CVE-2025-61882
Analyzed
Published: 05 Oct 2025, 04:15
Last modified:07 Oct 2025, 21:00
Vulnerability Summary
Overall Risk
Critical Risk
84/100 CVSS Score
9.8 CRITICAL
v3.1
EPSS Score
76.09% CRITICAL
99%ile 0.00%
CISA KEV
Active
Ransomware
Known Use
Exploits
None found
Dark Web
Not detected
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Source Identifier: secalert_us@oracle.com
| CVSS | Source | Severity | Exploitability | Impact | Vector |
|---|---|---|---|---|---|
| v4.0 | n/a | ||||
| v3.1 | secalert_us@oracle.com | 9.8 CRITICAL | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H... |
| v3.0 | n/a | ||||
| v2.0 | n/a | ||||
76.09%
Current Score
0.00%
99%ile
Percentile Rank
0.00%
Loading chart...
Loading chart...
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-22
Description:The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Vulnerability Name:Oracle E-Business Suite Unspecified Vulnerability
Added to CISA Catalog:06 Oct 2025, 00:00
Action Due:27 Oct 2025, 00:00
Known Ransomware: Ransomware
Required Action:Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
No dark web activity detected for this vulnerability.
No known public exploit code indexed (as of 07 Oct 2025, 21:00).
Exploitation status can change quickly once PoC code appears.
Affected Configurations (CPE)
oracle concurrent_processingVulnerable
Version: *
cpe:2.3:a:oracle:concurrent_processing:*:*:*:*:*:*:*:*
| URL | Tags | Source |
|---|---|---|
| https://blogs.oracle.com/security/post/apply-july-2025-cpu | vendor advisory | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/ | exploitthird party advisory | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| https://www.oracle.com/security-alerts/alert-cve-2025-61882.html | vendor advisory | secalert_us@oracle.com |