Another remotely exploitable Oracle EBS vulnerability requires your attention (CVE-2025-61884)
Oracle has revealed the existence of yet another remotely exploitable Oracle E-Business Suite vulnerability (CVE-2025-61884).

About CVE-2025-61884
CVE-2025-61884 is a vulnerability in the Runtime user interface in the Oracle Configurator product of Oracle E-Business Suite (EBS).
Like CVE-2025-61882 before it, it officially affects EBS versions 12.2.3 through 12.2.14.
According to the NIST national vulnerability database entry for CVE-2025-61884, this is an “easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”
Oracle CSO Rob Duhart says that the vulnerability “may allow access to sensitive resources” and “affects some deployments of Oracle E-Business Suite.”
The company “strongly recommends” that customers apply the updates or mitigations provided.
But, as an Oracle customer has already noted, at least one earlier version (12.1.3) has also been confirmed to be vulnerable, and further changes to the patch availability document may be made in the coming days.
Oracle does not say whether CVE-2025-61884 is under active attack or has been exploited as a zero-day, possibly by the same attackers who stole data of Oracle EBS customers via CVE-2025-61882 and are now extorting them.
With exploit scripts for CVE-2025-61882 having been leaked, security researchers expect further attacks.
We’ve reached out to Oracle for more information on CVE-2025-61884, and we’ll update this article if we hear back from them.
UPDATE (October 15, 2025, 07:30 a.m. ET):
Oracle has declined to answer our questions and pointed us towards the advisory.
But with CVE-2025-61884’s description noting the flaw is in the Oracle Configurator product of Oracle EBS and watchTowr’s analysis of a leaked exploit showing that it targets the /OA_HTML/configurator/UiServlet endpoint, it looks like CVE-2025-61884 – and not the previously exploited and then patched CVE-2025-61882 – might be leveraged by that particular exploit.
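Because the flaw needs no authentication and the leaked exploit is reported to target the /OA_HTML/configurator/UiServlet endpoint, a first triage step for defenders is to find out whether that endpoint has been reached from outside the networks that normally use Oracle Configurator, and whether the instance is in the listed affected range. The script below is an added example written for this article, not code from Oracle, watchTowr or Help Net Security. It assumes an Apache/OHS "combined" access-log format, a site-specific list of trusted networks (`TRUSTED_NETS`), and constructed sample log lines; the affected-version check covers only the range Oracle officially lists, so 12.1.3 is deliberately not inferred.

```python
"""Flag access-log lines that touch the Oracle Configurator UiServlet endpoint
and check whether an EBS version string falls in the listed affected range.
Added example; log format, trusted networks and sample lines are assumptions."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Officially listed affected EBS versions (12.2.3 through 12.2.14).
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Endpoint named in watchTowr's analysis of the leaked exploit.
WATCHED_PATH = "/OA_HTML/configurator/UiServlet"

# Assumption: networks from which Configurator traffic is expected at this site.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Assumption: Apache/OHS "combined" LogFormat; adapt the regex to your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_version(version: str) -> tuple:
    """'12.2.10' -> (12, 2, 10); shorter strings are padded with zeros."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected_version(version: str) -> bool:
    """True only for the officially listed range (12.2.3 .. 12.2.14)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def is_trusted(ip: str) -> bool:
    """True if the client address is inside one of TRUSTED_NETS."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False            # unparsable client field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def parse_line(line: str):
    """Return a dict of log fields, or None if the line does not match LOG_RE."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def classify(rec: dict):
    """Severity for one record, or None if it is not a UiServlet request."""
    if rec["path"].lower() != WATCHED_PATH.lower():
        return None
    if not is_trusted(rec["ip"]):
        return "high"          # unauthenticated endpoint reached from outside
    return "medium"            # internal source: still review, no login needed


def scan(lines):
    """Return one finding per UiServlet request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev:
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "status": rec["status"], "severity": sev,
                             "ua": rec.get("ua") or "-"})
    return findings


def hits_per_ip(findings):
    """Count UiServlet requests per source address (bursts stand out)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Oct/2025:08:10:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Oct/2025:08:12:45 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 1284 "-" "python-requests/2.31"',
    '203.0.113.7 - - [15/Oct/2025:08:12:46 +0000] "POST /OA_HTML/configurator/UiServlet?dummy=1 HTTP/1.1" 500 412 "-" "python-requests/2.31"',
    '10.0.0.12 - - [15/Oct/2025:09:00:00 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Oct/2025:09:05:00 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(hits_per_ip(scan(SAMPLE_LOG)))
    print("12.2.10 affected:", is_affected_version("12.2.10"))
```

Run against real logs by replacing `SAMPLE_LOG` with the lines of the OHS access log; a "high" finding is a request to the endpoint from an address outside the trusted ranges, which on an unpatched instance in the affected range warrants incident-response handling rather than just patching. Internal hits are rated "medium" only because the source is expected, not because the request is safe.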
UPDATE (October 16, 2025, 01:00 p.m. ET):
“Mandiant and GTIG have observed evidence that both the ‘UiServlet’ and ‘SyncServlet’-related exploit chains have been exploited in the wild as a zero day,” Zander Work, Senior Security Engineer at Google Threat Intelligence Group, told Help Net Security.
“At this time, we are not able to attribute any specific exploitation activity to a specific actor, but it’s likely that at least some of the exploitation activity we observed was conducted by actors now conducting Cl0p-branded extortion operations.”
