logo svg
logo

October 6, 2025

Oracle issues urgent patch for CVE-2025-61882 vulnerability

CVE-2025-61882 is a critical pre-auth RCE in Oracle E-Business Suite exploited in extortion and data theft. Learn the impact, patches, detection steps, and a 24-hour response plan.

Mohammed Khalil

Mohammed Khalil

Featured Image

Oracle released an out-of-band security alert for CVE-2025-61882 in E-Business Suite (EBS) 12.2.3 through 12.2.14, confirming a pre-authentication RCE over HTTP that attackers have exploited in the wild. Multiple investigations link the exploitation to Cl0p-style extortion, with mass email campaigns claiming theft of EBS data. This guide explains the vulnerability, the current threat activity, exactly what to patch, how to triage for compromise, and a step-by-step plan you can execute in the next 24 hours.

TL,DR for Busy Leaders

What is CVE-2025-61882

It's a vulnerability in Oracle Concurrent Processing within E-Business Suite, BI Publisher integration, enabling an unauthenticated attacker with network access via HTTP to execute code and take over the component. Oracle scored it CVSS 9.8. Supported affected versions are 12.2.3 to 12.2.14. Oracle notes that if HTTP is listed, secure variants like HTTPS are implicitly impacted. Oracle

Why it is severe:

Affected products: Oracle E-Business Suite 12.2.3 through 12.2.14

Current Threat Landscape, What is Actually Happening

Patching and Hardening, Exactly What to Do

1) Verify prerequisites
Oracle states that the October 2023 Critical Patch Update must be installed before applying the new Security Alert patch for CVE-2025-61882. Confirm CPU level on each EBS instance.

2) Apply the out-of-band patch
Use the Patch Availability Document for your exact EBS version 12.2.3 to 12.2.14. Apply immediately on internet-exposed instances, then on internal instances.

3) Reduce exposure

4) Confirm secure variant coverage
Oracle clarifies that if HTTP is listed, HTTPS is implicitly affected. Do not assume TLS protects you from exploitation.

Detection and Hunting, High-Signal Checks

Oracle and agencies shared IOCs. Focus on ingress from the following IPs, suspicious command invocations, and files with known hashes:

Where to look first

Telemetry tips

If you find any suspicious indicator, treat the host as compromised. Isolate, acquire evidence, and proceed with IR.

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs)

FAQs (Frequently Asked Questions)

What is CVE-2025-61882
A pre-auth RCE in Oracle EBS Concurrent Processing, BI Publisher integration, affecting 12.2.3 to 12.2.14.

Is it actively exploited
Yes. Multiple alerts and reports indicate exploitation and public PoC.

Do I need October 2023 CPU
Yes, Oracle states this prerequisite explicitly for applying the fix.

Does HTTPS protect me
No. Oracle’s risk matrix implies secure variants are also impacted. Patch and restrict exposure.

Which IOCs should I hunt
Specific IPs, a reverse shell command pattern, and file hashes linked to exploit artifacts.

Who is behind the attacks
Extortion activity aligns with Cl0p-style tactics. Some reports mention overlap with FIN11 infrastructure.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us