Fortra is actively researching a remote, unauthenticated vulnerability (CVE-2025-61882) in the BI Publisher Integration component of the Oracle Concurrent Process feature within Oracle E-Business Suite. Successful exploitation could allow an attacker to take over the Oracle Concurrent Process feature.
Who is affected?
According to the vendor, the following Oracle E-Business Suite versions are affected by this vulnerability:
- 12.1.3 through 12.2.14.
What can I do?
Oracle has released patches for this vulnerability. Apply these patches as soon as possible to mitigate the vulnerability.
- For patching instructions and additional guidance, refer to Oracle Knowledge Base article Doc ID 3106344.1.
- Oracle Security Alert (vendor advisory)
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Core Impact: A Core Impact module targets Oracle E-Business Suite by exploiting a Server-Side Request Forgery (SSRF) vulnerability in the UiServlet component through the getUiType parameter of /OA_HTML/configurator/UiServlet.
The attack proceeds in three stages:
- The module sets up a local web server endpoint to serve an XSL file to the target. This file executes system commands to deploy the Core Impact agent.
- It retrieves the necessary CSRF token via the /OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet endpoints.
- Using the SSRF vulnerability combined with a Carriage Return/Line Feed (CRLF) injection, the module smuggles a request to the /OA_HTML/help/../ieshostedsurvey.jsp endpoint. This triggers an HTTP GET request to the local web server endpoint, which delivers the XSL file responsible for agent deployment. The agent runs with the privileges of the Oracle user.

Fortra VM: VM version 4.76.1 adds support for mappings related to unauthenticated network scans.
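The request pattern in the Core Impact stages above can be turned into a simple web-log check. The following is an added example written for this article, not Fortra or Oracle code; it assumes NCSA-style access logs (the sample lines are constructed) and uses only the endpoints and parameter named above.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in NCSA/Apache access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2025:10:01:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512
10.0.0.9 - - [06/Oct/2025:10:01:05 +0000] "GET /OA_HTML/configurator/UiServlet?getUiType=http://203.0.113.7/%0d%0a HTTP/1.1" 200 88
10.0.0.9 - - [06/Oct/2025:10:01:06 +0000] "GET /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1" 200 3010
10.0.0.5 - - [06/Oct/2025:10:02:00 +0000] "POST /OA_HTML/runforms.jsp HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def analyze_request_target(target):
    """Return the indicator names that apply to one request target ([] if none)."""
    reasons = []
    # Check for encoded CR/LF on the fully decoded target: urlsplit() silently
    # strips "\r" and "\n", so a check done after splitting would miss them.
    decoded = unquote(target)
    parts = urlsplit(target)
    raw_path = unquote(parts.path)
    norm_path = posixpath.normpath(raw_path)  # collapses "help/../"
    query = parse_qs(parts.query, keep_blank_values=True)
    if norm_path == "/OA_HTML/configurator/UiServlet" and "getUiType" in query:
        reasons.append("uiservlet_getuitype")  # SSRF entry point named above
    if "\r" in decoded or "\n" in decoded:
        reasons.append("crlf_in_url")  # CRLF injection / request smuggling
    if raw_path != norm_path and norm_path.endswith("/ieshostedsurvey.jsp"):
        reasons.append("traversal_to_ieshostedsurvey")  # smuggled target path
    return reasons


def scan_log(text):
    """Return (line_no, client_ip, target, reasons) for each flagged log line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request_target(m.group("target"))
        if reasons:
            hits.append((line_no, m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The getUiType indicator on its own may match ordinary use of the servlet, so treat it as a triage signal; the CRLF and traversal indicators are the stronger ones, and an outbound HTTP GET from the EBS host to an unfamiliar address shortly afterwards is the corroborating network signal.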
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
- 11/04/2025: Introduced new mappings for unauthenticated network scans, available in VM version 4.76.1.
