Emergency Fix

CVE-2025-61882

Remote Code Execution in Oracle E-Business Suite

Summary

Oracle E-Business Suite's Concurrent Processing / BI Publisher Integration is vulnerable to an unauthenticated remote code execution chain reachable through exposed web endpoints. Oracle, CrowdStrike, and Google/Mandiant report that attackers can combine authentication bypass, request smuggling/SSRF-style requests, and malicious XSLT template processing to reach arbitrary code execution. In-the-wild exploitation has been tied to extortion activity and data theft against internet-exposed EBS systems.

Why Emergency Fix? (score: 6/6)

  • No authentication required
  • Mixed internet / internal deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: RCE (Remote Code Execution)
Is exploitable with default configuration? Yes
Is authentication needed? No
PoC / Exploit: Yes
Impact: Execute arbitrary commands as the Oracle EBS application user and establish persistence or steal data.
Exploitation Requirements: None — vulnerable in default configuration

Exploitation Process

An attacker sends crafted HTTP requests to Oracle EBS web endpoints, starting with POSTs to /OA_HTML/SyncServlet to reach an authentication-bypass path. They then use /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload or reference a malicious XSLT template; previewing or processing that template makes the BI Publisher engine run attacker-controlled code. Successful exploitation is typically followed by outbound connections from the Java web server process, a reverse shell, or a web shell on the application tier.

Affected Software

Vendor: Oracle

Product                   Affected Versions
Oracle E-Business Suite   12.2.3 through 12.2.14
Description

Enterprise software suite for finance, HR, procurement, supply chain, and other back-office operations. The vulnerable area is Concurrent Processing with BI Publisher Integration, which generates reports and manages templates.

Deployment: Mixed (internet/internal) | Protocol: HTTP | Ports: 80, 443, 8000

Affected Component: Concurrent Processing's BI Publisher Integration, including template upload, preview, and XSLT/template-processing flows exposed through EBS web endpoints.

Affected Endpoints (5)

1. /OA_HTML/SyncServlet
2. /OA_HTML/RF.jsp
3. /OA_HTML/OA.jsp
4. /OA_HTML/configurator/UiServlet
5. /OA_HTML/help/../ieshostedsurvey.jsp
Vendor Size: Big
Remediation

Workaround
Temporarily remove internet exposure from EBS services and place the application behind a WAF until patching is complete; this may disrupt external access and integrations. (Source: www.crowdstrike.com)

Patch
Not available

Update
Apply Oracle's emergency Security Alert for Oracle E-Business Suite 12.2.3-12.2.14. Oracle notes that the October 2023 Critical Patch Update is a prerequisite for applying this fix. (Source: www.oracle.com)
Threat Intelligence

EPSS Score: 89.4% (probability of exploitation in the next 30 days)
EPSS Percentile: 100% (worse than 100% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active (Source: cloud.google.com)

Threat Actors (2)

GRACEFUL SPIDER
CrowdStrike-tracked cluster likely involved in Oracle EBS mass exploitation and data exfiltration.

CL0P / CL0P extortion brand
Campaign used to claim Oracle EBS data theft and extort victims.

Detection Rules (3)

  • Java process launches `bash -c` with host-enumeration commands such as `cat /etc/fstab`, `cat /etc/hosts`, `df -h`, `ip addr`, or `cat /proc/net/arp`.
  • Java process makes outbound TCP connections to non-RFC1918 addresses on port 443 after template preview or servlet abuse.
  • HTTP exploitation pattern: POST to `/OA_HTML/SyncServlet`, then GET/POST to `/OA_HTML/RF.jsp` or `/OA_HTML/OA.jsp`, often with `return_url` CRLF payloads and malicious XSL/XSLT template preview.
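The third rule is a sequence, not a single signature, so it is best checked by correlating access-log entries per client. The following is an added example (not from the page or from any vendor) that parses Apache/Oracle HTTP Server combined-format lines, flags a client whose POST to /OA_HTML/SyncServlet is followed within a time window by a request to RF.jsp or OA.jsp, and notes whether the follow-up carried an encoded CRLF in its query string. The log lines are constructed samples; the window length and field layout are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic (not real captures). The first client shows the
# SyncServlet -> RF.jsp sequence with an encoded CRLF; the second hits the
# endpoints in the wrong order and should not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2025:10:01:02 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [06/Oct/2025:10:01:05 +0000] "GET /OA_HTML/RF.jsp?return_url=%2Fx%0d%0aconstructed HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [06/Oct/2025:10:03:00 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/toolbox/webui/HelloWorldPG HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2025:10:03:30 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
CRLF_RE = re.compile(r'%0d%0a', re.IGNORECASE)   # URL-encoded CR LF
FOLLOWUP = ("/OA_HTML/RF.jsp", "/OA_HTML/OA.jsp")

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}

def find_chains(log_text, window_s=600):
    """Flag clients whose POST to SyncServlet is followed, within window_s
    seconds, by a request to RF.jsp or OA.jsp (the page's third rule)."""
    by_ip = defaultdict(list)
    for e in (parse(l) for l in log_text.splitlines()):
        if e:
            by_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["method"] != "POST" or not e["path"].startswith("/OA_HTML/SyncServlet"):
                continue
            for f in evs[i + 1:]:                       # only requests after the POST
                if (f["ts"] - e["ts"]).total_seconds() > window_s:
                    break
                if f["path"].split("?", 1)[0] in FOLLOWUP:
                    hits.append({"ip": ip, "path": f["path"],
                                 "crlf": bool(CRLF_RE.search(f["path"]))})
                    break
    return hits

if __name__ == "__main__":
    for h in find_chains(SAMPLE_LOG):
        print(f"{h['ip']}: SyncServlet then {h['path']} (CRLF in query: {h['crlf']})")
```

A hit is a lead for triage, not proof of compromise; pair it with the process-level rules above (Java spawning `bash -c`, unexpected outbound 443 from the Java process) before escalating.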

NVD Data

Description Summary

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS Base Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-287 Improper Authentication
Version From: 12.2.3 | Version Upto: 12.2.14

Affected Software (CPE) (1)

  • cpe:2.3:a:oracle:concurrent_processing:*:*:*:*:*:*:*:*