
Emergent Threat Advisory - Oracle E-Business Suite (EBS): What BreachRisk customers need to know

  • Writer: Miguel Diaz

Oracle has issued a Security Alert Advisory addressing a vulnerability in Oracle E-Business Suite (CVE-2025-61882). This vulnerability can give an attacker the ability to engage in a wide range of activities and possibly progress further into other parts of a network. The attack is easy to conduct, and affected companies could be open to imminent compromise by attackers. BreachBits has declared this to be an Emergent Threat (BBET-25OCT-01) and is initiating priority detection indications to BreachRisk customers.


This is a developing situation. Some information in this article may rely on speculative sources outside of BreachBits. This article may be updated as more information becomes available, and some information may change.


Background

Oracle has issued a Security Alert Advisory addressing a vulnerability in Oracle E-Business Suite versions 12.2.3 - 12.2.14. A patch is available from Oracle, and Oracle recommends customers apply the update as soon as possible.


This vulnerability has been exploited by actual attackers before a patch was released (i.e. this is a zero-day flaw). The method to exploit the vulnerability is known to attackers. Some reports indicate that this exploit was being used by advanced threat actors 2 months ago on August 9th. It appears the patch from Oracle was not released until October 4, 2025. This CVE is in CISA's Known Exploited Vulnerabilities Catalog, an authoritative source cataloging vulnerabilities that have actually been exploited by hackers.


Background information may become available as the situation develops.


BreachBits has analyzed this threat. At the time of publication, this threat can be detected by BreachRisk™ services. Customers are being notified of new detection capabilities. Threat verification and testing engineering is under review.

Impact and Likelihood


CVE-2025-61882: Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). According to the National Vulnerability Database, a successful attack has a high impact on confidentiality, integrity, and availability. For attackers, the complexity of the attack is low, with no privileges or user interaction required, meaning that the likelihood of attack success is high.


Affected Applications

Oracle reports that Oracle E-Business Suite, versions 12.2.3-12.2.14 are affected.


What we are doing

BreachBits has declared an Emergent Threat and issued serial number BBET-25OCT-01 and is notifying customers to support detection, verification, and testing efforts. BreachBits has analyzed this threat and this threat can be detected by BreachRisk™ services. We are still determining if the threat can be verified and tested. Our team will continue to monitor this issue and will notify customers if the situation changes.


What You Should Do

Patches for the vulnerabilities are now available. Refer to https://www.oracle.com/security-alerts/alert-cve-2025-61882.html


Consider taking the following actions, especially if you are not a BreachRisk™ customer:

  1. Identify if the threat is present on your systems.

  2. Pinpoint where you are affected.

  3. Consider how your business would be impacted if the affected element were to be shut down, breached, or taken over by an attacker.

  4. Determine if this risk is significant enough to divert resources from other efforts, and make a decision to attempt a fix or not.

  5. If you attempt to fix, follow up to verify the fix was applied. You may need to repeat this cycle as more information emerges.

Now that the vulnerability is public, be on the lookout for further guidance from software developers and security firms.


If you are a BreachRisk™ Subscriber

If you are a BreachRisk™ for Business customer, we are already examining your external attack surface. If you are a BreachRisk™ for Service Providers, BreachRisk™ Portfolio TPRM, or BreachRisk™ for Insurance customer, we are already examining the attack surface of companies with monitoring or autonomous testing enabled.


You should also do the following to enhance performance during this Emergent Threat:

  1. Check your email over the next approximately 48-72 hours for a summary of whether we believe you are affected or not.

  2. BreachRisk™ for Business customers

    1. Provide any IT infrastructure that we haven't already discovered via the Verifications or Scope function. This will allow us to identify more of the attack pathways that are accessible from the internet.

    2. Enable Penetration Testing if you have a Pro or Premium subscription. This will allow us to test any attack pathways we identify to see if an attacker can achieve a breach.

    3. Since we are inspecting your external attack surface, you should have your security team search your internal/compartmentalized systems if applicable, which we may not be able to see.

  3. BreachRisk™ for Service Providers customers

    1. Provide any IT infrastructure that we haven't already discovered via the Scope function. This will allow us to identify more of the attack pathways that are accessible from the internet.

    2. Consider adding tenants to Essentials level at a minimum. This will allow us to ensure they are included in our Emergent Threat scanning. You can later decide if affected clients should be placed on Advanced to allow us to test the threat to eliminate all false positives.

    3. Since we are inspecting your external attack surface, you should have your team search your internal/compartmentalized systems if applicable, which we may not be able to see.

  4. BreachRisk™ for Insurance, cyber insurance brokers and carrier customers

    1. Ensure your policyholders and clients are placed in the Pre-Claim Intervention group (i.e. "My Book" or "My Clients"). This will allow us to prioritize scanning of applicable entities.

    2. For The Cyber Questionnaire Validator subscribers, also place appropriate applicants in the "My Applications" group, as these are prioritized after on-book risks.

    3. Monitor your portfolio for a sharp change in their BreachRisk™ Score, which may indicate an affected company.

    4. For brokers: consider helping your client look for this vulnerability and related issues during your insurability assessment.

    5. For underwriters: consider instructing your team to ask applicants if they use technologies related to this threat.

    6. For claims managers: as we provide you with reports on where your book is affected, begin preparing notifications to your stakeholders.

  5. BreachRisk™ Portfolio customers

    1. Ensure any critical third parties are added to your portfolio. This will allow us to ensure they are included in our Emergent Threat scanning.

    2. Monitor your portfolio for a sharp change in their BreachRisk™ Score, which may indicate an affected company.

    3. If you have subsidiaries or are a member of a co-op scheme: consider establishing a data sharing connection within your portfolio to allow security personnel to coordinate with each other. (Attackers have a harder time when defenders coordinate.)

  6. If you need any assistance or have questions, contact us at support@breachbits.com.


What Happens Next

We will determine if we can verify and test this threat. We will continue to monitor this issue and update this web log if the situation changes.


Further Reading and What We're Reading


Update Log

  • 08 Oct 2025, initial publish


