A critical vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS) is being actively exploited in the wild, prompting the UK’s National Cyber Security Centre (NCSC) to urge all organisations to apply mitigating controls without delay.
This unauthenticated remote code execution flaw resides in the BI Publisher Integration component of Oracle Concurrent Processing and can lead to full system compromise.
No user interaction is required, and attackers need only send specially crafted HTTP requests to trigger the vulnerability.
What Happened?
Oracle released a security update addressing CVE-2025-61882, which affects Oracle EBS versions 12.2.3 through 12.2.14.
The update, part of the October 2023 Critical Patch Update cycle, patches a flaw in the BI Publisher Integration service.
Exploitation allows adversaries to execute arbitrary code with the privileges of the EBS service account.
Oracle’s advisory includes indicators of compromise (IoCs) and detailed patching instructions.
The NCSC will continue to monitor exploitation activity against UK organisations and provide further guidance as necessary.
Any organisation running Oracle EBS instances between versions 12.2.3 and 12.2.14 is vulnerable, with the greatest risk borne by those exposing EBS directly to the internet.
External exposure removes the protection that traditional network controls would otherwise provide, allowing unauthenticated attackers on the internet to reach and exploit the flaw directly.
Internally hosted EBS deployments behind robust perimeter defences are less at risk, but compromise remains possible through lateral movement if initial network segmentation is inadequate.
CVE Table
| CVE Identifier | Affected Versions | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-61882 | EBS 12.2.3 – 12.2.14 | Remote code execution; full system compromise | Unauthenticated HTTP request to BI Publisher Integration | 9.8 |
Organisations using Oracle EBS should immediately perform a comprehensive compromise assessment using the IoCs published in Oracle’s advisory.
If evidence of intrusion is discovered, contact Oracle PSIRT and report incidents to the NCSC if operating within the UK.
Next, ensure that the October 2023 Critical Patch Update has been applied before installing the specific EBS update addressing CVE-2025-61882.
Continuous network monitoring and proactive threat hunting are essential to detect any anomalous activity after patching, since patching alone does not remove an attacker who gained access beforehand.
To reduce future risk, limit direct internet exposure of critical applications.
When public accessibility is required, adhere strictly to Oracle’s deployment guidelines and NCSC’s network perimeter security best practices.
The NCSC offers extensive free guidance on vulnerability management, preventing lateral movement, and securing network perimeters.
UK organisations can also subscribe to the free NCSC Early Warning service for timely alerts on emerging threats.
The NCSC Vulnerability Disclosure Toolkit helps organisations implement a formal vulnerability disclosure process.
By following these priority actions and leveraging NCSC resources, organisations can significantly reduce the risk posed by CVE-2025-61882 and strengthen their overall security posture.