Oracle has issued an urgent security alert for a critical zero-day vulnerability affecting Oracle E-Business Suite that allows remote code execution without authentication.
The vulnerability, tracked as CVE-2025-61882, now has a public proof-of-concept detection template from cybersecurity researcher rxerium, significantly increasing the risk for unpatched systems.
Critical Remote Code Execution Flaw
The vulnerability impacts Oracle E-Business Suite versions 12.2.3 through 12.2.14 and carries a maximum CVSS 3.1 score of 9.8, indicating critical severity.
According to Oracle’s security advisory, this flaw can be exploited remotely over a network without requiring username and password credentials, making it particularly dangerous for exposed systems.
The vulnerability exists within the Oracle Concurrent Processing BI Publisher Integration component and is exploitable over HTTP.
Successful attacks could result in complete system compromise, with a high impact on the confidentiality, integrity, and availability of affected systems.
Security researcher rxerium has developed and released a Nuclei detection template specifically designed to identify vulnerable Oracle E-Business Suite instances.
The detection method works by checking for the text “E-Business Suite Home Page” and comparing the date in the Last-Modified HTTP header against October 4, 2025.
Systems whose Last-Modified date is earlier than this cutoff are flagged as potentially vulnerable, on the assumption that they have not received the necessary security patches.
The detection template is available through rxerium’s GitHub repository and can be executed using the Nuclei vulnerability scanner.
The researcher recommends including specific ports in detection scans for enhanced accuracy when identifying vulnerable systems.
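To make the heuristic concrete, here is an added example that is not rxerium's Nuclei template and not Oracle's code. It reimplements the two checks described above (home-page marker in the body, Last-Modified header earlier than October 4, 2025) over a raw HTTP response supplied as bytes, so the logic can be tested offline; the sample responses below are constructed, not captured from any real host.

```python
"""Added example; not rxerium's Nuclei template and not Oracle's code.
Reimplements the heuristic described in the article: the response must contain
the EBS home-page marker, and a Last-Modified date before 4 Oct 2025 is treated
as a sign the October 2025 fixes have not been applied."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

HOME_PAGE_MARKER = "E-Business Suite Home Page"            # body text the template looks for
PATCH_CUTOFF = datetime(2025, 10, 4, tzinfo=timezone.utc)  # cutoff date quoted in the article


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", errors="replace")


def assess(raw: bytes) -> dict:
    """Apply the heuristic. Verdicts: not-ebs, unknown, possibly-vulnerable, patched-or-newer."""
    _, headers, body = parse_http_response(raw)
    if HOME_PAGE_MARKER not in body:
        return {"verdict": "not-ebs", "reason": "home page marker absent"}
    last_modified = headers.get("last-modified")
    if last_modified is None:
        # Caches and reverse proxies often strip or rewrite this header: inconclusive, not clean.
        return {"verdict": "unknown", "reason": "no Last-Modified header"}
    try:
        modified = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):
        return {"verdict": "unknown", "reason": f"unparseable Last-Modified: {last_modified!r}"}
    if modified.tzinfo is None:  # older Pythons return a naive datetime for a '-0000' zone
        modified = modified.replace(tzinfo=timezone.utc)
    verdict = "possibly-vulnerable" if modified < PATCH_CUTOFF else "patched-or-newer"
    return {"verdict": verdict, "last_modified": modified.isoformat()}


# Constructed sample responses for the demonstration (not captured from any real host).
SAMPLE_OLD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Last-Modified: Tue, 12 Aug 2025 09:15:00 GMT\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>E-Business Suite Home Page</title></head></html>"
)
SAMPLE_NEW = (
    b"HTTP/1.1 200 OK\r\n"
    b"Last-Modified: Mon, 06 Oct 2025 17:42:10 GMT\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>E-Business Suite Home Page</title></head></html>"
)
SAMPLE_NO_HEADER = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>E-Business Suite Home Page</title></head></html>"
)
SAMPLE_OTHER = (
    b"HTTP/1.1 200 OK\r\nLast-Modified: Tue, 12 Aug 2025 09:15:00 GMT\r\n\r\n"
    b"<html><body>Welcome</body></html>"
)

if __name__ == "__main__":
    for name, raw in [("old", SAMPLE_OLD), ("new", SAMPLE_NEW),
                      ("no-header", SAMPLE_NO_HEADER), ("other", SAMPLE_OTHER)]:
        print(name, assess(raw))
```

The verdict is only a triage signal: a Last-Modified date after the cutoff shows the home page was regenerated, not that the emergency patch was installed, and a missing or proxy-rewritten header yields no information at all. Confirm patch level from the system's own patch inventory before closing a finding.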
Oracle’s advisory includes concerning indicators of compromise, suggesting potential active exploitation in the wild.
These include two suspicious IP addresses (200.107.207.26 and 185.181.60.11) observed issuing GET and POST requests, along with malicious command execution attempts aimed at establishing outbound TCP connections.
Security teams should monitor for specific file hashes associated with exploitation attempts, including a ZIP file named “oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip” and related Python exploitation scripts.
The presence of these indicators suggests threat actors may already be leveraging this vulnerability.
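As an added example of turning the listed indicators into a check (this is not code from Oracle's advisory), the script below matches web-server access log lines against the two IP addresses quoted above and file names against the quoted ZIP name. The log lines and file paths are constructed for the demonstration; the hash indicators from the advisory are not reproduced here, so any hash matching would have to be added from the advisory itself.

```python
"""Added example, not from Oracle's advisory: match the quoted IP and file-name
indicators against access log lines and file paths. All inputs are constructed."""
import os
import re

IOC_IPS = {"200.107.207.26", "185.181.60.11"}  # IP indicators as quoted in the article
IOC_FILENAMES = {  # archive name as quoted in the article (matched case-insensitively)
    "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
}

# NCSA combined log format, as written by Apache httpd and most reverse proxies in front of EBS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (paths are generic placeholders, not exploit paths).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2025:08:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
200.107.207.26 - - [05/Oct/2025:08:02:40 +0000] "GET / HTTP/1.1" 200 1987 "-" "python-requests/2.31"
185.181.60.11 - - [05/Oct/2025:08:03:01 +0000] "POST /OA_HTML/ HTTP/1.1" 200 311 "-" "python-requests/2.31"
this line is not in combined format
10.0.0.7 - - [05/Oct/2025:08:04:00 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

# Constructed sample file paths, e.g. from a file-system sweep of the application tier.
SAMPLE_FILES = [
    "/tmp/oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
    "/u01/app/patches/p12345678.zip",
]


def scan_access_log(lines):
    """Return (hits, unparsed_count): one hit per GET/POST from a listed IP.
    Lines that do not parse are counted rather than dropped silently, so a log in an
    unexpected format does not look like a clean result."""
    hits, unparsed = [], 0
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if match is None:
            unparsed += 1
            continue
        if match["ip"] in IOC_IPS and match["method"] in {"GET", "POST"}:
            hits.append({
                "line": number,
                "ip": match["ip"],
                "method": match["method"],
                "path": match["path"],
                "status": int(match["status"]),
                "timestamp": match["ts"],
            })
    return hits, unparsed


def scan_filenames(paths):
    """Flag any path whose basename matches a listed archive name."""
    return [p for p in paths if os.path.basename(p).lower() in IOC_FILENAMES]


if __name__ == "__main__":
    hits, unparsed = scan_access_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['method']} {hit['path']} from {hit['ip']} -> {hit['status']}")
    print(f"{unparsed} line(s) could not be parsed")
    print("flagged files:", scan_filenames(SAMPLE_FILES))
```

Run this against the web tier's access logs going back well before the advisory date, since the indicators describe activity that may already have occurred; a hit on either IP is a reason to pull full request bodies and process history for that window, not proof of compromise on its own.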
Oracle strongly recommends the immediate application of security updates provided in this alert.
| CVE Details | Information |
|---|---|
| CVE ID | CVE-2025-61882 |
| Affected Product | Oracle E-Business Suite (versions 12.2.3 – 12.2.14) |
| CVSS 3.1 Score | 9.8 (Critical) |
| Impact | Remote Code Execution without authentication |
| Exploit Prerequisites | Network access, no authentication required |
| Attack Vector | Network (HTTP protocol) |
| Component | Oracle Concurrent Processing BI Publisher Integration |
| PoC Available | Yes (Nuclei detection template by rxerium) |
Organizations running affected Oracle E-Business Suite versions should prioritize patching, as the October 2023 Critical Patch Update serves as a prerequisite for applying these emergency fixes.
Given the critical nature of this vulnerability and the availability of detection methods, security teams should conduct immediate scans of their Oracle E-Business Suite infrastructure to identify potentially vulnerable systems before threat actors can exploit this dangerous flaw.