
Critical Vulnerability In Oracle E-Business Suite’s Marketing Product Allows Full Access To Attackers

Oracle has disclosed two critical vulnerabilities in its E-Business Suite’s Marketing product that could hand full control to remote attackers.

Tracked as CVE-2025-53072 and CVE-2025-62481, these flaws affect the Marketing Administration component and each carry a CVSS score of 9.8, marking them as among the most severe threats disclosed this year.

Organizations relying on Oracle’s suite for customer relationship management and marketing automation now face urgent patching needs to avert potential data breaches and system takeovers.

The vulnerabilities stem from weaknesses in how the Marketing Administration component handles HTTP requests. An unauthenticated attacker needs only network access to exploit them; no special privileges or user interaction are required.

Once triggered, the flaws enable full compromise of the Oracle Marketing module, with high impact on the confidentiality, integrity, and availability of the affected system.

This could mean stealing sensitive customer data, altering marketing campaigns, or disrupting operations entirely.

In today’s threat landscape, where ransomware groups and nation-state actors hunt for easy entry points, such exposures in widely used ERP systems like Oracle E-Business Suite amplify the danger.

Details Of The Flaws

Both CVEs affect versions 12.2.3 through 12.2.14 of Oracle Marketing, with no mitigation available beyond applying the latest security patches.

Oracle’s advisory highlights that the issues remain unchanged from initial assessments, underscoring their straightforward exploitability.

The CVSS 3.1 vector for each (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) breaks down to network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impacts across all categories.

| CVE ID | Component | Attack Vector | Requires Auth? | CVSS 3.1 Score | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact | Affected Versions |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-53072 | Marketing Administration | HTTP (Network) | No | 9.8 | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.14 |
| CVE-2025-62481 | Marketing Administration | HTTP (Network) | No | 9.8 | Low | None | None | Unchanged | High | High | High | 12.2.3-12.2.14 |

These entries reveal a pattern: identical scoring and vectors suggest related coding errors, possibly in input validation or session handling, though Oracle has not released specifics to avoid aiding attackers.

Mitigations

The disclosure arrives amid a surge in supply chain attacks targeting enterprise tools, echoing recent breaches at companies like Cisco and Microsoft.

For businesses in retail, finance, or e-commerce where Oracle E-Business Suite powers core marketing functions, these vulnerabilities could expose terabytes of customer profiles to theft or manipulation, leading to regulatory fines under GDPR or CCPA.

Oracle urges immediate patching via its Critical Patch Update for October 2025, available on My Oracle Support.

In the interim, experts recommend network segmentation, web application firewalls tuned for HTTP anomalies, and monitoring for unusual Marketing Administration traffic.

Cybersecurity firms like Mandiant warn that exploit code may surface soon on dark web forums, given the high incentive.

As enterprises scramble, this incident highlights the need for proactive vulnerability management in legacy systems. With no evidence of active exploitation yet, the window for defense remains open, but it is narrowing fast.


The post Critical Vulnerability In Oracle E-Business Suite’s Marketing Product Allows Full Access To Attackers appeared first on Cyber Security News.
