Oracle has published a security update to address an unauthenticated remote vulnerability (CVE-2025-61882) affecting Oracle E-Business Suite (EBS). This vulnerability is being actively exploited and may allow remote code execution.
CVE-2025-61882 is a vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle E-Business Suite. An unauthenticated attacker can send specially crafted HTTP requests to the affected component, resulting in full system compromise. No user interaction is required.
The NCSC will continue to monitor for any impact of this vulnerability on UK organisations.
Organisations using Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14 are affected. Organisations that have exposed Oracle EBS to the internet are at greatest risk.
The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. In this case, if you use Oracle EBS, you should take the following priority actions:
- Perform a compromise assessment. IoCs have been published in Oracle’s advisory.
- If you believe you have been compromised, you should contact Oracle PSIRT and, if you are in the UK, also report it to the NCSC.
- Install the latest Oracle E-Business Suite (EBS) update. The October 2023 Critical Patch Update must be installed before this update.
- Perform continuous network monitoring and threat hunting.
- The NCSC recommends having minimal software accessible from the public internet. Where Oracle EBS needs to be exposed to the internet, the appropriate Oracle deployment guidelines should be followed. The NCSC has guidance on Securing network perimeters and a blog post “Products on your perimeter considered harmful (until proven otherwise)”.
The NCSC provides a range of free guidance, services and tools that help to secure systems.
- Follow NCSC guidance including vulnerability management and preventing lateral movement.
- If your organisation is in the UK, you can sign up to the free NCSC Early Warning service to receive notifications of potential threats on your network.
- The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.