CVE-2025-61882

Warnung

Exploit

EPSS 45.63%
Veröffentlicht 05.10.2025 03:17:01
Zuletzt bearbeitet 07.10.2025 13:40:48
Quelle secalert_us@oracle.com
Teams Watchlist Login
Unerledigt Login

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration).  Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing.  Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Betroffene Produkte Warnungen 2 Metriken 2 CWE 4 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Oracle ≫ Concurrent Processing Version >= 12.2.3 <= 12.2.14

07.10.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Oracle E-Business Suite Unspecified Vulnerability

Schwachstelle

Oracle E-Business Suite contains an unspecified vulnerability in the BI Publisher Integration component. The vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks can result in takeover of Oracle Concurrent Processing.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

06.10.2025: CERT.at Warnung

https://www.cert.at/de/warnungen/2025/10/schwerwiegende-sicherheitslucke-in-oracle-e-business-suite-aktiv-ausgenutzt-updates-verfugbar

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	45.63%	0.975

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert_us@oracle.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

Vendor Advisory

https://blogs.oracle.com/security/post/apply-july-2025-cpu

Vendor Advisory

https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-61882

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-61882

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-61882

EUVD