DIVD-2025-00040 - Oracle E-Business Suite Vulnerabilities

Our reference DIVD-2025-00040
Case lead Hans Meuris
Researcher(s)
CVE(s)
Products
  • Oracle Concurrent Processing product of Oracle E-Business Suite
Versions 12.2.3 - 12.2.14
Recommendation Apply the patches released by Oracle as described in the official advisory. If patching is not possible immediately, restrict access.
Patch status Available
Workaround If patching is not immediately possible, consider disabling limiting access to trusted networks only.
Status Open
Last modified 10 Oct 2025 17:36 CEST

Summary

Oracle has released an advisory addressing a vulnerability in the Oracle Concurrent Processing of Oracle E-Business Suite. (component: BI Publisher Integration) If exploited, this vulnerability could allow attackers to bypass authentication mechanisms or execute arbitrary actions, potentially leading to unauthorized access to internal resources.

The vulnerabilities are identified as:

What you can do

What we are doing

We are scanning for Oracle E-Business Suite instances exposed to the internet that may be vulnerable to these flaws. We will notify affected parties so they can take appropriate action.

Timeline

Date Description
06 Oct 2025 Case started by DIVD researchers.
06 Oct 2025 Oracle published security advisory.
07 Oct 2025 Find vulnerable instances.
08 Oct 2025 Start notifying vulnerable instances.
gantt title DIVD-2025-00040 - Oracle E-Business Suite Vulnerabilities dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2025-00040 - Oracle E-Business Suite Vulnerabilities (still open) :2025-10-06, 2025-11-20 section Events Case started by DIVD researchers. : milestone, 2025-10-06, 0d Oracle published security advisory. : milestone, 2025-10-06, 0d Find vulnerable instances. : milestone, 2025-10-07, 0d Start notifying vulnerable instances. : milestone, 2025-10-08, 0d

More information