Another remotely exploitable Oracle EBS vulnerability requires your attention (CVE-2025-61884)

Oracle has revealed the existence of yet another remotely exploitable Oracle E-Business Suite vulnerability (CVE-2025-61884).

About CVE-2025-61884

CVE-2025-61884 is a vulnerability in the Runtime user interface in the Oracle Configurator product of Oracle E-Business Suite (EBS).

Like CVE-2025-61882 before it, it officially affects the ESB versions 12.2.3 through 12.2.14.

According to the NIST national vulnerability database entry for CVE-2025-61884, this is an “easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”

Oracle Security’s CIS Rob Duhart says that the vulnerability “may allow access to sensitive resources” and “affects some deployments of Oracle E-Business Suite.”

The company “strongly recommends” that customers apply the updates or mitigations provided.

But, as an Oracle customer already noted, at least one earlier version (12.1.3) has been confirmed to be also vulnerable, and other changes to the patch availability document might be made in the coming days.

Oracle does not say whether CVE-2025-61884 is under active attack or has been exploited as a zero-day, possibly by the same attackers who stole data of Oracle EBS customers via CVE-2025-61882 and are now extorting them.

With exploit scripts for CVE-2025-61882 having been leaked, security researchers expect further attacks.

We’ve reached out to Oracle for more information on CVE-2025-61884, and we’ll update this article if we hear back from them.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!