CVE-2025-61884
Published 2025-10-12
CVE-2025-61884: Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14…
Priority P197 · high · 7.5 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:N · A:N
KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability · due 2025-11-10
Exploited in the wild
EPSS: 97.58% (99.9th percentile)
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | configurator | 12.2.3 – 12.2.14 | — |
| oracle_corporation | oracle_configurator | 12.2.3 – 12.2.14 | — |
Detection & IOCs (extracted from sources)
- CVE-2025-61884 is an unauthenticated pre-authentication Server-Side Request Forgery (SSRF) vulnerability in the Oracle Configurator Runtime UI component (UiServlet). Monitor HTTP requests to /configurator/UiServlet for unauthenticated access attempts, especially those supplying a manipulated 'return_url' parameter.
- The patch for CVE-2025-61884 validates the attacker-supplied 'return_url' parameter via regex. Detect exploitation attempts by alerting on requests to /configurator/UiServlet containing unexpected or external URLs in the 'return_url' parameter.
- watchTowr Labs confirmed the ShinyHunters leaked PoC targets the UiServlet SSRF attack chain specifically, not the SyncServlet chain. Prioritize detection on /configurator/UiServlet over /OA_HTML/SyncServlet for CVE-2025-61884.
- Exploitation of CVE-2025-61884 was observed as early as July 2025. Threat actors include ShinyHunters / Scattered Lapsus$ Hunters who leaked a public PoC on Telegram. Treat any unpatched Oracle EBS 12.2.3–12.2.14 instance as actively targeted.
- Check Point IPS, Threat Emulation and Harmony Endpoint provide signature-based coverage for this CVE. Reference signature: 'Oracle Multiple Products Remote Code Execution (CVE-2025-61882, CVE-2025-61884)'.
- Oracle did not publicly disclose that CVE-2025-61884 was actively exploited at the time of patching, and initially misattributed the ShinyHunters PoC as an IOC for CVE-2025-61882. Defenders should treat both CVEs as distinct exploit chains requiring separate patches.
- The fix for CVE-2025-61884 was delivered as an out-of-band security update separate from the October 4 patch for CVE-2025-61882. Applying only the CVE-2025-61882 patch leaves the SSRF component exploitable; both patches must be applied.
- Mandiant assessed that Oracle EBS servers updated through the October 4 patch are likely no longer vulnerable to known Clop (CVE-2025-61882) exploitation chains, but this does not cover CVE-2025-61884 which requires the subsequent out-of-band patch.
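A log-side version of the first two items, as an added example (not code from Oracle, watchTowr or the rule authors): it normalizes a captured UiServlet request body and flags a `return_url` that points off an allowlist or carries CR/LF. The allowlisted host `ebs.corp.example`, the `<param>` element layout and all sample bodies are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote, urlsplit

UISERVLET = "/configurator/UiServlet"          # path named in the guidance above
MARKERS = ("redirectFromJsp=1", "getUiType=")  # body contents the Suricata rules key on
ALLOWED_HOSTS = {"ebs.corp.example"}           # assumption: your own EBS front-end host(s)

URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^\s<>\"']+")
# Text following "return_url" up to the next closing tag (or end of body).
SEGMENT_RE = re.compile(r"return_url(.*?)(?=</|\Z)", re.S)


def normalize(body, max_rounds=4):
    """Undo nested percent-encoding and HTML entities (&#x3a; &sol; ...)."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(body))
        if decoded == body:
            break
        body = decoded
    return body


def inspect_request(path, body):
    """Return a list of findings for one HTTP request (empty list = nothing to report)."""
    if UISERVLET not in path:
        return []
    text = normalize(body)
    if not all(marker in text for marker in MARKERS):
        return []
    findings = []
    for match in SEGMENT_RE.finditer(text):
        segment = match.group(1)
        for url in URL_RE.findall(segment):
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:          # malformed authority, e.g. broken IPv6 literal
                host = ""
            if host not in ALLOWED_HOSTS:
                findings.append("external-host:" + host)
        if "\r" in segment or "\n" in segment:
            findings.append("crlf-in-return-url")
    return findings


# Constructed sample bodies (not taken from any real capture or exploit).
PREFIX = "redirectFromJsp=1&getUiType=%3Cparam%20name%3D%22return_url%22%3E"
SUFFIX = "%3C%2Fparam%3E"
SAMPLES = {
    "allowlisted": PREFIX + "http%3A%2F%2Febs.corp.example%2FOA_HTML%2Fx" + SUFFIX,
    "external": PREFIX + "http%3A%2F%2Fcollector.example.net%2Fx" + SUFFIX,
    # scheme separator hidden behind percent-encoded HTML entities
    "entity_encoded": PREFIX
    + "http%26%23x3a%3B%26sol%3B%26sol%3Bcollector.example.net%2Fx" + SUFFIX,
    # double percent-encoded CR/LF after an allowlisted host
    "crlf": PREFIX + "http%3A%2F%2Febs.corp.example%2Fa%250D%250AGET%20%2Fb" + SUFFIX,
}


def scan_samples():
    """Run the check over the constructed samples, keyed by sample name."""
    path = "/OA_HTML/configurator/UiServlet"
    return {name: inspect_request(path, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result)
```

This needs request bodies, so feed it from a WAF, reverse proxy or packet capture rather than from a plain access log.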
CVSS provenance
- nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck: 7.5 HIGH
- cisa: 7.5 HIGH
GHSA
GHSA-rcj9-qvh8-q3c8: Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI)
ghsa_unreviewed·2025-10-12
CVE-2025-61884 [HIGH] CWE-22 GHSA-rcj9-qvh8-q3c8: Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI)
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
VulnCheck
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
vulncheck·2025·CVSS 7.5
CVE-2025-61884 [HIGH] CWE-918 Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.
Affected: Oracle E-Business Suite
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://app.crowdsec.net/cti/cve-explorer/CVE-2025-61884; https://socradar.io/cl0p-oracle-ebs-zeroday-campaign/; https://www.sentinelone.com/blog/the-best-the
CISA
Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
cisa·2025-10-20·CVSS 7.5
CVE-2025-61884 [HIGH] CWE-918 Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
Vulnerability: Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
Affected: Oracle E-Business Suite
Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-61884
Remediation Due Date: 2025-11-10
Suricata
ET WEB_SERVER Oracle E-Business Suite (EBS) Authentication Filter Bypass (apps. example. com) (CVE-2025-61884)
suricata·2025-10-08·CVSS 7.5
CVE-2025-61884 [HIGH] ET WEB_SERVER Oracle E-Business Suite (EBS) Authentication Filter Bypass (apps. example. com) (CVE-2025-61884)
ET WEB_SERVER Oracle E-Business Suite (EBS) Authentication Filter Bypass (apps. example. com) (CVE-2025-61884)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Oracle E-Business Suite (EBS) Authentication Filter Bypass (apps. example. com) (CVE-2025-61884)"; flow:established,to_server; xbits:set,ET.OracleEBS.CVE_2025_61882,track ip_dst; http.uri; content:"/OA_HTML/configurator/UiServlet"; fast_pattern; http.request_body; content:"redirectFromJsp|3d|1"; content:"getUiType|3d|"; content:"return_url"; pcre:"/^(?:(?!\x3c\x2f|\x25(?:25)?3[cC]\x25(?:25)?2[fF]).)+apps.example.com/R"; reference:url,labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-202
Suricata
ET WEB_SERVER Oracle E-Business Suite (EBS) XSL Transformation Outbound Fetch (CVE-2025-61884)
suricata·2025-10-08·CVSS 7.5
CVE-2025-61884 [HIGH] ET WEB_SERVER Oracle E-Business Suite (EBS) XSL Transformation Outbound Fetch (CVE-2025-61884)
ET WEB_SERVER Oracle E-Business Suite (EBS) XSL Transformation Outbound Fetch (CVE-2025-61884)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle E-Business Suite (EBS) XSL Transformation Outbound Fetch (CVE-2025-61884)"; flow:established,to_server; xbits:isset,ET.OracleEBS.CVE_2025_61882,track ip_src; http.uri; content:"/ieshostedsurvey.xsl"; fast_pattern; endswith; http.method; content:"GET"; reference:url,labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/; reference:cve,2025-61884; classtype:web-application-attack; sid:2065108; rev:1; metadata:affected_product Oracle_EBS, attack_target Server, created_at 2025_10_08
Suricata
ET WEB_SERVER Oracle E-Business Suite (EBS) Unauthenticated Server-Side Request Forgery (CVE-2025-61884)
suricata·2025-10-08·CVSS 7.5
CVE-2025-61884 [HIGH] ET WEB_SERVER Oracle E-Business Suite (EBS) Unauthenticated Server-Side Request Forgery (CVE-2025-61884)
ET WEB_SERVER Oracle E-Business Suite (EBS) Unauthenticated Server-Side Request Forgery (CVE-2025-61884)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Oracle E-Business Suite (EBS) Unauthenticated Server-Side Request Forgery (CVE-2025-61884)"; flow:established,to_server; xbits:set,ET.OracleEBS.CVE_2025_61882,track ip_dst; http.uri; content:"/OA_HTML/configurator/UiServlet"; fast_pattern; http.request_body; content:"redirectFromJsp|3d|1"; content:"getUiType|3d|"; content:"return_url"; pcre:"/^(?:(?!\x3c\x2f|\x25(?:25)?3[cC]\x25(?:25)?2[fF]).)+[a-zA-Z]+(?:(?:\x26|\x25(?:25)?26)(?:(?:\x23|\x25(?:25)?23)(?:x3[aA]|58)|colon)(?:\x3b|\x25(?:25)?3[bB])|\x3a|\x25(?:25)?3[aA])(?:(?:\x26|\x25(?:25)?26)(?:(?:\x23|\x25(?:25)?23)(?:x2[fF]|47)|sol)(?:\x3b|\x25(?:25)?3[bB])|\x2f|\x25(?:25
Suricata
ET WEB_SERVER Oracle E-Business Suite (EBS) CRLF Injection (CVE-2025-61884)
suricata·2025-10-08·CVSS 7.5
CVE-2025-61884 [HIGH] ET WEB_SERVER Oracle E-Business Suite (EBS) CRLF Injection (CVE-2025-61884)
ET WEB_SERVER Oracle E-Business Suite (EBS) CRLF Injection (CVE-2025-61884)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Oracle E-Business Suite (EBS) CRLF Injection (CVE-2025-61884)"; flow:established,to_server; xbits:set,ET.OracleEBS.CVE_2025_61882,track ip_dst; http.uri; content:"/OA_HTML/configurator/UiServlet"; fast_pattern; http.request_body; content:"redirectFromJsp|3d|1"; content:"getUiType|3d|"; content:"return_url"; pcre:"/^(?:(?!\x3c\x2f|\x25(?:25)?3[cC]\x25(?:25)?2[fF]).)+(?:(?:(?:\x26|\x25(?:25)?26)(?:\x23|\x25(?:25)?23)(?:13|x0[dD])(?:\x3b|\x25(?:25)?3[bB])|\x0d|\x25(?:25)?0[dD])(?:(?:\x26|\x25(?:25)?26)(?:(?:\x23|\x25(?:25)?23)(?:x0[aA]|10)|NewLine)(?:\x3b|\x25(?:25)?3[bB])|\x0a|\x25(?:25)?0[aA]))(?:HEAD|GET|POST|PUT|OPTIONS|TRACE|DELETE)/R"; reference:url,
Nuclei
Oracle E-Business Suite - Server-Side Request Forgery
nuclei·CVSS 7.5
CVE-2025-61884 [HIGH] Oracle E-Business Suite - Server-Side Request Forgery
Oracle E-Business Suite - Server-Side Request Forgery
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator.
Template:
```yaml
id: CVE-2025-61884
info:
  name: Oracle E-Business Suite - Server-Side Request Forgery
  author: Kazgangap
  severity: high
  description: |
    Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator.
  impact: |
    Unauthenticated
```
Bleepingcomputer
CISA flags two-year-old Oracle flaw as actively exploited in attacks
blogs_bleepingcomputer·2026-06-02·CVSS 7.5
CVE-2024-21182 [HIGH] CISA flags two-year-old Oracle flaw as actively exploited in attacks
## CISA flags two-year-old Oracle flaw as actively exploited in attacks
## Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to secure their systems against a high-severity Oracle WebLogic Server vulnerability that was patched two years ago and is now actively exploited in attacks.
Oracle WebLogic Server is an enterprise-grade Java app server used as middleware for large, multi-tier distributed applications.
Tracked as CVE-2024-21182, this security flaw can be exploited remotely by threat actors with no privileges in low-complexity attacks targeting systems running Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0.
"Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant·2026-03-05
Look What You Made Us Patch: 2025 Zero-Days in Review
## Look What You Made Us Patch: 2025 Zero-Days in Review
## Google Threat Intelligence Group
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
## Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
Checkpoint
12th January – Threat Intelligence Report
blogs_checkpoint·2026-01-12·CVSS 9.8
CVE-2025-61882 [CRITICAL] 12th January – Threat Intelligence Report
## 12th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Manage My Health, New Zealand’s largest patient portal, has acknowledged that a cyberattack occurred in December 2025 that potentially exposed data of nearly 110K users. An alleged attacker, dubbed Kazu, claimed responsibility and demanded a $60,000 ransom.
France’s Office for Immigration and Integration has confirmed data t
Bleepingcomputer
The biggest cybersecurity and cyberattack stories of 2025
blogs_bleepingcomputer·2026-01-01
The biggest cybersecurity and cyberattack stories of 2025
## The biggest cybersecurity and cyberattack stories of 2025
## Lawrence Abrams
2025 was a big year for cybersecurity, with major cyberattacks, data breaches, threat groups reaching new notoriety levels, and, of course, zero-day vulnerabilities exploited in incidents.
Some stories, though, were more impactful or popular with our readers than others.
Below are fifteen of what BleepingComputer believes are the most impactful cybersecurity topics of 2025, with a summary of each. These stories are in no particular order.
## 15. The PornHub Data Breach
The ShinyHunters extortion gang is extorting PornHub after stealing the company's Premium member activity data from third-party analytics provider Mixpanel.
The attackers claim to have stolen roughly 94 GB of data containing over 200 milli
Bleepingcomputer
PornHub extorted after hackers steal Premium member activity data
blogs_bleepingcomputer·2025-12-15
PornHub extorted after hackers steal Premium member activity data
## PornHub extorted after hackers steal Premium member activity data
## Lawrence Abrams
Adult video platform PornHub is being extorted by the ShinyHunters extortion gang after the search and watch history of its Premium members was reportedly stolen in a recent Mixpanel data breach.
Last week, PornHub disclosed that it was impacted by a recent breach at analytics vendor Mixpanel. Mixpanel suffered a breach on November 8th, 2025, after an SMS phishing (smishing) attack enabled threat actors to compromise its systems.
"A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users," reads a PornHub security notice posted on Friday.
"Specifically, this situation affects only select Premium users. It is important to note
Bleepingcomputer
Checkout.com snubs hackers after data breach, to donate ransom instead
blogs_bleepingcomputer·2025-11-14
Checkout.com snubs hackers after data breach, to donate ransom instead
## Checkout.com snubs hackers after data breach, to donate ransom instead
## Bill Toulas
UK financial technology company Checkout announced that the ShinyHunters threat group has breached one of its legacy cloud storage systems and is now extorting the company for a ransom.
The company says that although the stolen data affects a significant portion of its merchant base, it will not pay a ransom and will instead invest in strengthening its security.
Checkout operates checkout.com and is a global payment processing firm that provides a unified payments API, hosted payment portals, mobile SDK, and plugins to use on existing platforms.
It supports a multitude of payment methods and features fraud detection, identity verification (KYC), and provides a dispute system.
Its systems are inco
Bleepingcomputer
Washington Post data breach impacts nearly 10K employees, contractors
blogs_bleepingcomputer·2025-11-13
Washington Post data breach impacts nearly 10K employees, contractors
## Washington Post data breach impacts nearly 10K employees, contractors
## Bill Toulas
The Washington Post is notifying nearly 10,000 employees and contractors that some of their personal and financial data has been exposed in the Oracle data theft attack.
The news organization is one of the largest daily newspapers in the U.S. with approximately 2.5 million digital subscribers.
Between July 10 and August 22, threat actors accessed parts of its network. They leveraged a vulnerability in Oracle E-Business Suite software that was a zero-day at the time to steal sensitive data.
In late September, the hackers tried to extort the Washington Post, along with other major companies they had breached the same way.
The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite
Bleepingcomputer
CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw
blogs_bleepingcomputer·2025-10-21·CVSS 9.8
CVE-2025-61884 [CRITICAL] CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw
## CISA confirms hackers exploited Oracle E-Business Suite SSRF flaw
## Lawrence Abrams
CISA has confirmed that an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.
BleepingComputer previously reported that CVE-2025-61884 is an unauthenticated server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, which was linked to a leaked exploit used in July attacks.
The US cybersecurity agency is now requiring federal agencies to patch the security vulnerability by November 10, 2025.
Oracle disclosed the flaw on October 11, giving it a 7.5 severity rating and warning that it was easily exploitable and could be used to gain "unauthorized access to critical data or
Tenable
Oracle October Critical Patch Update (CPU) 170 CVEs
blogs_tenable·2025-10-21
Oracle October Critical Patch Update (CPU) 170 CVEs
Bleepingcomputer
American Airlines subsidiary Envoy confirms Oracle data theft attack
blogs_bleepingcomputer·2025-10-17·CVSS 9.8
[CRITICAL] American Airlines subsidiary Envoy confirms Oracle data theft attack
## American Airlines subsidiary Envoy confirms Oracle data theft attack
## Lawrence Abrams
Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer.
"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."
Envoy Air is a subsidiary of American
Bleepingcomputer
Oracle silently fixes zero-day exploit leaked by ShinyHunters
blogs_bleepingcomputer·2025-10-14·CVSS 7.5
CVE-2025-61884 [HIGH] Oracle silently fixes zero-day exploit leaked by ShinyHunters
## Oracle silently fixes zero-day exploit leaked by ShinyHunters
## Lawrence Abrams
Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group.
The flaw was addressed with an out-of-band security update released over the weekend, which Oracle said could be used to access “sensitive resources.”
"This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite," reads Oracle's advisory.
"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitiv
Bleepingcomputer
Oracle releases emergency patch for new E-Business Suite flaw
blogs_bleepingcomputer·2025-10-13·CVSS 9.8
CVE-2025-61884 [CRITICAL] Oracle releases emergency patch for new E-Business Suite flaw
## Oracle releases emergency patch for new E-Business Suite flaw
## Sergiu Gatlan
Oracle has issued an emergency security update over the weekend to patch another E-Business Suite (EBS) vulnerability that can be exploited remotely by unauthenticated attackers.
Tracked as CVE-2025-61884, this information disclosure flaw in the Runtime UI component affects EBS versions 12.2.3 to 12.2.14 and could allow unauthenticated threat actors to steal sensitive data remotely following successful exploitation.
"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible," Oracle sa
Tenable
CVE-2025-61882 Cl0p Exploited Oracle Zero-Day | Tenable®
blogs_tenable·2025-10-05·CVSS 9.8
CVE-2025-61884 [CRITICAL] CVE-2025-61882 Cl0p Exploited Oracle Zero-Day | Tenable®
Update October 14: This FAQ blog has been updated to include information on an additional zero-day flaw, CVE-2025-61884, that was reportedly exploited and part of a leaked proof-of-concept exploit referenced in the advisory for CVE-2025-61882 as well as plugin coverage for this new flaw.
Update October 6: This FAQ blog has been updated to include confirmation of public proof-of-concept exploits and clarification around prerequisites for patching CVE-2025-61882.
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
Greynoiseio
NoiseLetter November 2025
blogs_greynoiseio
NoiseLetter November 2025
- https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
- https://blogs.oracle.com/security/post/apply-july-2025-cpu
- https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884
- 2025-10-12: Published
- 2025-10-20: Added to CISA KEV
- Exploited in the wild