CVE-2025-61884: Oracle Issues Urgent Security Alert for New E-Business Suite Vulnerability

[Update] CVE-2025-61884 Added to CISA KEV & Ongoing Clop Activity

Over the weekend, Oracle dropped an important security update addressing a newly discovered flaw in its widely used E-Business Suite (EBS). The issue, tracked as CVE-2025-61884, has already caught the attention of security experts because of how easily it could be exploited, even without credentials.

Organizations running affected versions may find themselves at serious risk if patches aren’t applied swiftly.

What Is CVE-2025-61884?

CVE-2025-61884(CVSS 7.5) is a high-severity vulnerability affecting the Runtime UI component of Oracle Configurator, part of the Oracle E-Business Suite.

According to Oracle’s official advisory, this flaw allows remote, unauthenticated attackers to exploit EBS systems over HTTP, potentially granting unauthorized access to sensitive business data.

In practical terms, an attacker does not need a username or password to exploit it. Once successful, the attack could expose critical configuration data or other information processed by Oracle Configurator. Affected versions range from 12.2.3 through 12.2.14, all of which are still under Oracle’s active support.

How Severe Is the Risk?

This vulnerability stands out not only for its ease of exploitation but also for the data exposure potential. The issue could enable attackers to bypass authentication controls and access confidential enterprise resources, from customer details to system configurations.

While Oracle hasn’t confirmed any exploitation in the wild, experts warn that given recent activity surrounding similar flaws, it is wise to assume that attackers may attempt to chain or reuse methods against unpatched EBS systems.

Which Oracle EBS Deployments Are Impacted by CVE-2025-61884?

Oracle states that only actively supported versions (12.2.3–12.2.14) are patched through this alert. However, community reports suggest earlier versions such as 12.1.3 may also be vulnerable.

The vulnerability resides specifically in the Runtime User Interface of the Oracle Configurator module, a key feature used in many enterprise environments for customized order management and configuration processes.

Is CVE-2025-61884 Connected to Previous Oracle EBS Attacks?

Security researchers point out that this alert comes just weeks after the disclosure of CVE-2025-61882, another EBS flaw linked to data theft campaigns associated with the Clop ransomware group. Those earlier attacks leveraged multiple payload chains and leaked exploit code online, increasing the likelihood that related vulnerabilities like CVE-2025-61884 will soon be targeted.

While Oracle hasn’t confirmed a direct link, the close timing raises concerns that adversaries are actively scrutinizing EBS components for additional weak points.

CVE-2025-61884 Added to CISA KEV & Ongoing Clop Activity

CISA has officially confirmed that CVE-2025-61884 in Oracle E-Business Suite is being actively exploited, adding it to the Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply patches by November 10, 2025.

Initially disclosed by Oracle on October 11, the vulnerability affects the Configurator runtime component and was linked to a leaked exploit used in July attacks. Investigations confirm that the exploit chain specifically targeted the UiServlet SSRF endpoint, now identified as CVE-2025-61884.

Meanwhile, the Clop ransomware group continues its extortion attempts, publishing alleged victim names linked to Oracle EBS exploitation. Recent posts, shared throughout late October, include organizations from finance, manufacturing, and professional services sectors.

What Should Organizations Do Now?

Oracle strongly recommends immediate patching or applying mitigations provided in its Security Alert. Customers should ensure they are on supported EBS versions and verify that updates are applied across all instances, including backup and test environments.

For organizations unable to patch immediately:

• Limit HTTP access to Oracle EBS from untrusted networks.
• Monitor for unusual activity involving the Oracle Configurator component.
• Review system logs for potential unauthorized data access attempts.

Cybersecurity teams should also keep watch for evolving exploits, given that attackers have targeted similar Oracle EBS vulnerabilities in recent months.

Uncover Vulnerability Threats with SOCRadar XTI

To stay proactive against vulnerabilities, exposures, and exploit developments, organizations can leverage SOCRadar’s Cyber Threat Intelligence (CTI) and Dark Web Monitoring modules.

With SOCRadar, you can:

• Monitor vulnerability disclosures, exploit kits, and chatter across dark web sources in real time.
• Correlate CVEs with known threat actor activities and campaigns.
• Prioritize patching using contextual risk scores and exploitability insights.
• Detect leaked credentials or sensitive information related to your assets.
• Receive actionable intelligence alerts directly integrated with your existing SIEM or SOAR systems.

By combining visibility from CTI and Dark Web Monitoring, organizations can strengthen their defense posture and respond faster to newly emerging threats.