CVE-2025-61882

CVSS 9.8 CRITICAL | EPSS 99.7% | KEV | CWE-287

In short

An unauthenticated attacker can remotely exploit Oracle Concurrent Processing through HTTP to gain complete control of the system. This is a critical flaw in versions 12.2.3-12.2.14 that requires no special conditions or user interaction to exploit.

Technical detail

An improper authentication flaw (CWE-287) in the BI Publisher Integration component of Oracle E-Business Suite's Concurrent Processing product can be exploited over HTTP by an unauthenticated remote attacker with low attack complexity. Successful exploitation results in complete system compromise, with high confidentiality, integrity, and availability impact (CVSS 9.8).

Summary generated and translated by AI from the official description.
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).