Posts

Showing posts with the label bypass oracle

Bypassing Patches for "CVE-2022-21500" on Oracle EBS (IDORing Oracle) (CVE-2025-30707, CVE-2025-30708)

Hello Readers, (Sorry for the lengthy article.)

In 2022, researcher Orwa Atyat discovered a critical vulnerability (CVE-2022-21500) in Oracle E-Business Suite, allowing attackers to register accounts, access the "Manage Proxy" page, and retrieve sensitive user data. Additionally, the Diagnostic Console could be abused to run SQL queries and extract passwords.

To address this, Oracle released patches and organizations implemented workarounds such as:

- Identity Gateways: redirecting login attempts through solutions like Oracle IDCS or ForgeRock.
- Disabling Registration: removing self-registration links or URLs (ibeCAcpSSOReg.jsp) to prevent account creation.
- Hiding Settings: removing access to the "Manage Proxy" option from the UI.
- Blocking Access: disabling the "Manage Proxy" page entirely.

Despite these measures, I successfully bypassed all four controls. Oracle acknowledged two of my findings (Here) and assigned the following new CVEs: CVE-2025-30707 – Oracle iStore (12.2.3–12.2...