Security | April 2025 | 5 min read

What the NCSC Oracle E-Business Suite advisory means for UK organisations

By the APPSolve Group team

Active advisory: Oracle E-Business Suite vulnerabilities are being actively exploited in the UK. See our security remediation service

The background

The UK's National Cyber Security Centre (NCSC) has issued advisories relating to active exploitation of vulnerabilities in Oracle E-Business Suite (EBS). These advisories reflect a broader pattern of threat actors targeting on-premise Oracle systems — many of which have not been patched against known critical vulnerabilities.

Oracle regularly issues security patches through its Critical Patch Update (CPU) programme, typically released quarterly. However, many UK organisations running EBS have fallen significantly behind — sometimes by multiple years — leaving known, publicly documented vulnerabilities unpatched and exploitable.

What kinds of vulnerabilities are being exploited?

The vulnerabilities in scope are flaws in web-facing Oracle E-Business Suite components, including Oracle Application Framework (OAF), Oracle Forms, and certain EBS REST and SOAP endpoints. Some of these vulnerabilities allow unauthenticated remote access; others allow privilege escalation once an attacker already has a foothold.

The severity of these vulnerabilities is significant. Several carry CVSS scores above 9.0, which places them in the highest severity band, and Oracle rates them as critical.

Am I at risk?

You are at elevated risk if one or more of the following applies to your organisation:

  • Your E-Business Suite environment is accessible over the internet — even for specific functions like self-service or supplier portals
  • You have not applied Oracle Critical Patch Updates released in 2023 or 2024
  • You are running EBS 12.1.x, which has had reduced patch availability since the end of Premier Support
  • You do not have a formal process for assessing and applying Oracle security patches

What should I do?

The immediate priorities are:

  1. Assess your current patch level. Identify which Oracle CPU patches have been applied to your E-Business Suite environment and which have not. This requires access to your E-Business Suite patch history and Oracle support.
  2. Restrict external access. If any EBS components are internet-accessible, review whether that access is necessary and apply network-level controls where it is not.
  3. Apply critical patches. Prioritise patching against the CPU releases that address the critical vulnerabilities identified in the NCSC advisories.
  4. Review access controls. Audit privileged EBS user accounts, particularly system administrator and SYSADMIN-equivalent access.
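As an added illustration (not part of the original article and not APPSolve's own tooling), the SQL below shows how steps 1 and 4 can be checked directly in an EBS 12.x database: whether a specific CPU bug fix is recorded as applied, and which active users hold the System Administrator responsibility. It relies on the standard EBS AD_PATCH package and FND tables; the bug number is a placeholder to be replaced with the fix numbers listed in the relevant CPU readme.

```sql
-- Step 1: confirm whether a given CPU fix is recorded in the patch history.
-- AD_PATCH.IS_PATCH_APPLIED returns 'EXPLICIT' (applied directly),
-- 'IMPLICIT' (included in a later patch) or 'NOT APPLIED'.
-- 123456789 is a PLACEHOLDER bug number, not a real fix from the advisory.
SELECT 123456789                                   AS bug_number,
       ad_patch.is_patch_applied('R12', -1, 123456789) AS patch_status
FROM   dual;

-- Step 4: list active users who hold the System Administrator responsibility
-- through a direct assignment that has not been end-dated.
-- Reconcile this list against approved administrators; anything unexpected
-- (shared accounts, leavers, vendor accounts left open) is a finding.
SELECT u.user_name,
       r.responsibility_name,
       urg.start_date,
       urg.end_date,
       u.last_logon_date
FROM   fnd_user                     u
       JOIN fnd_user_resp_groups_direct urg
            ON urg.user_id = u.user_id
       JOIN fnd_responsibility_vl   r
            ON r.responsibility_id = urg.responsibility_id
           AND r.application_id    = urg.responsibility_application_id
WHERE  r.responsibility_key = 'SYSTEM_ADMINISTRATOR'
AND    (u.end_date   IS NULL OR u.end_date   > SYSDATE)   -- account still open
AND    (urg.end_date IS NULL OR urg.end_date > SYSDATE)   -- assignment still active
ORDER  BY u.user_name;
```

Run the patch check once per bug number from the CPU readme; a 'NOT APPLIED' result for a fix that addresses an exploited vulnerability should be treated as a priority-one remediation item.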

How can APPSolve help?

APPSolve Group provides a structured Oracle E-Business Suite Security Remediation service specifically designed for UK organisations that need to address these vulnerabilities quickly. The service includes a gap analysis against current Oracle CPU releases, prioritised remediation planning, patch application, and a written sign-off document suitable for your internal audit and information security teams.

Most security remediation engagements complete within two to four weeks. We can typically mobilise within five business days of engagement confirmation.

Need to act quickly?

Contact APPSolve Group to discuss your Oracle E-Business Suite security position. We can advise on your risk exposure and propose a remediation plan.
