The UK’s National Cyber Security Centre has issued an urgent alert to organisations following reports of active exploitation of a severe vulnerability affecting Oracle E-Business Suite.
The flaw is rated critical and allows unauthenticated remote code execution, meaning attackers can take full control of vulnerable systems without requiring any user interaction. Oracle confirmed the issue resides in the BI Publisher Integration component of the Concurrent Processing module within EBS.
Oracle has released a security patch to address the vulnerability, which affects EBS versions 12.2.3 to 12.2.14. Attackers are reportedly targeting unpatched systems by sending specially crafted HTTP requests to the vulnerable component, potentially leading to a full system compromise.
The NCSC has urged organisations to take immediate action, warning that systems exposed to the public internet are particularly at risk. The agency continues to monitor for evidence of compromise within UK networks.
Any organisation running Oracle E-Business Suite within the affected versions may be vulnerable.