Oracle Business Process Management Suite (14.1.2.0.0) (January 2026 CPU)

🗓️ 22 Jan 2026 00:00:00Reported by TenableType

Oracle BPM Suite 14.1.2.0.0 is vulnerable to unauthenticated HTTP attacks causing denial or takeover.

Reporter	Title	Published	Views	Family All 791
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses uthentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.	9 Jul 202507:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)	3 Sep 202518:09	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2025-48976)	15 Aug 202509:21	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager for December 2025 - Multiple CVEs addressed	29 Jan 202607:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to multiple Apache Tomcat vulnerabilities (CVE-2025-48976, CVE-2025-48988)	17 Jul 202518:27	–	ibm
IBM Security Bulletins	Security Bulletin: IBM SPSS Analytic Server is affected by a Denial of Service (DoS) vulnerability in Apache Commons FileUpload.	20 Sep 202500:54	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Secure Proxy is vulnerable to uncontrolled recursion due to Apache Commons Lang.	10 Feb 202617:07	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in Apache Commons Lang may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2025-48924)	26 Sep 202508:04	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM DevOps Solution Workbench	30 Oct 202520:15	–	ibm
IBM Security Bulletins	Security Bulletin: Remediation of Multiple Apache Struts Vulnerabilities in IBM Library Support for Struts	9 Mar 202610:35	–	ibm

Source	Link
oracle	www.oracle.com/docs/tech/security-alerts/cpujan2026csaf.json
oracle	www.oracle.com/security-alerts/cpujan2026.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(294978);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/30");

  script_cve_id(
    "CVE-2025-48924",
    "CVE-2025-48976",
    "CVE-2025-54988",
    "CVE-2025-66516"
  );
  script_xref(name:"IAVA", value:"2026-A-0069");
  script_xref(name:"IAVA", value:"2026-A-0070-S");

  script_name(english:"Oracle Business Process Management Suite (14.1.2.0.0) (January 2026 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle Business Process Management Suite installed on the remote host is affected by a vulnerability, 
as referenced in the January 2026 CPU advisory:

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware 
    (component: Composer (Apache Commons Lang)). The supported version that is affected is 14.1.2.0.0. 
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to 
    compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can 
    result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business 
    Process Management Suite. (CVE-2025-48924)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware 
    (component: Composer (Apache Commons FileUpload)). Supported versions that are affected are 12.2.1.4.0 
    and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via 
    HTTP to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can 
    result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle
     Business Process Management Suite. (CVE-2025-48976)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware 
    (component: Oracle Business Rules (Apache Commons Compress)). The supported version that is affected is 
    14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP 
    to compromise Oracle Business Process Management Suite. Successful attacks of this vulnerability can 
    result in takeover of Oracle Business Process Management Suite. (CVE-2025-54988)

  - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware 
    (component: Runtime Engine (Apache Tika)). Supported versions that are affected are 12.2.1.4.0 and 
    14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via 
    HTTP to compromise Oracle Business Process Management Suite. While the vulnerability is in Oracle 
    Business Process Management Suite, attacks may significantly impact additional products (scope change). 
    Successful attacks of this vulnerability can result in takeover of Oracle Business Process Management 
    Suite. (CVE-2025-66516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujan2026csaf.json");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2026.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January 2026 Oracle Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-66516");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_process_management_suite");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_bpm_installed.nbin");
  script_require_keys("installed_sw/Oracle Business Process Manager");

  exit(0);
}

include('vcf.inc');
var app_info = vcf::get_app_info(app:'Oracle Business Process Manager');

var constraints = [
  { 'min_version':'14.1.2.0.0', 'fixed_version' : '14.1.2.0.260105' }
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_HOLE
);

30 Apr 2026 00:00Current

7High risk

Vulners AI Score7

CVSS 3.19.8

EPSS0.01579

SSVC