Critical Zero-Auth Flaw in Oracle E-Business Suite

Severity: CRITICAL (CVE-2025-61882)

CVSS 3.1 Score: 9.8

Information

  Oracle E-Business Suite is a suite of integrated business applications that enable organizations to make better decisions, reduce costs, and increase performance. Products provide solutions for customer relationship management, service management, financial management, human capital management, project portfolio management, advanced procurement, supply chain management, value chain planning, and value chain execution. 

Incident

  Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.

  The flaw is within the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) and has a CVSS base score of 9.8, due to its lack of authentication and ease of exploitation.

  The move comes after hackers claiming affiliation with the notorious Cl0p ransomware gang launched a massive extortion campaign targeting enterprise customers, demanding ransoms up to $50 million.

  Organizations running affected versions should prioritize patching immediately, monitor their systems for the published IOCs, and consider temporarily restricting HTTP access to BI Publisher Integration components until patches can be deployed.

Affected Products and Versions

  • Oracle E-Business Suite, versions 12.2.3-12.2.14

Recommendation

  • Apply the Oracle patch immediately. Note that customers must first install the October 2023 Critical Patch Update before they can install the new security updates.
  • Monitor for Indicators of Compromise (IOCs)

The important thing is security systems. We must stay attentive and keep monitoring as usual.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
063 197 7510 (Mr. Yanotai)
065 725 7405 (Ms. Nattharini)

Weekly Interesting CVE

1. CVE-2025-10035
  • Published Date: 18/9/2025
  • Last Update: 27/9/2025
  • Device/Application/OS Target: Fortra GoAnywhere MFT
  • Attack Type: Deserialization
  • CVSS Severity Rating: 10
  • Detail: A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
  • Solution: Update to the latest version
  • Reference: https://app.opencve.io/cve/CVE-2025-10035

2. CVE-2025-59932
  • Published Date: 27/9/2025
  • Last Update: 27/9/2025
  • Device/Application/OS Target: Flag Forge
  • Attack Type: Authentication
  • CVSS Severity Rating: 8.6
  • Detail: Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.1, the /api/resources endpoint previously allowed POST and DELETE requests without proper authentication or authorization. This could have enabled unauthorized users to create, modify, or delete resources on the platform. The issue has been fixed in FlagForge version 2.3.1.
  • Solution: Update to version 2.3.1
  • Reference: https://app.opencve.io/cve/CVE-2025-59932

3. CVE-2025-4331
  • Published Date: 6/5/2025
  • Last Update: 27/9/2025
  • Device/Application/OS Target: SourceCodester Online Student
  • Attack Type: SQL Injection
  • CVSS Severity Rating: 7.3
  • Detail: A vulnerability classified as critical was found in SourceCodester Online Student Clearance System 1.0. This vulnerability affects unknown code of the file /Admin/login.php. The manipulation of the argument id/username/password leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
  • Solution: Update to the latest version
  • Reference: https://app.opencve.io/cve/CVE-2025-4331

4. CVE-2025-53644
  • Published Date: 17/7/2025
  • Last Update: 26/9/2025
  • Device/Application/OS Target: OpenCV
  • Attack Type: Arbitrary Heap Buffer Write
  • CVSS Severity Rating: 9.8
  • Detail: OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap buffer write when reading crafted JPEG images.
  • Solution: Update to version 4.12.0 or latest version
  • Reference: https://www.cvedetails.com/cve/CVE-2025-53644/

5. CVE-2025-27203
  • Published Date: 8/7/2025
  • Last Update: 24/9/2025
  • Device/Application/OS Target: Adobe Connect
  • Attack Type: Arbitrary code execution
  • CVSS Severity Rating: 9.6
  • Detail: Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction and scope is changed.
  • Solution: Update to the latest version
  • Reference: https://www.cvedetails.com/cve/CVE-2025-27203/


Malware News or Campaign IOC/IOA

1. Fake Microsoft Teams installers
  • Detection Date: 27/09/2025
  • Attack Type: Backdoor / C2
  • Description: Hackers are using malicious ads (malvertising) and fake SEO tactics to trick people searching for “download Microsoft Teams” into clicking on a bogus website named teams-install[.]top. Users who download the installer from this site receive a file named MSTeamsSetup.exe. Although it is signed with a legitimate digital certificate, it is infected with malware called Oyster (also known as Broomstick / CleanUpLoader). The malware drops a CaptureService.dll file into the %APPDATA%Roaming folder and creates a Scheduled Task that runs every 11 minutes, allowing the malware to continue running even after a machine is rebooted. Oyster acts as a backdoor, allowing hackers to take control of the machine, steal data, or download other payloads. The primary target is enterprise users, particularly those with high privileges in their IT systems, because an infection could open up a network for hackers. Experts advise downloading programs only from official Microsoft websites and avoiding download links from advertisements or untrusted search results to avoid falling victim to this campaign.
  • Mitigation/Remediation:
    • Download software only from official sources, such as the Microsoft website or the Microsoft Store.
    • Avoid clicking on links from advertisements and verify the URL.
    • Enable antivirus/EDR protection and regularly update your operating system and software.
    • Train your organization's users.

Ref: Fake Microsoft Teams installers push Oyster malware via malvertising
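The persistence described above (CaptureService.dll in the user's roaming AppData folder plus a Scheduled Task repeating every 11 minutes) can be hunted for in exported Task Scheduler XML. The following is an added example, not code from the referenced report; the sample task definitions, their command lines and the two-signal threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DLL_NAME = "captureservice.dll"   # file name given in the report
INTERVAL_MIN = 11                 # repetition interval given in the report

def interval_minutes(iso):
    """Convert an ISO 8601 time duration (PT11M, PT1H5M, PT660S) to minutes."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso.strip())
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(g or 0) for g in m.groups())
    return h * 60 + mi + s / 60

def assess_task(xml_text):
    """Return the reasons a task definition matches the persistence described above."""
    root = ET.fromstring(xml_text)
    reasons = []
    intervals = root.iterfind(".//t:Repetition/t:Interval", NS)
    if any(interval_minutes(n.text or "") == INTERVAL_MIN for n in intervals):
        reasons.append("repeats every 11 minutes")
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = " ".join(exe.findtext(f"t:{tag}", "", NS) or ""
                       for tag in ("Command", "Arguments")).lower()
        if DLL_NAME in cmd:
            reasons.append("action references CaptureService.dll")
        if "\\appdata\\roaming\\" in cmd or "%appdata%" in cmd:
            reasons.append("action runs from AppData\\Roaming")
    return reasons

def hunt(tasks):
    """Map task name -> reasons, keeping tasks that match on two or more signals."""
    hits = {name: assess_task(xml) for name, xml in tasks.items()}
    return {name: r for name, r in hits.items() if len(r) >= 2}

# Constructed sample exports (not real captures); command lines are assumptions.
SUSPECT = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT11M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>rundll32.exe</Command>
    <Arguments>C:\Users\alice\AppData\Roaming\CaptureService.dll,Entry</Arguments></Exec></Actions>
</Task>"""
BENIGN = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, why in hunt({"UpdaterTask": SUSPECT, "VendorUpdate": BENIGN}).items():
        print(name, "->", "; ".join(why))
```

Task definitions exported from a live host are usually UTF-16 files; parse those with `ET.parse(path)` so the encoding declaration is honoured.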

 

 

07 October 2025
