
Oracle Releases Security Advisory for E-Business Suite



Summary

Oracle has reported exploitation of CVE-2025-61882 in the wild as a zero-day vulnerability which, if successfully exploited, could allow unauthenticated remote code execution on affected E-Business Suite appliances.


Threat details

Exploitation of CVE-2025-61882

Oracle has reported exploitation of CVE-2025-61882 in the wild as a zero-day vulnerability. The NHS England National CSOC is aware of a public proof-of-concept exploit and assesses further exploitation as highly likely.


Introduction

Oracle has released a security update to address a critical severity vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration).


Vulnerability details

  • CVE-2025-61882 has a CVSSv3 score of 9.8. Successful exploitation could allow a remote unauthenticated attacker to execute arbitrary code and take control of Oracle Concurrent Processing. This vulnerability is under active exploitation.

Remediation advice

Affected organisations must review Oracle's Security Alert Advisory - CVE-2025-61882 and follow the remediation steps below.


Remediation steps

Type: Patch

Required: Organisations must apply the latest Oracle E-Business Suite update as soon as possible.

The October 2023 Critical Patch Update must be installed before the security update addressing CVE-2025-61882 is installed.

Note: Organisations running "sustaining support" or end-of-life releases of Oracle E-Business Suite must upgrade to a supported version.

https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

Type: Action

Optional: Where possible, organisations are strongly encouraged to hunt for the indicators of compromise detailed in Oracle's advisory.

Additional indicators of compromise are available in NHS England's Threat Intelligence Sharing Platform (TISP). For more information on the TISP, please speak to your Regional Security Lead.

If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected].

https://www.oracle.com/security-alerts/alert-cve-2025-61882.html


Last edited: 6 October 2025 12:01 pm