DIVD-2025-00040 - Oracle E-Business Suite Vulnerabilities
| Our reference | DIVD-2025-00040 | 
| Case lead | Hans Meuris | 
| Researcher(s) | |
| CVE(s) | |
| Products | |
| Versions | 12.2.3 - 12.2.14 | 
| Recommendation | Apply the patches released by Oracle as described in the official advisory. If patching is not possible immediately, restrict access. | 
| Patch status | Available | 
| Workaround | If patching is not immediately possible, consider limiting access to trusted networks only. | 
| Status | Open | 
| Last modified | 10 Oct 2025 17:36 CEST | 
Summary
Oracle has released an advisory addressing a vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). If exploited, this vulnerability could allow attackers to bypass authentication mechanisms or execute arbitrary actions, potentially leading to unauthorized access to internal resources.
The vulnerabilities are identified as:
- CVE-2025-61882 – Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher)
What you can do
- Update immediately: Follow Oracle’s instructions.
- Mitigate risk: If patching cannot be done right away, restrict access to affected instances to trusted networks only.
- Monitor your systems: Watch for unusual login attempts, session hijacking indicators, or performance degradation that may point to exploitation.
- Review logs: Inspect logs for signs of abuse or suspicious activity.
What we are doing
We are scanning for Oracle E-Business Suite instances exposed to the internet that may be vulnerable to these flaws. We will notify affected parties so they can take appropriate action.
Timeline
| Date | Description | 
|---|---|
| 06 Oct 2025 | Case started by DIVD researchers. | 
| 06 Oct 2025 | Oracle published security advisory. | 
| 07 Oct 2025 | Find vulnerable instances. | 
| 08 Oct 2025 | Start notifying vulnerable instances. | 