Oracle Security Alert Advisory
Summary
Oracle has issued a critical security alert for a zero‑day vulnerability (CVE-2025-61882) in Oracle Concurrent Processing (part of Oracle E‑Business Suite, component: BI Publisher Integration). The vulnerability affects EBS versions 12.2.3 through 12.2.14 and is actively being exploited in the wild. Exploitation may permit unauthenticated remote attackers to gain elevated privileges and potentially execute arbitrary code on vulnerable systems. Systems exposed to the internet, or reachable from untrusted networks, are at highest immediate risk.
Affected Systems
- Oracle E‑Business Suite (EBS) from version 12.2.3 to 12.2.14
- Product: Oracle Concurrent Processing
- Component: BI Publisher Integration
Technical Details
Vulnerability class: A vulnerability in the BI Publisher Integration can be abused remotely. Oracle describes CVE-2025-61882 as a critical issue; available reports and rapid public analysis, such as the SANS/ISC diary, indicate that exploit code and targeting patterns are circulating.
Impact:
Confidentiality: Access to sensitive reports and data (financial reports, HR/exported datasets).
Integrity: Tampering of report content, job definitions, templates, or outputs.
Availability: Disruption or manipulation of scheduled business-critical jobs.
Remote code execution & privilege escalation: Public reporting indicates unauthenticated remote exploitability with potential to elevate privileges and execute arbitrary code.
Attack surface:
Web-facing EBS affected component.
Exploit activity:
A quick analysis (ISC/SANS) has discussed exploit scripts (the alleged exploit script “exp.py”) and how they interact with EBS components. The analysis used a Python server to emulate the attacker host and show both the payload delivery paths and the command execution technique, indicating that proof‑of‑concept exploit code and active targeting patterns are circulating.
It found that the script:
- Probes a target’s BI Publisher endpoints (starts with a GET /OA_HTML/runforms.jsp to determine host)
- Retrieves a CSRF token via a POST /OA_HTML/JavaScriptServlet request
- Then posts a large URL‑encoded payload to /OA_HTML/configurator/UiServlet which contains an embedded XML return_url pointing at an attacker‑controlled host (the diary shows the script constructs a return_url referencing http://<evilhost>:7201/OA_HTML/help/../ieshostedsurvey.jsp)
- Leverages an SSRF / server‑side processing path that causes the target to fetch and process an attacker‑supplied XSLT. That XSLT contains a Base64‑encoded script which, when decoded and evaluated server‑side, invokes Java runtime calls to execute arbitrary OS commands.
The analysis also highlights distinctive indicators in the exploit:
a specific browser user‑agent string used by the script, the use of unusual HTTP version 1.2 in the payload (potential filter‑evasion), CSRF‑related headers (CSRF‑XHR: YES, FETCH‑CSRF‑TOKEN: 1), and I/O patterns (Content-Length: 0, Content-Type: application/x-www-form-urlencoded).
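The request order listed above can be hunted for in web-tier access logs. The following is an added example, not code from Oracle or from the ISC/SANS diary: it assumes Apache-style common/combined log lines, the function names `parse` and `hunt` and the five-minute window are illustrative choices, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Request order the advisory attributes to the script.
STAGES = [("GET", "/OA_HTML/runforms.jsp"),
          ("POST", "/OA_HTML/JavaScriptServlet"),
          ("POST", "/OA_HTML/configurator/UiServlet")]
# Assumption: Apache-style common/combined access log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed or non-HTTP line
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def hunt(lines, window=timedelta(minutes=5)):
    """Map each client IP that completed all stages in order, within
    `window`, to the time of its UiServlet POST."""
    progress, hits = {}, {}  # progress: ip -> (next stage index, start time)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        nxt, start = progress.get(ip, (0, None))
        if nxt and ts - start > window:
            nxt, start = 0, None  # stale partial sequence, start over
        if (method, path) == STAGES[nxt]:
            nxt, start = nxt + 1, start or ts
            if nxt == len(STAGES):
                hits[ip] = ts
                nxt, start = 0, None
        elif (method, path) == STAGES[0]:
            nxt, start = 1, ts  # probe repeated, restart from stage 1
        progress[ip] = (nxt, start)
    return hits

SAMPLE = [  # constructed log lines using documentation IP ranges
    '203.0.113.7 - - [06/Oct/2025:10:00:01 +0000] "GET /OA_HTML/runforms.jsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Oct/2025:10:00:02 +0000] "GET /OA_HTML/runforms.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Oct/2025:10:00:03 +0000] "POST /OA_HTML/JavaScriptServlet HTTP/1.1" 200 64',
    '203.0.113.7 - - [06/Oct/2025:10:00:05 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 0',
]
if __name__ == "__main__":
    for ip, ts in hunt(SAMPLE).items():
        print(f"{ip} completed the probe/token/UiServlet sequence at {ts}")
```

Standard access logs do not record POST bodies or most request headers, so the return_url and CSRF‑header indicators have to be checked in proxy, WAF or packet-capture data instead.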
Mitigation & Recommendations
Patch immediately:
- Oracle has released a patch bundle specific to CVE-2025-61882.
- Download and apply it via My Oracle Support, referencing the latest security alert.
Hunt for indicators of compromise (IoCs):
Table description: the first two IOCs are IP addresses, the third is a command, and the last three reference files associated with the Oracle exploit script, respectively named:
oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters(.zip,/exp.py, /server.py)

What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed.
Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
Tenable IDs: CVE-2025-61882
References
Oracle Security Alert — CVE-2025-61882 (official):
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html#AppendixEBS
Cybersecurity News — Oracle E-Business Suite 0-day vulnerability:
https://cybersecuritynews.com/oracle-e-business-suite-0-day-vulnerability/
SANS/ISC Diary — Quick analysis of possible Oracle E-Business Suite exploit script (CVE-2025-61882):