CVE-2025-61882
CVE-2025-61882 is a critical-severity vulnerability in Oracle Concurrent Processing with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-10-06). The underlying weakness is classified as CWE-287.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-10-06)
- EU (EUVD) id: EUVD-2025-32142
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-10-06)
- Weakness: CWE-287
- Affected product: Oracle Concurrent Processing
- Published:
- Last modified:
Description
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2025-61882: Oracle Concurrent Processing Authentication Bypass in BI Publisher Integration
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2025-61882 |
| Published | 2025-10-05 |
| Severity (CVSS 3.1) | 9.8 Critical — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-287: Improper Authentication |
| EPSS | 0.99722 (99.95th percentile) |
| KEV | Yes — added 2025-10-06 |
| EU Exploited | Yes — since 2025-10-06 |
| Assigner | [email protected] |
Summary
CVE-2025-61882 is a critical authentication bypass vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite, specifically within the BI Publisher Integration component. It enables an unauthenticated remote attacker to compromise Oracle Concurrent Processing over HTTP with low complexity and no user interaction. Successful exploitation can result in a complete takeover of the affected instance.
Background
Oracle E-Business Suite (EBS) is a widely deployed enterprise resource planning (ERP) platform used by large organizations for financials, supply chain, manufacturing, and human resources. The Concurrent Processing subsystem handles background job scheduling and execution, while the BI Publisher Integration component enables report generation and distribution. The integration surface between these two components exposes HTTP-accessible endpoints that, due to the flaw described in this advisory, fail to enforce proper authentication.
Given Oracle EBS's prevalence in government, healthcare, and Fortune 500 environments, this vulnerability has a broad and high-value attack surface.
Root Cause
The vulnerability is classified under CWE-287: Improper Authentication. The BI Publisher Integration endpoints within Oracle Concurrent Processing fail to adequately verify the identity of incoming HTTP requests. This omission allows an attacker to interact with administrative or job-management functionality without presenting valid credentials. The root cause is likely a missing or misconfigured authentication check on one or more integration servlets or REST endpoints that bridge BI Publisher report requests into the Concurrent Processing manager.
Impact
The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a Base Score of 9.8 (Critical) and maps directly to the following impacts:
| Metric | Value | Impact |
|---|---|---|
| Attack Vector | Network | Exploitable from anywhere on the internet |
| Attack Complexity | Low | No special conditions or race conditions required |
| Privileges Required | None | Fully unauthenticated |
| User Interaction | None | No phishing or social engineering needed |
| Scope | Unchanged | Impact limited to the vulnerable component |
| Confidentiality | High | Full data exposure from Concurrent Processing |
| Integrity | High | Data and job definitions can be altered |
| Availability | High | Service disruption or complete shutdown possible |
In practical terms, an attacker who exploits this flaw can achieve a full takeover of Oracle Concurrent Processing, with downstream risks to the integrity of ERP batch jobs, financial reports, and data processed through the BI Publisher pipeline.
Exploitation Walkthrough
Ethics and legal notice: The information below is provided for defensive purposes only — to help security teams understand attacker behavior and improve detection. Do not attempt to exploit systems you do not own or have explicit permission to test.
- Reconnaissance — Identify publicly reachable Oracle EBS instances (e.g., via HTTP banners, SSL certificates, or known URL paths).
- Endpoint enumeration — The vulnerable BI Publisher Integration endpoints are accessible over HTTP/HTTPS without authentication.
- Authentication bypass — An attacker crafts an HTTP request to the affected endpoint, omitting or supplying arbitrary credentials. The integration layer accepts the request because the authentication check is either absent or improperly enforced.
- Post-exploitation — With access to Concurrent Processing, the attacker may submit arbitrary jobs, exfiltrate report data, modify existing job definitions, or disrupt the processing queue.
No working exploit code is provided here. Defenders should focus on patching, network segmentation, and behavioral detection rather than attempting to reproduce the attack.
Affected and Patched Versions
| Status | Version Range |
|---|---|
| Affected | Oracle E-Business Suite 12.2.3 through 12.2.14 |
| Patched | Apply Oracle's July 2025 Critical Patch Update (CPU) or later vendor-supplied patch |
Specific patch numbers and file versions were not available in the source data at the time of this advisory. Organizations should consult Oracle's official CPU documentation for the exact patch set applicable to their environment.
Remediation
- Apply the patch — Install Oracle's July 2025 Critical Patch Update (CPU) as soon as change-control windows allow. This is the only definitive fix.
- Network segmentation — Restrict Oracle EBS and Concurrent Processing interfaces to trusted administrative networks. Do not expose these endpoints to the public internet.
- Reverse proxy / WAF — Place a Web Application Firewall (WAF) or reverse proxy in front of Oracle EBS endpoints with strict allow-listing rules for BI Publisher Integration paths.
- Credential rotation — If exploitation is suspected, rotate all service-account credentials and Oracle EBS user passwords, as a full takeover may have exposed stored secrets.
- Audit job queues — Review recently submitted concurrent requests and BI Publisher report schedules for unauthorized or anomalous entries.
Detection
Security teams should monitor for the following indicators:
- Unauthenticated HTTP requests to BI Publisher Integration URLs under the Concurrent Processing context (look for requests without valid session cookies or Basic Auth headers).
- Anomalous concurrent requests — sudden spikes in job submissions, especially outside business hours or from unexpected source IPs.
- Unexpected report output — BI Publisher reports generated or downloaded by unknown users or service accounts.
- Network flow anomalies — outbound connections from the Oracle EBS application tier to unexpected destinations, which may indicate post-exploitation data exfiltration.
Where possible, enable detailed HTTP access logging on the Oracle HTTP Server (OHS) or load-balancer fronting the EBS tier, and forward these logs to a SIEM for correlation.
Assessment
With an EPSS score of 0.99722 (99.95th percentile) and confirmed inclusion in both the CISA KEV catalog and the EU Exploited Vulnerabilities Database as of 2025-10-06, this vulnerability is not merely theoretical — it is being actively and widely exploited. The combination of unauthenticated network access, low attack complexity, and high impact makes this one of the most severe Oracle EBS flaws in recent memory.
Key takeaways:
- Patching timelines for ERP systems are historically slow; the active-exploitation status means "next maintenance window" may be too late.
- The 9.8 CVSS score and KEV listing together should trigger an emergency change process rather than a standard patch cycle.
- Organizations running Oracle EBS should treat this as a compromise assessment trigger if the vulnerable versions were internet-facing at any point after 2025-10-05.
References
- https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- https://blogs.oracle.com/security/post/apply-july-2025-cpu
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61882
- https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
Frequently asked questions
- What is CVE-2025-61882?
- Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- How severe is CVE-2025-61882?
- CVE-2025-61882 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-61882 being actively exploited?
- Yes. CVE-2025-61882 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-10-06, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-61882?
- CVE-2025-61882 affects Oracle Concurrent Processing. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-61882?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-61882 have an EU (EUVD) identifier?
- Yes. CVE-2025-61882 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-32142. It is also flagged as exploited in the EUVD (since 2025-10-06).
- When was CVE-2025-61882 published?
- CVE-2025-61882 was published on 2025-10-05 and last updated on 2026-06-17.
References
- https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- https://blogs.oracle.com/security/post/apply-july-2025-cpu
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61882
- https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
Affected products (1)
- cpe:2.3:a:oracle:concurrent_processing:*:*:*:*:*:*:*:*
More vulnerabilities in Oracle Concurrent Processing
- CVE-2021-2295 — High (CVSS 8.1): Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher…
- CVE-2024-21089 — Medium (CVSS 6.5): Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: Request Submission and…
All CVEs affecting Oracle Concurrent Processing →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →