Full Report
Discover the top 32 high-risk CVEs identified in October 2025 by Recorded Future’s Insikt Group, including active zero-day exploits, legacy system threats, and CL0P ransomware campaigns targeting Oracle EBS.
Analysis Summary
This summary focuses on the high-risk CVEs identified in October 2025, with a deeper look at the actively exploited Oracle flaw described in the report.
---
# Vulnerability: Oracle EBS Unauthenticated RCE via BI Publisher Chaining Flaw
## CVE Details
- CVE ID: CVE-2025-61882
- CVSS Score: *Not stated in the report for this CVE; it is described as a "critical zero-day" that is being exploited.* (Likely near 9.8 or 10.0, as is typical for pre-authentication RCE)
- CWE: Chain of flaws resulting in RCE (SSRF, CRLF Injection, HTTP Connection Abuse)
## Affected Systems
- Products: Oracle E-Business Suite (EBS)
- Versions: 12.2.3 through 12.2.14 (specifically the Oracle Concurrent Processing component with BI Publisher Integration)
- Configurations: Systems utilizing the Oracle Concurrent Processing/BI Publisher integration component.
## Vulnerability Description
CVE-2025-61882 is a critical pre-authentication Remote Code Execution (RCE) vulnerability. Exploitation chains several flaws in the BI Publisher Integration component, reached through the vulnerable `/OA_HTML/configurator/UiServlet` endpoint:
1. Server-Side Request Forgery (SSRF) via a crafted XML payload;
2. Carriage Return/Line Feed (CRLF) header injection within the SSRF stream to control outgoing headers;
3. abuse of HTTP persistent connections ("keep-alive") to chain the malicious requests.
Successfully chaining these steps lets an unauthenticated remote actor execute arbitrary code, deploy web shells, establish persistence, and exfiltrate data.
## Exploitation
- Status: Exploited in the wild (Actively exploited by the CL0P ransomware group)
- Complexity: Likely low to medium (the chain yields unauthenticated RCE, although the multiple steps involved add some complexity)
- Attack Vector: Network
## Impact
- Confidentiality: High (Enables data exfiltration)
- Integrity: High (Enables arbitrary code execution and web shell deployment)
- Availability: High (Can lead to full system compromise/disruption)
## Remediation
### Patches
- **Patch Availability:** Oracle released an **emergency patch** on October 4, 2025, as part of its Critical Patch Update.
- **Identification:** Customers should apply the specific emergency patch released for CVE-2025-61882.
### Workarounds
- CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which strongly implies that immediate patching is necessary. Compensating controls should be applied if patching is delayed, though the report does not detail any for this specific RCE chain.
## Detection
- **Indicators of Compromise (IOCs):** Look for evidence of the multi-stage Java-based infection chain: `GOLDVEIN.JAVA`, `SAGEGIFT`, `SAGELEAF`, and `SAGEWAVE`.
- **Detection Methods and Tools:** Monitor network traffic for unusual requests directed at the `/OA_HTML/configurator/UiServlet` endpoint containing suspicious XML payloads. Insikt Group® may provide specific Nuclei templates for customers to test for this vulnerability.
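The monitoring described above can be implemented as a small log filter. The following is an added example, not Insikt Group's Nuclei template or any Oracle tooling: it pairs Apache/OHS combined-format access-log lines with request bodies captured by a WAF or reverse proxy (the body-capture layout, the `*.ebs.internal` allow-list, and all sample lines are constructed assumptions) and flags POSTs to the servlet whose XML body carries CRLF sequences or references hosts outside the allow-list.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Endpoint named in the advisory summary.
TARGET_PATH = "/OA_HTML/configurator/UiServlet"

# Apache/OHS combined-log-format prefix; the captured request body travels
# alongside the line as a separate field (a constructed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    reasons: Tuple[str, ...]


def is_internal(host: str) -> bool:
    """Hosts the EBS tier is expected to call back to (assumed allow-list)."""
    return host in {"localhost", "127.0.0.1"} or host.endswith(".ebs.internal")


def inspect(line: str, body: Optional[str]) -> Optional[Finding]:
    """Return a Finding for a suspicious request to the servlet, else None."""
    m = LOG_RE.match(line)
    if not m or m["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    reasons: List[str] = []
    if m["method"] == "POST" and body:
        # CRLF inside the XML body is the signature of header injection into the SSRF stream.
        if "\r\n" in body or re.search(r"%0d%0a", body, re.IGNORECASE):
            reasons.append("crlf-in-xml-body")
        # URLs that point outside the allow-list are the SSRF indicator.
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if not is_internal(host):
                reasons.append(f"external-url:{host}")
    return Finding(m["ip"], m["ts"], tuple(reasons)) if reasons else None


def scan(records: Iterable[Tuple[str, Optional[str]]]) -> List[Finding]:
    """records: (access_log_line, captured_body_or_None) pairs."""
    return [f for f in (inspect(line, body) for line, body in records) if f]


# Constructed sample: a benign page load, a benign internal callback, one suspicious POST.
SAMPLE = [
    ('192.0.2.10 - - [06/Oct/2025:10:01:02 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512',
     None),
    ('192.0.2.11 - - [06/Oct/2025:10:01:05 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 900',
     '<?xml version="1.0"?><req><src>http://bip.ebs.internal/report</src></req>'),
    ('198.51.100.7 - - [06/Oct/2025:10:02:44 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 1200',
     '<?xml version="1.0"?><req><src>http://203.0.113.9/x</src>\r\nX-Injected: 1</req>'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f.ip, f.ts, ",".join(f.reasons))
```

Plain access logs do not record request bodies, so this only works where a WAF, reverse proxy or full packet capture in front of the EBS web tier retains them; without bodies, fall back to alerting on any POST to the servlet from an address that is not an expected client, and treat the presence of the named Java implants on the host as the higher-confidence signal.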
## References
- Vendor Advisory: Oracle Security Alert (October 4, 2025, based on date provided): `oracle.com/security-alerts/alert-cve-2025-61882.html` (Defanged)
- CISA KEV: Added 2025-10-06
---
## Summary of Other High-Risk Findings (October 2025)
The report highlighted **32 high-risk CVEs** in total, an increase from September.
### Key Observations & Trends:
* **Volume:** 32 high-impact vulnerabilities identified, with 26 rated Very Critical.
* **Vendor Dominance:** Microsoft products accounted for 8 of the 32 vulnerabilities.
* **Legacy Risk:** Five of the fourteen RCE vulnerabilities identified were over a decade old, underscoring the risk posed by unretired legacy systems.
* **Common Flaw Types (CWEs):**
1. CWE-287 (Improper Authentication) - Most common.
2. CWE-787 (Out-of-bounds Write).
3. CWE-22 (Path Traversal).
### Other RCE Examples (Affected Products Mentioned):
Fourteen CVEs allowed for Remote Code Execution (RCE). Some examples mentioned include:
* CVE-2025-24893, CVE-2025-6204, CVE-2025-59287, CVE-2025-61932, CVE-2025-54253, CVE-2025-21043.
* Affected vendors for RCEs included: XWiki, Dassault Systèmes, Microsoft, Motex, Apple, Adobe, SKYSEA, Mozilla, GNU, Jenkins, and Samsung.
### Mitigation Strategy Summary:
Defenders must prioritize patching based on **observed exploitation activity** (as with CVE-2025-61882) rather than solely on CVSS severity scores. Continuous asset discovery, especially for legacy systems, and the application of compensating controls where immediate remediation is impossible are critical. Tools like Recorded Future’s Attack Surface Intelligence can help discover vulnerable, internet-facing assets.
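The ranking rule above (observed exploitation before CVSS, weighted by exposed assets) and the affected-version range from the CVE Details section can be combined into a simple triage pass over an asset inventory. This is an added example, not Recorded Future's Attack Surface Intelligence logic: the `Asset`/`Vuln` records, the placeholder `CVE-0000-EXAMPLE-A` with its product and score, and the inventory entries are constructed; only the Oracle EBS 12.2.3 through 12.2.14 range and the exploitation status of CVE-2025-61882 come from the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string -> comparable tuple (12.2.14 > 12.2.3)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: str    # inclusive
    high: str   # inclusive

    def matches(self, product: str, version: str) -> bool:
        return (product == self.product
                and parse_version(self.low) <= parse_version(version) <= parse_version(self.high))


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: Optional[float]          # None when no score has been published
    observed_exploitation: bool    # KEV listing or reported in-the-wild use
    affected: Tuple[AffectedRange, ...]


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool


def exposed_assets(v: Vuln, assets: List[Asset]) -> List[Asset]:
    """Internet-facing assets whose product/version fall inside one of v's affected ranges."""
    return [a for a in assets
            if a.internet_facing and any(r.matches(a.product, a.version) for r in v.affected)]


def rank_key(v: Vuln, assets: List[Asset]) -> Tuple[bool, int, float]:
    # Observed exploitation outranks everything; then how many exposed assets; CVSS last.
    return (v.observed_exploitation, len(exposed_assets(v, assets)), v.cvss or 0.0)


def triage(vulns: List[Vuln], assets: List[Asset]) -> List[Vuln]:
    """Highest-priority vulnerability first."""
    return sorted(vulns, key=lambda v: rank_key(v, assets), reverse=True)


# Range from the advisory summary: Oracle EBS 12.2.3 through 12.2.14.
EBS_RANGE = AffectedRange("Oracle E-Business Suite", "12.2.3", "12.2.14")

# Constructed inventory and a constructed, higher-scored but unexploited placeholder CVE.
VULNS = [
    Vuln("CVE-0000-EXAMPLE-A", 9.8, False, (AffectedRange("Example Product", "1.0", "2.0"),)),
    Vuln("CVE-2025-61882", None, True, (EBS_RANGE,)),
]
ASSETS = [
    Asset("ebs-prod", "Oracle E-Business Suite", "12.2.12", True),
    Asset("ebs-dev", "Oracle E-Business Suite", "12.2.2", True),    # below the affected range
    Asset("ebs-lab", "Oracle E-Business Suite", "12.2.14", False),  # affected but not exposed
    Asset("example-app", "Example Product", "1.5", True),
]

if __name__ == "__main__":
    for v in triage(VULNS, ASSETS):
        names = [a.name for a in exposed_assets(v, ASSETS)]
        print(v.cve, "exploited" if v.observed_exploitation else "not exploited", names)
```

With this ordering the unscored but exploited EBS flaw lands above a CVSS 9.8 issue that nobody is known to be exploiting, which is the point of the report's guidance; the version comparison also shows why continuous inventory matters, since `ebs-lab` is on an affected build but only becomes urgent once it is exposed.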