“Back-to-back zero-days in Oracle EBS highlight how threat actors are increasingly targeting high-value enterprise applications that underpin financial and operational workflows,” said Sakshi Grover, senior research manager for cybersecurity services at IDC Asia/Pacific. “These systems are deeply integrated, customized, and difficult to patch quickly, making them attractive targets for exploitation.”
Sunil Varkey, advisor at Beagle Security, argued that the security industry’s historical blind spot around ERP systems has created today’s crisis. “In the past, CISOs saw ERP systems as someone else’s problem, protected by the perimeter, too risky to touch, and too complex to understand,” Varkey said. “ERP systems are no longer isolated. They are now connected to everything: cloud services, supplier portals, e-commerce platforms, and IoT sensors and web-facing components. This has exploded their attack surface.”
The vulnerability affects the same version range as CVE-2025-61882, and organizations running internet-exposed EBS instances face particular risk. Security researchers noted that information disclosure flaws, while less severe than remote code execution vulnerabilities, can provide attackers with reconnaissance data needed to chain multiple exploits together—a technique sophisticated threat actors have demonstrated repeatedly.
