Summary
Oracle has disclosed CVE-2025-61882 (CVSS: 9.8) affecting Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14. The vulnerability can be exploited remotely without authentication, giving an attacker access to the affected system and enabling theft of sensitive data.
Oracle has released patches and guidance in response to this vulnerability.
Threat Description
On 5 October 2025, Oracle disclosed CVE-2025-61882, which enables an attacker to exploit internet-facing instances of EBS versions 12.2.3 to 12.2.14. The National Cyber Security Centre (NCSC) and major cyber security vendors, including CrowdStrike, have observed active exploitation.
Given the relative ease with which this vulnerability can be exploited and the access that can be provided, the vulnerability has been given a CVSS of 9.8.
Applicability
This CVE is applicable to internet-facing instances of Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14. Internal systems not accessible via the internet are at lower risk; however, they are at risk of exploitation by any attackers who may have already compromised an organisation’s internal network.
Relevance to the supply chain
EBS is widely used as an Enterprise Resource Planning (ERP) system. Given the likely amount of internal, sensitive data held in these systems, it is imperative for clients to understand whether their data may be held in vulnerable EBS instances and is therefore at risk of compromise. Furthermore, this vulnerability may allow for remote code execution, creating the possibility that an attacker may be able to perform additional malicious activity, such as moving through a network, and therefore potentially causing wider impact.
What should you do about it
If you use Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14:
We recommend you take the following steps as described by the NCSC:
- Perform a compromise assessment. IoCs have been published in Oracle’s advisory.
- If you believe you have been compromised, you should contact Oracle PSIRT and, if you are in the UK, also report it to the NCSC.
- Install the latest Oracle E-Business Suite (EBS) update. The October 2023 Critical Patch Update must be installed before this update.
- Perform continuous network monitoring and threat hunting.
- NCSC recommends having minimal software directly accessible from the public internet. Where Oracle EBS needs to be exposed to the internet, the appropriate Oracle deployment guidelines should be followed. The NCSC has guidance on Securing network perimeters and a blog post “Products on your perimeter considered harmful (until proven otherwise)”.
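The first two steps above (scoping which instances are in the affected version range and checking an EBS front end's web-server access logs against the published IoCs) can be partly automated. The script below is an added example and is not code from Risk Ledger, Oracle or the NCSC. The indicator values in it are placeholders: substitute the IoCs from Oracle's advisory for CVE-2025-61882. The sample log lines are constructed, the log format assumed is the Apache/Oracle HTTP Server "combined" format, and the version-range check simply compares the reported EBS version against 12.2.3 to 12.2.14 as stated on this page.

```python
"""
Added example (not from the advisory, Oracle or the NCSC): a small
compromise-assessment helper for Oracle EBS front ends.

- is_affected_version(): is a reported EBS version inside 12.2.3 .. 12.2.14?
- scan_log(): match access-log lines against IoC source networks / paths.

All indicator values below are PLACEHOLDERS. Replace them with the IoCs
published in Oracle's advisory; nothing here is a real attacker IP or path.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Placeholder indicators -- substitute the values from Oracle's advisory.
IOC_SOURCE_NETWORKS = [
    "203.0.113.0/24",    # TEST-NET-3 documentation range, placeholder only
    "198.51.100.42/32",  # TEST-NET-2 documentation range, placeholder only
]
IOC_PATH_SUBSTRINGS = [
    "/PLACEHOLDER_IOC_PATH",  # substitute request paths listed in the advisory
]

# Apache / Oracle HTTP Server "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_affected_version(version: str) -> bool:
    """Compare numerically so that 12.2.10 sorts after 12.2.9."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


@dataclass
class Match:
    line_no: int
    source_ip: str
    path: str
    status: int
    reason: str


def parse_line(line: str):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines, networks=IOC_SOURCE_NETWORKS, paths=IOC_PATH_SUBSTRINGS):
    """Return one Match per (line, reason) where an IoC is present."""
    nets = [ip_network(c, strict=False) for c in networks]
    matches = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skipped here; real tooling should count these
        reasons = []
        try:
            if any(ip_address(rec["ip"]) in net for net in nets):
                reasons.append("source IP in IoC list")
        except ValueError:
            pass  # not an IP literal (e.g. proxied hostname); IP check not applicable
        if any(p in rec["path"] for p in paths):
            reasons.append("request path matches IoC")
        for r in reasons:
            matches.append(Match(n, rec["ip"], rec["path"], int(rec["status"]), r))
    return matches


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123',
    '203.0.113.17 - - [06/Oct/2025:09:13:44 +0000] "POST /OA_HTML/PLACEHOLDER_IOC_PATH HTTP/1.1" 200 844',
    '198.51.100.42 - - [06/Oct/2025:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for v in ("12.2.2", "12.2.9", "12.2.14", "12.2.15"):
        print(f"EBS {v}: {'affected' if is_affected_version(v) else 'not in affected range'}")
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.source_ip} {hit.path} {hit.status} -- {hit.reason}")
```

Run it against the real access logs of every internet-facing EBS instance (and, given the applicability note above, internal ones too), feeding the IoCs from Oracle's advisory in place of the placeholders. A match is a trigger for the incident-response steps listed above, not proof of compromise on its own; the converse also holds, since an absence of matches does not clear a host.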
If you are a Risk Ledger customer:
You can use the Emerging Threats feature in the Risk Ledger product to monitor all of your suppliers' responses to this threat, including any mitigating actions in progress.
Where to find more information
The official Oracle advisory contains up-to-date information and security updates affecting CVE-2025-61882:
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
NCSC Advisory:
https://www.ncsc.gov.uk/news/active-exploitation-vulnerability-affecting-oracle-ebusiness-suite
CrowdStrike report with additional background: