Oracle has disclosed CVE-2025-61882 (CVSS 9.8), a critical vulnerability affecting Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14. The vulnerability allows unauthenticated remote exploitation, giving attackers access to affected systems and enabling theft of sensitive data.
Oracle has released patches and guidance in response to this vulnerability.
On 5 October 2025, Oracle disclosed CVE-2025-61882, which allows an attacker to exploit internet-facing instances of EBS versions 12.2.3 to 12.2.14. Active exploitation has been observed by the National Cyber Security Centre (NCSC) and by major cyber security vendors such as CrowdStrike.
Given the relative ease with which this vulnerability can be exploited and the level of access it can provide, it has been assigned a CVSS score of 9.8.
This CVE is applicable to internet-facing instances of Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14. Internal systems not accessible via the internet are at lower risk; however, they are at risk of exploitation by any attackers who may have already compromised an organisation’s internal network.
EBS is widely used as an Enterprise Resource Planning (ERP) system. Given the likely amount of internal, sensitive data held in these systems, it is imperative for clients to understand whether their data may be held in vulnerable EBS instances and is therefore at risk of compromise. Furthermore, this vulnerability may allow for remote code execution, creating the possibility that an attacker may be able to perform additional malicious activity, such as moving through a network, and therefore potentially causing wider impact.
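To act on the advisory an organisation first needs to know which of its EBS instances fall inside the affected range and which of those are reachable from the internet. The following is an added example (not code from Risk Ledger, Oracle or the NCSC) that triages a constructed inventory against the 12.2.3 to 12.2.14 range stated above. The inventory entries, hostnames and the "critical"/"high" labels are assumptions made for the example; the one detail worth noting is that EBS versions must be compared numerically, because a plain string comparison ranks "12.2.10" below "12.2.3" and would silently mark affected instances as safe.

```python
"""Triage an inventory of Oracle EBS instances against the CVE-2025-61882
affected range (12.2.3 to 12.2.14, per the Oracle advisory).

Everything below the range constants (inventory format, hostnames and
priority labels) is constructed for this example and is not from the advisory.
"""
from __future__ import annotations

from dataclasses import dataclass

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.2.10' into (12, 2, 10) so that comparison is numeric.

    A string comparison would rank '12.2.10' below '12.2.3' (because '1' < '3')
    and mis-triage instances; tuples of ints compare component by component.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EBS version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    v = parse_version(version)
    # Pad short versions so '12.2' is treated as '12.2.0'; ignore any
    # fourth component so '12.2.14.1' is compared as 12.2.14.
    v = (v + (0, 0, 0))[:3]
    return AFFECTED_MIN <= v <= AFFECTED_MAX


@dataclass(frozen=True)
class EbsInstance:
    host: str             # constructed hostname
    version: str          # EBS release as reported by the instance owner
    internet_facing: bool  # reachable from the internet?


def triage(inventory: list[EbsInstance]) -> dict[str, str]:
    """Map each host to a priority label (labels are an assumption of this example).

    'critical'     : affected version and internet-facing (directly exposed)
    'high'         : affected version but internal only (exposed to an attacker
                     already inside the network, as the advisory notes)
    'not-affected' : version outside the stated range
    """
    result: dict[str, str] = {}
    for inst in inventory:
        if not is_affected(inst.version):
            result[inst.host] = "not-affected"
        elif inst.internet_facing:
            result[inst.host] = "critical"
        else:
            result[inst.host] = "high"
    return result


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    EbsInstance("ebs-prod-01", "12.2.9", internet_facing=True),
    EbsInstance("ebs-hr-02", "12.2.14", internet_facing=False),
    EbsInstance("ebs-fin-03", "12.2.10", internet_facing=True),   # string compare would miss this
    EbsInstance("ebs-dev-04", "12.2.2", internet_facing=True),
    EbsInstance("ebs-legacy-05", "12.1.3", internet_facing=False),
]


if __name__ == "__main__":
    for host, priority in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {priority}")
```

Running the script prints one line per host; the internet-facing 12.2.10 instance comes out as "critical" only because the comparison is numeric. Extending the inventory to read from a CSV export of a CMDB or from supplier questionnaire responses is the obvious next step for a real rollout.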
If you use Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14:
We recommend you take the following steps as described by the NCSC:
If you are a Risk Ledger customer:
You can use the Emerging Threats feature in the Risk Ledger product to monitor all of your suppliers' responses to this threat, including any mitigating actions in progress.
The official Oracle advisory contains up-to-date information and security updates affecting CVE-2025-61882:
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
NCSC Advisory:
https://www.ncsc.gov.uk/news/active-exploitation-vulnerability-affecting-oracle-ebusiness-suite
CrowdStrike report with additional background: