CVE-2025-61882

CriticalCISA KEVActive ExploitationRansomware-linked

Published: 05 October 2025

Published

05 October 2025

Modified

27 October 2025

KEV Added

06 October 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.8938 99.6th percentile

Risk Priority 93 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-61882 is a critical-severity Improper Authentication (CWE-287) vulnerability in Oracle Concurrent Processing. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-4 (System Monitoring).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely flaw remediation through application of Oracle's July 2025 Critical Patch Update patches for affected versions 12.2.3-12.2.14.

SC-7 Boundary Protection partial match

prevent

Enforces boundary protection to restrict unauthenticated network access via HTTP to the vulnerable BI Publisher Integration component, reducing remote exploitation risk.

SI-4 System Monitoring good match

detect

Enables monitoring of system and network activity to identify exploitation attempts or compromises of Oracle Concurrent Processing due to this critical unauthenticated vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation over HTTP of a public-facing Oracle E-Business Suite component, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks…

of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Deeper analysisAI

CVE-2025-61882 is a critical vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite, specifically affecting the BI Publisher Integration component. Supported versions impacted include 12.2.3 through 12.2.14. Classified under CWE-287, it carries a CVSS 3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts. The vulnerability was published on 2025-10-05.

An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle Concurrent Processing, potentially resulting in a full takeover of the component. No special privileges, user interaction, or complex preconditions are required, making it highly accessible over the network.

Oracle advisories, including the security alert at https://www.oracle.com/security-alerts/alert-cve-2025-61882.html and a blog post urging application of the July 2025 Critical Patch Update at https://blogs.oracle.com/security/post/apply-july-2025-cpu, detail patches and mitigation steps for affected systems.

This vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61882), signaling real-world exploitation. CrowdStrike has documented a campaign targeting Oracle E-Business Suite via this zero-day (https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/).

Details

CWE(s): CWE-287
KEV Date Added: 06 October 2025

Affected Products

oracle

concurrent processing

12.2.3 — 12.2.14

CVEs Like This One

CVE-2025-61884Same vendor: Oracleboth on KEV

CVE-2025-61757Same vendor: Oracleboth on KEV

CVE-2024-53704Shared CWE-287both on KEV

CVE-2026-20127Shared CWE-287both on KEV

CVE-2025-49706Shared CWE-287both on KEV

CVE-2025-50105Same vendor: Oracle

CVE-2025-30743Same vendor: Oracle

CVE-2026-34287Same vendor: Oracle

CVE-2025-21535Same vendor: Oracle

CVE-2026-21962Same vendor: Oracle

References

https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
Vendor Advisory · secalert_us@oracle.com
https://blogs.oracle.com/security/post/apply-july-2025-cpu
Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61882
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
Press/Media Coverage · 134c704f-9b21-4f2e-91b3-4a467353bcc0