CVE-2025-61882

Published Oct 5, 2025

Last updated 3 months ago

Oracle Concurrent Processing

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-61882 is a vulnerability in the Oracle E-Business Suite, specifically within the Oracle Concurrent Processing component. It can be exploited remotely without authentication, meaning an attacker doesn't need a username or password to exploit it. The vulnerability affects versions 12.2.3 through 12.2.14 of the Oracle E-Business Suite. Successful exploitation of CVE-2025-61882 can lead to remote code execution. Oracle recommends applying the updates provided in the security alert as soon as possible and emphasizes the importance of maintaining actively supported versions and installing all critical security patches promptly. Applying the October 2023 Critical Patch Update is a prerequisite for implementing the fixes.

Description: Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Source: secalert_us@oracle.com
NVD status: Analyzed
Products: concurrent_processing

Insights

Analysis from the Intruder Security Team

Published Oct 14, 2025 Updated Oct 14, 2025

While this vulnerability is significant, Oracle EBS should not be exposed to the internet due to the nature of the service and the sensitivity of the data housed within it.

Oracle have made articles in the past to describe deployments that are internet facing and relying upon Oracle WAF for protection, which is not best practice. This is directly contradicted by the official deployment documentation. The documentation acknowledges that this should not be exposed to the internet, and if it needs to be a bastion host should be used to access the instance (scenario 3).

Disappointingly, the UK's NCSC also mistakenly links to the poor quality article over the deployment documentation.

Our recommendation remains the same, Oracle EBS should not be exposed to the internet. Intruder's scanners report an attack surface risk as an issue if this panel is exposed.

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Oracle E-Business Suite Unspecified Vulnerability
Exploit added on: Oct 6, 2025
Exploit action due: Oct 27, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-287

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:concurrent_processing:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AD6FCD78-CA2D-4594-A5FA-EDD501044E9F",
            "versionEndIncluding": "12.2.14",
            "versionStartIncluding": "12.2.3"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.