
“The back-to-back zero-days at Oracle EBS highlight how threat actors are increasingly targeting high-value enterprise applications that underpin financial and operational workflows,” said Sakshi Grover, senior research manager of cybersecurity services at IDC Asia/Pacific. “These systems are deeply integrated, customized, and difficult to patch quickly, making them attractive targets for exploitation.”
Sunil Varkey, a consultant at Beagle Security, argued that the security industry’s historical blind spot around ERP systems has created today’s crisis. “In the past, CISOs viewed ERP systems as someone else’s problem, protected by the perimeter, too risky to touch and too complex to understand,” Varkey said. “ERP systems are no longer isolated. They are now connected to everything: cloud services, supplier portals, e-commerce platforms, and IoT sensors and web-facing components. This has exploded their attack surface.”
The vulnerability belongs to the same class as CVE-2025-61882, and organizations running Internet-exposed EBS instances are at particular risk. Security researchers noted that information disclosure flaws, although less serious than remote code execution vulnerabilities, can give attackers the reconnaissance data needed to chain multiple exploits together, a technique that sophisticated threat actors have repeatedly demonstrated.

