Advisory

Oracle E-Business Suite reports another vulnerability during rising ransomware threats

Take action: If you're running Oracle E-Business Suite, check Oracle's Patch Update program and plan for another quick update. It's not clear whether this vulnerability is actively exploited, but given the recent wave of Oracle E-Business Suite exploits, treat this as urgent as well. You don't want a repeat of the previous attack cycle.


Learn More

Oracle has disclosed a high-severity security vulnerability in its E-Business Suite. 

The flaw is tracked as CVE-2025-61884 (CVSS score 7.5), an easily exploitable vulnerability in the Runtime user interface of the Oracle Configurator component. According to Oracle's official security alert, attackers with network access via HTTP can remotely exploit this flaw to compromise Oracle Configurator systems and "may allow access to sensitive resources".

Affected versions are Oracle E-Business Suite 12.2.3 through 12.2.14. At least one security researcher confirmed that the earlier version 12.1.3 is also vulnerable. Oracle warns that the advisory may change in the coming days as it continues to assess the full scope of affected versions.

Oracle did not disclose whether CVE-2025-61884 is being actively exploited, but the timing of this disclosure is very alarming given the recent exploitation of Oracle E-Business Suite and the previously reported emergency security alert for CVE-2025-61882.

Oracle strongly recommends that customers apply the updates or mitigations provided through its Critical Patch Update program as soon as possible.

CISA has confirmed that an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is actively exploited in attacks.
