CVE-2025-61882
Published: 05 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-61882 is a critical vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite, specifically in its BI Publisher Integration component. Supported versions 12.2.3 through 12.2.14 are affected. It is classified under CWE-287 (Improper Authentication) and carries a CVSS 3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impact. The vulnerability was published on 2025-10-05.
An unauthenticated attacker with HTTP network access can exploit this vulnerability with low complexity to compromise Oracle Concurrent Processing, potentially taking over the component entirely. No privileges, user interaction, or special preconditions are required, which is what makes it so readily exploitable over the network.
Oracle advisories, including the security alert at https://www.oracle.com/security-alerts/alert-cve-2025-61882.html and a blog post urging application of the July 2025 Critical Patch Update at https://blogs.oracle.com/security/post/apply-july-2025-cpu, detail patches and mitigation steps for affected systems.
This vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61882), signaling real-world exploitation. CrowdStrike has documented a campaign targeting Oracle E-Business Suite via this zero-day (https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/).
Details
- CWE(s): CWE-287 (Improper Authentication)
- KEV Date Added: 06 October 2025
Affected Products
- Oracle E-Business Suite, Oracle Concurrent Processing (BI Publisher Integration), versions 12.2.3 through 12.2.14
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
The vulnerability allows unauthenticated remote exploitation over HTTP of a public-facing Oracle E-Business Suite component, which maps directly to T1190: Exploit Public-Facing Application.