Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability results from improper identity verification (CWE-287 — Improper Authentication) in the BI Publisher integration component. An attacker with network access to the HTTP interface can bypass authentication mechanisms without possessing any credentials and without user interaction. Low attack complexity (AC:L) and no required privileges (PR:N) make the exploit fully automatable.
A successful attack leads to complete takeover of Oracle Concurrent Processing, including full breach of confidentiality, integrity and availability of the system, as well as potential ability to trigger denial of service (DoS).
Apply immediately the patch provided by Oracle as part of the July 2025 Critical Patch Update (CPU). Detailed information about available patches can be found at: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html and https://blogs.oracle.com/security/post/apply-july-2025-cpu. Until the patch is applied, it is recommended to restrict network access to the HTTP interface of the BI Publisher Integration component to trusted hosts only.
Oracle E-Business Suite — Oracle Concurrent Processing product (component: BI Publisher Integration) in versions 12.2.3 through 12.2.14 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOracle Concurrent Processing
APPOracle12.2.3 – 12.2.14
CISA KEV — detailsi
- Vendori
- Oracle ↗
- Producti
- E-Business Suite
- Added to KEVi
- October 6, 2025
- Remediation deadline (US Federal)i
- October 27, 2025(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing.
Related vulnerabilities
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher ...
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: Request Submi...
Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)
Pominięcie uwierzytelnienia w Oracle Identity Manager REST WebServices
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component:...