The National Cyber Security Centre (NCSC) has issued a critical advisory regarding a zero-day vulnerability in Oracle’s E-Business Suite (EBS), which is actively being exploited.
Designated as CVE-2025-61882, the flaw is embedded within the BI Publisher Integration component of Oracle’s Concurrent Processing. This vulnerability permits unauthenticated remote code execution.
Entities operating EBS versions 12.2.3 through 12.2.14, particularly those with internet exposure, face the most significant risk.
Oracle BI Publisher Vulnerability (CVE-2025-61882)
Oracle’s security notice confirms that attackers can dispatch meticulously crafted HTTP requests to the BI Publisher Integration servlet without prior authentication, potentially leading to full system compromise.
No user interaction is necessary for this exploit. A proof-of-concept HTTP request pattern is illustrated below:
The successful exploitation of this flaw could enable arbitrary command execution under the Oracle EBS application account, which may result in data exfiltration, complete system takeover, or lateral movements within the corporate network.
Indicators of compromise (IoCs) noted in Oracle’s advisory encapsulate anomalous servlet URIs, unexpected child processes spawned by $XBPSRV, and suspicious outbound connections on non-standard ports.
The NCSC is diligently monitoring reports of incidents and has discerned numerous exploitation attempts against organizations in the UK.
Exposed EBS instances on the public internet are primarily targeted, although poorly segmented internal networks are also susceptible to threat actors who may obtain an initial foothold.
| Risk Factors | Details |
| Affected Products | Oracle E-Business Suite (EBS) versions 12.2.3 – 12.2.14; BI Publisher Integration component of Oracle Concurrent Processing |
| Impact | Remote code execution (RCE) |
| Exploit Prerequisites | Network access to the exposed BI Publisher Integration endpoint; no authentication or user interaction required |
| CVSS 3.1 Score | 9.8 (Critical) |
Mitigation
In response to CVE-2025-61882, the NCSC advises UK organizations to implement a multi-layered defense strategy.
It is imperative to apply Oracle’s October 2023 Critical Patch Update, followed by the specific EBS patch addressing CVE-2025-61882. Detailed installation guidelines are provided in Oracle’s advisory.
Utilize the provided IoCs to scrutinize logs, web access records, and process listings for indications of exploitation. Tools such as grep and SIEM rules can assist in identifying:
Minimize public exposure of Oracle EBS components. When internet access is essential, it is critical to establish web application firewalls (WAFs), implement stringent access control lists (ACLs), and adhere to network perimeter guidelines as specified by the NCSC.
Deploy Endpoint Detection and Response (EDR) agents on application servers and conduct behavioral analyses to detect unusual child processes or unusual outbound traffic.
If a compromise is suspected, promptly contact Oracle PSIRT and report to the NCSC through its online portal. Timely notification can facilitate coordinated responses and threat intelligence exchange.
Additional complimentary NCSC resources encompass guidance on vulnerability management, strategies to prevent lateral movement, and the Early Warning service, which provides real-time alerts.
Taking these precautions will bolster the resilience of Oracle E-Business Suite against current and future vulnerabilities.
Source link: Cybersecuritynews.com.
