Oracle has revealed a serious vulnerability in its E-Business Suite that permits unauthenticated intruders to remotely access confidential information, raising concerns for businesses depending on the platform for essential functions.
Referred to as CVE-2025-61884, this flaw impacts the Oracle Configurator component and was outlined in a security advisory issued on October 11, 2025.
This announcement follows closely on the heels of another exploited vulnerability within E-Business Suite, CVE-2025-61882, emphasizing ongoing security issues within Oracle’s enterprise resource planning software.
The vulnerability enables attackers to bypass authentication over HTTP, potentially exposing configuration data that is crucial for business operations such as finance and supply chain management.
Oracle E-Business Suite RCE Vulnerability
CVE-2025-61884 is located in the Runtime UI of Oracle Configurator, a module designed for overseeing product and service configurations within the E-Business Suite.
Attackers with network access can take advantage of this flaw without needing credentials, leading to unauthorized data extraction or enumeration. The vulnerability arises from an authentication bypass mechanism; however, specific technical details such as affected endpoints are not disclosed to avert broad misuse.
Oracle assigns a CVSS 3.1 base score of 7.5 to this issue, categorizing it as high severity due to its ease of exploitation. No credits are attributed to external researchers, implying internal discovery by Oracle’s security team.
The following table summarizes the critical aspects of the vulnerability:
CVE ID | Affected Component | Protocol | CVSS Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact | Supported Versions |
---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2025-61884 | Oracle Configurator (Runtime UI) | HTTP | 7.5 | Network | Low | None | None | Unchanged | High | None | None | 12.2.3-12.2.14 |
This summary highlights the remote, unauthenticated nature of the threat, which makes it a concern for any internet-facing deployment.
Successful exploitation could grant intruders complete access to all Oracle Configurator data, including sensitive business configurations that influence operational choices.
For organizations in industries like manufacturing or retail, this implies exposure of proprietary models, pricing tactics, and customer information, possibly resulting in competitive disadvantages or regulatory non-compliance.
The high confidentiality impact without affecting integrity or availability positions it as a vector for data exfiltration rather than a disruptive assault.
Given the recent exploitation of CVE-2025-61882 by ransomware groups such as Cl0p, security professionals caution that CVE-2025-61884 could be targeted in the same way, particularly as proof-of-concept exploits for similar flaws are circulating. Enterprises with unpatched E-Business Suite instances face heightened risk, especially if those instances are exposed to the public internet.
Mitigations
Oracle urges immediate implementation of the released patches for versions 12.2.3 through 12.2.14, accessible through the Security Alert program for supported releases under Premier or Extended Support.
Customers on outdated versions should upgrade to maintained branches, as earlier releases such as 12.1.3 may also be affected even though they were not tested.
Additional protections involve network segmentation to restrict HTTP access to the Configurator UI and monitoring for unusual request patterns.
Oracle’s advisory provides comprehensive patch instructions through support documents, emphasizing the Lifetime Support Policy for ongoing protection.
While no active exploitation has been confirmed for this CVE, the recent pattern of rapid attacks on E-Business Suite makes prompt action necessary to secure sensitive resources.