
Critical Oracle E-Business Suite Flaw Grants Attackers Full System Access

Oracle has disclosed two critical vulnerabilities in its E-Business Suite’s Marketing product that could hand full control to remote attackers.

Tracked as CVE-2025-53072 and CVE-2025-62481, these flaws affect the Marketing Administration component and carry a CVSS score of 9.8, placing them among the most severe threats disclosed this year.

Organizations relying on Oracle’s suite for customer relationship management and marketing automation now face urgent patching needs to avert potential data breaches and full system takeovers.

These vulnerabilities stem from weaknesses in how the Marketing Administration component processes HTTP requests.

An unauthenticated attacker needs only network access; no special privileges or user interaction are required to exploit them.

Once triggered, the flaws enable full compromise of the Oracle Marketing module, with high impact on confidentiality, integrity, and availability.

This could lead to theft of sensitive customer data, unauthorized alteration of marketing campaigns, or even complete disruption of operations.

Both CVEs target Oracle Marketing versions 12.2.3 through 12.2.14, and no workarounds exist beyond applying the latest security patches.

Oracle’s advisory notes that the issues remain unchanged from initial assessments, underscoring their straightforward exploitability.

Each flaw uses a network attack vector with low complexity, requires no privileges or user interaction, and delivers high impact on confidentiality, integrity, and availability.

The identical scoring and vector metrics suggest a common coding error, possibly in input validation or session handling, though Oracle has withheld specifics to avoid aiding potential attackers.

| CVE ID | Component | Attack Vector | Requires Auth? | CVSS 3.1 Score | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact | Affected Versions |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-53072 | Marketing Administration | HTTP (Network) | No | 9.8 | Low | None | None | Unchanged | High | High | High | 12.2.3–12.2.14 |
| CVE-2025-62481 | Marketing Administration | HTTP (Network) | No | 9.8 | Low | None | None | Unchanged | High | High | High | 12.2.3–12.2.14 |

The disclosure arrives amid a surge of supply chain attacks targeting enterprise tools, echoing recent breaches at companies like Cisco and Microsoft.

For businesses in retail, finance, or e-commerce where Oracle E-Business Suite powers core marketing functions, these vulnerabilities could expose terabytes of customer profiles to theft or manipulation, potentially leading to regulatory fines under GDPR or CCPA.

Oracle urges immediate patching via its Critical Patch Update for October 2025, available on My Oracle Support.

In the interim, experts recommend implementing network segmentation to isolate the Marketing Administration component from public-facing networks.

Deploying web application firewalls tuned to detect HTTP anomalies can help block exploitation attempts, and continuous monitoring of Marketing Administration traffic for unusual patterns is crucial.
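As an added example (not Oracle's code and not part of the advisory), the script below triages a constructed inventory of E-Business Suite instances against the affected version range (12.2.3 through 12.2.14) and the segmentation and patching advice above, so that exposed, unpatched Marketing Administration hosts are handled first. Host names, the inventory fields and the zero-padding of short version strings are assumptions.

```python
# Added example (not Oracle's code or from the advisory): triage a constructed
# EBS inventory against the affected Marketing versions and the advice above.
from dataclasses import dataclass

AFFECTED_CVES = ("CVE-2025-53072", "CVE-2025-62481")
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

def parse_version(text: str) -> tuple[int, int, int]:
    """'12.2.11' -> (12, 2, 11). Only the first three components are compared;
    missing components count as 0 (assumption: '12.2' means 12.2.0)."""
    parts = [int(p) for p in text.strip().split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]

def is_affected(version: str) -> bool:
    """True when the version lies within 12.2.3 .. 12.2.14 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

@dataclass
class EbsInstance:
    name: str                   # hypothetical host label
    version: str
    marketing_enabled: bool     # Marketing Administration component in use
    internet_reachable: bool    # not isolated as the segmentation advice asks
    cpu_oct_2025_applied: bool  # October 2025 Critical Patch Update applied

def priority(inst: EbsInstance) -> int:
    """0 = outside affected range; 1 = affected but patched or module unused;
    2 = affected, unpatched, internal only; 3 = affected, unpatched, exposed."""
    if not is_affected(inst.version):
        return 0
    if inst.cpu_oct_2025_applied or not inst.marketing_enabled:
        return 1
    return 3 if inst.internet_reachable else 2

def triage(instances: list[EbsInstance]) -> list[tuple[str, int]]:
    """Most urgent first; sorted() is stable so ties keep inventory order."""
    return sorted(((i.name, priority(i)) for i in instances),
                  key=lambda t: -t[1])

# Constructed sample inventory, not real hosts.
SAMPLE = [
    EbsInstance("ebs-crm-dmz", "12.2.11", True, True, False),
    EbsInstance("ebs-fin-core", "12.2.9", False, False, False),
    EbsInstance("ebs-mkt-int", "12.2.14", True, False, False),
    EbsInstance("ebs-legacy", "12.2.2", True, True, False),
]
```

Running `triage(SAMPLE)` puts the internet-reachable, unpatched 12.2.11 host at the top and the 12.2.2 host, which is outside the affected range, at the bottom.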

Security firms such as Mandiant warn that proof-of-concept exploit code may appear soon on dark web forums, given the high incentive for attackers.

As enterprises scramble to patch, this incident highlights the importance of proactive vulnerability management in legacy ERP systems.

With no evidence of active exploitation to date, the window for defense remains open, but it is narrowing fast.
