
A critical zero-day vulnerability, identified as CVE-2025-61882, has been discovered in Oracle E-Business Suite, posing a significant threat to enterprise environments. The vulnerability has a CVSS 3.1 score of 9.8 and enables remote code execution without authentication across multiple Oracle E-Business Suite versions.
Oracle E-Business Suite RCE Vulnerability
The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. It specifically targets the Oracle Concurrent Processing BI Publisher Integration component via the HTTP protocol. Security researchers have identified this flaw, which allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems through network-based exploitation with low attack complexity.
Oracle’s security advisory classifies this vulnerability as “remotely exploitable without authentication,” meaning attackers can exploit it without requiring valid credentials. The attack vector utilizes HTTP communications, delivering high impact across confidentiality, integrity, and availability metrics.
Organizations can detect vulnerable instances using Nuclei detection templates that check for the “E-Business Suite Home Page” text while comparing the Last-Modified header timestamp against October 4, 2025. The Oracle October 2023 Critical Patch Update is a prerequisite for applying the necessary security patches. Systems whose modification dates precede this threshold are susceptible to exploitation.
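The header-based check described above, written out as a small offline classifier. This is an added example, not code from the article or from Oracle; the marker text and the October 4, 2025 threshold come from the page, while the response samples, the `assess_ebs_response` function name and the four result labels are constructed for illustration. The check is a heuristic: a page that carries the marker but no parseable Last-Modified header is reported as unknown rather than guessed either way.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Threshold stated in the advisory coverage: home pages last modified before
# this date have not received the fix.
PATCH_THRESHOLD = datetime(2025, 10, 4, tzinfo=timezone.utc)
HOME_PAGE_MARKER = "E-Business Suite Home Page"


def assess_ebs_response(headers, body):
    """Classify one HTTP response from a suspected E-Business Suite login page.

    Returns one of:
      "not_ebs"          - marker text absent, nothing to report
      "unknown"          - marker present but no usable Last-Modified header
      "likely_unpatched" - marker present and Last-Modified < threshold
      "likely_patched"   - marker present and Last-Modified >= threshold
    """
    if HOME_PAGE_MARKER not in body:
        return "not_ebs"
    # Header names are case-insensitive; normalise before the lookup.
    last_modified = {k.lower(): v for k, v in headers.items()}.get("last-modified")
    if not last_modified:
        return "unknown"
    try:
        modified = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):
        return "unknown"
    if modified.tzinfo is None:  # naive timestamps are treated as UTC
        modified = modified.replace(tzinfo=timezone.utc)
    return "likely_unpatched" if modified < PATCH_THRESHOLD else "likely_patched"


# Constructed responses (hypothetical hosts, not real observations).
SAMPLE_RESPONSES = {
    "unpatched": (
        {"Content-Type": "text/html", "Last-Modified": "Tue, 12 Aug 2025 09:14:03 GMT"},
        "<html><head><title>E-Business Suite Home Page</title></head></html>",
    ),
    "patched": (
        {"content-type": "text/html", "last-modified": "Mon, 06 Oct 2025 17:02:11 GMT"},
        "<html><head><title>E-Business Suite Home Page</title></head></html>",
    ),
    "not_ebs": (
        {"Content-Type": "text/html", "Last-Modified": "Tue, 12 Aug 2025 09:14:03 GMT"},
        "<html><head><title>Welcome</title></head></html>",
    ),
    "no_header": (
        {"Content-Type": "text/html"},
        "<html><head><title>E-Business Suite Home Page</title></head></html>",
    ),
}


def assess_samples():
    """Run the classifier over every constructed sample; returns name -> verdict."""
    return {name: assess_ebs_response(h, b) for name, (h, b) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in assess_samples().items():
        print(f"{name:10s} -> {verdict}")
```

In a real scan the headers and body would come from an HTTP client pointed at the login page; a "likely_patched" verdict only means the page was regenerated after the threshold, so it should be confirmed against the installed patch level rather than treated as proof.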
Active Exploitation
Active exploitation attempts have been documented, and specific Indicators of Compromise (IOCs) have been identified. These include the malicious IP addresses 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11, which were observed issuing GET and POST requests. Threat actors are using reverse shell commands to establish outbound TCP connections for persistent access.
Forensic analysis has revealed malicious artifacts, including an exploitation toolkit containing Python scripts. These tools demonstrate sophisticated attack methodologies potentially linked to known threat groups such as Scattered Spider, Lapsus$, and Cl0p ransomware operations.
Oracle recommends the immediate deployment of patches across all affected E-Business Suite installations. Only systems under Premier Support or Extended Support receive security updates. Organizations should implement network monitoring for the identified IOCs and conduct comprehensive vulnerability assessments using available detection templates and Shodan queries targeting `html:"OA_HTML"` patterns to identify exposed instances.
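The IOC monitoring recommended above, applied to web server access logs. This is an added example rather than code from the article; the two IP addresses are the IOCs the page lists (written defanged there and expanded here so they can be matched), while the log lines, the `scan_access_log` function and the per-IP summary are constructed for illustration. It parses Combined Log Format lines, flags every request from an IOC address, and records the method and path so a responder can tell reconnaissance GETs from POSTs against the application.

```python
import re
from collections import Counter

# IOC addresses from the advisory coverage (defanged on the page as
# 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# Combined Log Format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Return (findings, per_ip_counts) for requests originating from IOC addresses.

    findings is a list of dicts with ip, ts, method, path and status; per_ip_counts
    is a Counter of how many hits each IOC address produced.
    """
    findings = []
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] not in IOC_IPS:
            continue
        counts[rec["ip"]] += 1
        findings.append({k: rec[k] for k in ("ip", "ts", "method", "path", "status")})
    return findings, counts


# Constructed sample log (hypothetical traffic; paths are generic EBS locations).
SAMPLE_LOG = [
    '10.20.30.40 - - [05/Oct/2025:03:10:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 8412 "-" "-"',
    '200.107.207.26 - - [05/Oct/2025:03:12:44 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 8412 "-" "-"',
    '10.20.30.41 - - [05/Oct/2025:03:13:10 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "-"',
    '185.181.60.11 - - [05/Oct/2025:03:15:27 +0000] "POST /OA_HTML/ HTTP/1.1" 200 512 "-" "-"',
    'this line is not in combined log format',
]


def scan_sample():
    """Run the scanner over the constructed sample; returns (findings, counts)."""
    return scan_access_log(SAMPLE_LOG)


if __name__ == "__main__":
    hits, per_ip = scan_sample()
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(dict(per_ip))
```

The same address set can be loaded into a firewall or WAF block list and into the SIEM as a watchlist; the log scan is useful for looking backwards through retained logs for activity that predates the block rule.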