Alert - AL25-013 – Vulnerability impacting Oracle E-Business Suite - CVE-2025-61882

Number: AL25-013
Date: October 7, 2025

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On October 4, 2025, Oracle released a security alert advisory for Oracle E-Business Suite addressing a critical vulnerability (CVE-2025-61882) that allows unauthenticated remote code execution and affects the following product (Footnote 1):

  • Oracle E-Business Suite – versions 12.2.3 to 12.2.14

The vulnerability is within the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) and has been assigned a CVSS severity rating of 9.8 out of 10 (Footnote 2).

In response to this vulnerability, the Cyber Centre released AV25-640 on October 6, 2025 (Footnote 3). CISA added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog (Footnote 4) on October 6, 2025.

Suggested actions

The Cyber Centre strongly recommends that organizations patch the affected Oracle instances to the vendor-recommended versions (Footnote 1).

You should also review and implement our Top 10 IT Security Actions (Footnote 5) with an emphasis on the following topics:

  • Patching operating systems and applications.
  • Isolating Web-facing applications.

Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

References

Information provided by organizations not subject to the Official Languages Act is in the language(s) provided.