVE-2025-61882 (official):

https://www.oracle.com/security-alerts/alert-cve-2025-61882.html#AppendixEBS

Cybersecurity News — Oracle E-Business Suite 0-day vulnerability:

https://cybersecuritynews.com/oracle-e-business-suite-0-day-vulnerability/

SANS/ISC Diary — Quick analysis of possible Oracle E-Business Suiteexploit script (CVE-2025-61882):

https://isc.sans.edu/diary/Quick%20and%20Dirty%20Analysis%20of%20Possible%20Oracle%20E-Business%20Suite%20Exploit%20Script%20%28CVE-2025-61882%29/32346

Related Post
September 26, 2025
Security Advisory:
September 26, 2025
Kudelski Security Team

Cisco ASA WebVPN & HTTP Zero-Day Advisory

CVE-2025-20333
CVE-2025-20362
CVE-2025-20363
August 6, 2025
Security Advisory:
August 6, 2025
Kudelski Security Team

A Likely Zero-Day Vulnerability in SonicWall SSL-VPN Exploited by Akira Ransomware Group

June 27, 2025
Security Advisory:
June 27, 2025
Kudelski Security Team

Lunar Spider – Lotus V2 Loader Campaign Using Fake CAPTCHA Delivery and DLL Sideloading