CVE-2025-61884
published 2025-10-12


Priority: P1
Severity: high, CVSS 3.1 base score 7.5
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, remediation due 2025-11-10
Exploited in the wild
EPSS: 97.58% (99.9th percentile)
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Affected (2 ranges)

Vendor              Product              Version range      Fixed in
oracle              configurator         12.2.3 – 12.2.14
oracle_corporation  oracle_configurator  12.2.3 – 12.2.14

Detection & IOCs (extracted from sources)

path:  /configurator/UiServlet
path:  /OA_HTML/SyncServlet
other: return_url (request parameter)
  • CVE-2025-61884 is an unauthenticated pre-authentication Server-Side Request Forgery (SSRF) vulnerability in the Oracle Configurator Runtime UI component (UiServlet). Monitor HTTP requests to /configurator/UiServlet for unauthenticated access attempts, especially those supplying a manipulated 'return_url' parameter.
  • The patch for CVE-2025-61884 validates the attacker-supplied 'return_url' parameter via regex. Detect exploitation attempts by alerting on requests to /configurator/UiServlet containing unexpected or external URLs in the 'return_url' parameter.
  • watchTowr Labs confirmed the ShinyHunters leaked PoC targets the UiServlet SSRF attack chain specifically, not the SyncServlet chain. Prioritize detection on /configurator/UiServlet over /OA_HTML/SyncServlet for CVE-2025-61884.
  • Exploitation of CVE-2025-61884 was observed as early as July 2025. Threat actors include ShinyHunters / Scattered Lapsus$ Hunters who leaked a public PoC on Telegram. Treat any unpatched Oracle EBS 12.2.3–12.2.14 instance as actively targeted.
  • Check Point IPS, Threat Emulation and Harmony Endpoint provide signature-based coverage for this CVE. Reference signature: 'Oracle Multiple Products Remote Code Execution (CVE-2025-61882, CVE-2025-61884)'.
  • Oracle did not publicly disclose that CVE-2025-61884 was actively exploited at the time of patching, and initially misattributed the ShinyHunters PoC as an IOC for CVE-2025-61882. Defenders should treat both CVEs as distinct exploit chains requiring separate patches.
  • The fix for CVE-2025-61884 was delivered as an out-of-band security update separate from the October 4 patch for CVE-2025-61882. Applying only the CVE-2025-61882 patch leaves the SSRF component exploitable; both patches must be applied.
  • Mandiant assessed that Oracle EBS servers updated through the October 4 patch are likely no longer vulnerable to known Clop (CVE-2025-61882) exploitation chains, but this does not cover CVE-2025-61884, which requires the subsequent out-of-band patch.
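The detection guidance above (alert on requests to /configurator/UiServlet whose return_url points at an unexpected or external host) as a runnable example, added here and not part of the original record or of any vendor tooling. It assumes access logs in the common combined format, an allowlist of the EBS instance's own hostnames (ebs.example.internal is a placeholder), and also watches /OA_HTML/SyncServlet at lower severity; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hostnames that return_url may legitimately point at (assumption: replace
# with the external names of your own EBS deployment).
ALLOWED_HOSTS = {"ebs.example.internal"}
# Paths from the IOC list above, with the severity to assign to an alert.
WATCHED_PATHS = {"/configurator/UiServlet": "high", "/OA_HTML/SyncServlet": "medium"}

# Combined log format: client - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def return_url_is_suspicious(value):
    """True if return_url would send the server anywhere but an allowed host."""
    v = unquote(value).strip()          # second decode catches double-encoded values
    if v.startswith("//"):              # protocol-relative: host chosen by the client
        return True
    parts = urlsplit(v)
    if parts.scheme or parts.netloc:    # absolute URL: http(s) only, host on allowlist
        # .hostname ignores userinfo, so "http://allowed@evil/" resolves to evil
        return parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS
    return False                        # plain relative path: stays on this server

def scan_log(lines):
    """Return (src, path, return_url, severity) for each watched-path request with a suspicious return_url."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        severity = WATCHED_PATHS.get(path)
        if severity is None:
            continue
        for ru in parse_qs(query).get("return_url", []):
            if return_url_is_suspicious(ru):
                alerts.append((m.group("src"), path, unquote(ru), severity))
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not real traffic (RFC 5737 test addresses)
    '203.0.113.7 - - [12/Oct/2025:10:01:02 +0000] "GET /configurator/UiServlet?return_url=http%3A%2F%2F198.51.100.9%2Fcb HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Oct/2025:10:01:05 +0000] "GET /configurator/UiServlet?return_url=%2FOA_HTML%2FRF.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Oct/2025:10:01:09 +0000] "GET /OA_HTML/SyncServlet?return_url=%2F%2F198.51.100.9%2F HTTP/1.1" 200 88',
    '10.0.0.8 - - [12/Oct/2025:10:01:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT", *alert)
```

The second sample line (a relative return_url) and the fourth (an unrelated path) produce no alert; the first and third do.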

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck           7.5    HIGH
cisa                7.5    HIGH