CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-61882

CVSS 9.8v3.1pub. 2025-10-05upd. 2025-10-27

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

🤖 AI Analysis
How it works

The vulnerability results from improper identity verification (CWE-287 — Improper Authentication) in the BI Publisher integration component. An attacker with network access to the HTTP interface can bypass authentication mechanisms without possessing any credentials and without user interaction. Low attack complexity (AC:L) and no required privileges (PR:N) make the exploit fully automatable.

Impact

A successful attack leads to complete takeover of Oracle Concurrent Processing, including full breach of confidentiality, integrity and availability of the system, as well as potential ability to trigger denial of service (DoS).

Mitigation & patch

Apply immediately the patch provided by Oracle as part of the July 2025 Critical Patch Update (CPU). Detailed information about available patches can be found at: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html and https://blogs.oracle.com/security/post/apply-july-2025-cpu. Until the patch is applied, it is recommended to restrict network access to the HTTP interface of the BI Publisher Integration component to trusted hosts only.

Who is affected

Oracle E-Business Suite — Oracle Concurrent Processing product (component: BI Publisher Integration) in versions 12.2.3 through 12.2.14 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Oracle Concurrent Processing

    APP
    Oracle
    12.2.3 – 12.2.14

CISA KEV — detailsi

Vendori
Oracle
Producti
E-Business Suite
Added to KEVi
October 6, 2025
Remediation deadline (US Federal)i
October 27, 2025(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 27 października 2025
Tags
Auth BypassDoS
CWE
References

Related vulnerabilities

CVE-2021-2295HIGH8.1ten sam produkt

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher ...

CVE-2024-21089MEDIUM6.5ten sam produkt

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: Request Submi...

CVE-2026-35273CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Pominięcie uwierzytelnienia w Oracle PeopleSoft PeopleTools (RCE/Takeover)

CVE-2025-61757CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Pominięcie uwierzytelnienia w Oracle Identity Manager REST WebServices

CVE-2022-21587CRITICAL9.8⚠ KEVten sam vendor

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component:...