
Critical Oracle E-Business Suite Vulnerability Requires Immediate Action

Health care organizations using Oracle E-Business Suite (EBS) are urged to take immediate action following a newly published Oracle Security Alert addressing a critical vulnerability — CVE-2025-61882.

This flaw is remotely exploitable without authentication, meaning attackers could exploit it over a network without a username or password. If successfully exploited, the vulnerability could allow remote code execution, potentially giving attackers full control of affected systems.

Oracle strongly advises customers to apply the security update immediately.

“This is a ‘stop-what-you’re-doing and patch immediately’ vulnerability,” said Brett Leatherman, FBI Assistant Director of the Cyber Division. “The bad guys are likely already exploiting in the wild, and the race is on before others identify and target vulnerable systems.”

Recommended Actions

Health care leaders should ensure their IT and cybersecurity teams are aware of this advisory and take the following steps without delay:

  1. Apply Oracle’s patch — available in the latest Security Alert. (Note: the October 2023 Critical Patch Update must be applied first as a prerequisite.)
  2. Isolate or firewall EBS servers to prevent BI Publisher or Concurrent Processing components from being exposed to the network.
  3. Review Oracle’s indicators of compromise and actively hunt for any signs of intrusion.
  4. Monitor threat intelligence feeds closely, as exploit activity may escalate quickly.
  5. Contact your local FBI field office if you suspect your organization has been compromised.

Need Assistance?

For further questions, contact:

  • John Riggi, AHA National Advisor for Cybersecurity and Risk – jriggi@aha.org 
  • Scott Gee, AHA Deputy Director for Cybersecurity and Risk – sgee@aha.org

Related: Becker’s Health IT: Hospitals scramble to fix major Oracle vulnerability
