CVE-2025-61882

CVE

Critical KEVConfirmedExploit available

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versi…

CVSS

9.8

Critical

EPSS

1.00

p99

Published

2025-01-01

Updated

2025-10-06

Description

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Tags · CWE

KEVPre-auth

CWE-287

CAPEC-22

CAPEC-57

CAPEC-94

CAPEC-114

CAPEC-115

CAPEC-151

CAPEC-194

CAPEC-593

CAPEC-633

CAPEC-650

Affected products

Concurrent_processing 12.2.3–12.2.14

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

2025-01-01

Published

2025-10-06

Added to KEV

2025-10-06

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: H

High (H)

Integrity Impact

I: H

High (H)

Availability Impact

A: H

High (H)

Exploit indicators

EPSS

0.997 · p99

Known exploited (KEV)

Yes

MITRE ATT&CK

Inferred via CAPEC

T1040Network Sniffing

└ via CAPEC-57 · CWE-287

T1134Access Token Manipulation

└ via CAPEC-633 · CWE-287

T1185Browser Session Hijacking

└ via CAPEC-593 · CWE-287

T1505.003Web Shell

└ via CAPEC-650 · CWE-287

T1548Abuse Elevation Control Mechanism

└ via CAPEC-114 · CWE-287

T1550.001Application Access Token

└ via CAPEC-593 · CWE-287

T1557Adversary-in-the-Middle

└ via CAPEC-94 · CWE-287

T1563Remote Service Session Hijacking

└ via CAPEC-593 · CWE-287

Known exploits — Сканер-ВС

CVE-2025-61882

cisa · https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Enterprise

Affected products

Oracle

Concurrent Processing

Product	Vendor	Status
concurrent_processing	*	Exploited

Source databases

CVE

Related vulnerabilities

BDU:2025-12468

External references

https://www.oracle.com/security-alerts/alert-cve-2025-61882.html@https://blogs.oracle.com/security/post/apply-july-2025-cpu@https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61882@https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/