Cybersecurity Alert – Oracle E-Business Suite Critical Vulnerability
IMPACT: All Firms
FINRA member firms should be aware of a critical vulnerability that affects certain versions of Oracle E-Business Suite, a business management software platform. This Cybersecurity Alert links to an Oracle Advisory that provides a detailed description of the vulnerability and recommendations to mitigate it. FINRA recommends member firms review this information with appropriate information technology and information security personnel to alert them to the ongoing threat.
Note: FINRA contacted firms that indicated they use Oracle products through responses to FINRA's Third-Party Vendor Questionnaire.
Summary
On Oct. 4, 2025, Oracle published an advisory regarding a critical vulnerability (CVE-2025-61882)[1] affecting Oracle E-Business Suite versions 12.2.3 through 12.2.14. The vulnerability is remotely exploitable without authentication, meaning it may be exploited over a network without a username or password. If successfully exploited, it may result in remote code execution on the affected system.
On Oct. 6, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation.
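The first thing a firm's IT staff will want to do with the range above is confirm whether each E-Business Suite instance they run falls inside it. The following is an added example, not code from the FINRA alert or from Oracle. It assumes the release string has already been collected from each instance (for example, the release name reported by the application's own product-group metadata; how you obtain it is outside the alert), and it compares version components numerically, because comparing release strings as text would wrongly place "12.2.14" before "12.2.3" and miss the newest affected release. The inventory at the bottom is constructed sample data.

```python
# Added example for triaging Oracle E-Business Suite release strings against the
# affected range named in the alert (12.2.3 through 12.2.14). Not FINRA's or
# Oracle's code. Release strings are assumed to be dot-separated integers.
from typing import Dict, Tuple

AFFECTED_MIN = (12, 2, 3)   # lowest affected release in the alert
AFFECTED_MAX = (12, 2, 14)  # highest affected release in the alert


def parse_release(release: str) -> Tuple[int, ...]:
    """Convert "12.2.14" into (12, 2, 14).

    Anything that is not dot-separated integers is rejected rather than guessed
    at, so a malformed inventory entry fails loudly instead of being skipped.
    """
    parts = release.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(p) for p in parts)


def is_affected(release: str) -> bool:
    """True if the release is within 12.2.3 .. 12.2.14 inclusive.

    Tuple comparison is component-wise and numeric, so 12.2.14 correctly sorts
    after 12.2.3 (a plain string comparison would get this backwards).
    """
    return AFFECTED_MIN <= parse_release(release) <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host in the inventory to whether its release is in range."""
    return {host: is_affected(rel) for host, rel in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and release strings are made up.
    sample_inventory = {
        "ebs-prod-01": "12.2.14",   # affected: top of the range
        "ebs-prod-02": "12.2.3",    # affected: bottom of the range
        "ebs-legacy": "12.1.3",     # outside the range named in the alert
        "ebs-dev": "12.2.15",       # above the range named in the alert
    }
    for host, flagged in triage(sample_inventory).items():
        print(f"{host}: {'AFFECTED' if flagged else 'not in affected range'}")
```

A release outside the range is reported only as "not in the affected range named in the alert"; it is not a statement that the instance is safe, and firms should still follow the mitigation steps in Oracle's advisory for any version Oracle lists.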
Recommendations to Protect Your Firm
FINRA recommends member firms share this information with appropriate information technology and information security personnel, and follow the specific mitigation steps listed in Oracle’s advisory, which also includes details on available software updates.
Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).
FINRA asks member firms to report any cyber incidents to their Risk Monitoring Analyst. Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA's 24/7 Operations Center ([email protected] or 888-282-0870).
Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some questions may not be relevant due to certain firms’ business models, sizes, or practices.
[1] "CVE" is short for Common Vulnerabilities and Exposures, a list of publicly known cybersecurity vulnerabilities.