Oracle Warns of E-Business Suite Bug
A Saturday advisory from Oracle's CISO warned of a vulnerability impacting some deployments of E-Business Suite (CVE-2025-61884).

October 12, 2025 | 2 min read

Oracle on Saturday released a security alert for a vulnerability impacting some deployments of its E-Business Suite (CVE-2025-61884).
The flaw is remotely exploitable without authentication (meaning that it can be exploited over a network sans username or password) and impacts E-Business Suite versions 12.2.3 through 12.2.14.
“This vulnerability has received a CVSS Base Score of 7.5,” according to a Saturday statement released by Oracle Security CISO Rob Duhart. “If successfully exploited, this vulnerability may allow access to sensitive resources.”
The vulnerability specifically exists in the Runtime UI component of Oracle Configurator, which enables users to quickly develop configuration models and configurators.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator,” according to the description of the flaw on the NIST National Vulnerability Database. “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”
The alert comes as Oracle continues to grapple with an extortion campaign linked to Clop, which stemmed from months of intrusion activity targeting Oracle E-Business Suite customer environments. In its investigation of the intrusion activity, Oracle said that threat actors likely exploited flaws in E-Business Suite that were patched in July 2025. Last week, the company also directed customers to apply an urgent patch for a critical flaw impacting E-Business Suite (CVE-2025-61882) versions 12.2.3 through 12.2.14, which threat actors exploited in zero-day attacks as part of the campaign.
More details continue to come to light about Clop’s extortion campaign; just this past week, Mandiant and Google researchers said that the intrusion activity extended back to July 10, with threat actors targeting CVE-2025-61882 on Aug. 9, weeks before a patch was available.
Oracle’s Saturday security release did not give any information about whether the latest flaw in E-Business Suite (CVE-2025-61884) has been exploited in attacks. However, Oracle urged customers to apply the updates as soon as possible.
Lindsey O’Donnell-Welch is an award-winning journalist who strives to shed light on how security issues impact not only businesses and defenders on the front line, but also the daily lives of consumers.