
Oracle E-Business Suite Hit by New High-Severity Vulnerability (CVE-2025-61884)

Overview

Oracle has disclosed a new high-severity vulnerability, CVE-2025-61884, affecting Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14, as documented in My Oracle Support (MOS) Note 3107176.1.

This disclosure comes shortly after another serious security issue, CVE-2025-61882, announced on October 4, 2025, which has already been actively exploited in the wild.

Together, these vulnerabilities reinforce the critical need for timely patching, strict access controls, and continuous monitoring for organizations running Oracle EBS—whether on-premises or in cloud environments.

CVE-2025-61884 — What We Know So Far

  • Affected Component: Oracle Configurator (Runtime UI)
  • Affected Versions: EBS 12.2.3 to 12.2.14
  • Severity: High (CVSS v3.1 Base Score: 7.5)
  • Attack Vector: Network (Unauthenticated HTTP access)
  • MOS Reference: Doc ID 3107176.1

This vulnerability allows unauthenticated network access to the Oracle Configurator Runtime UI, potentially exposing sensitive configuration data or enabling unauthorized access to internal system resources.

Oracle has released a security patch to remediate the issue, available via the Patch Availability Document in MOS. In addition to patching, Oracle recommends post-patch validation steps and restricting access to Configurator-related URLs.

CVE-2025-61882 — The Earlier Critical Vulnerability Still Requires Urgent Attention

  • Affected Component: Oracle Concurrent Processing / BI Publisher Integration
  • Severity: Critical — Remote Code Execution (RCE)
  • MOS Reference: Doc ID 3106344.1
  • Status: Actively exploited

CVE-2025-61882 exposes an RCE vulnerability that can be triggered via HTTP requests, allowing attackers to execute arbitrary code on EBS application servers. This issue has been actively exploited by threat actors, including ransomware groups, prompting urgent advisories from Oracle and cybersecurity agencies.

Organizations should immediately verify that:

  • The patch for CVE-2025-61882 has been applied
  • All prerequisite CPU/PSU baseline patches are in place
  • Logs and systems have been reviewed for indicators of compromise (IOCs)

Key Differences Between CVE-2025-61882 and CVE-2025-61884

Aspect                | CVE-2025-61882                           | CVE-2025-61884
Severity              | Critical (RCE)                           | High (Unauthorized Access)
Attack Vector         | HTTP – Remote Code Execution             | HTTP – Configurator Runtime UI
Exploitation Status   | Actively exploited                       | No public exploit observed
MOS Note              | 3106344.1                                | 3107176.1
Additional Mitigation | IOC scanning, log analysis, baseline CPUs | Restrict Configurator access, post-patch hardening

Recommended Actions for Oracle EBS Administrators

  • Apply patches for both CVEs immediately following Oracle MOS guidance
  • Validate all patch prerequisites (CPU/PSU dependencies)
  • Restrict HTTP access to Configurator and BI Publisher components to trusted users only
  • Enable Web Application Firewall (WAF) protections for known exploit patterns
  • Conduct threat hunting using:
    • HTTP access logs
    • BI Publisher logs
    • Concurrent Manager trace files
  • Regularly monitor Oracle’s Security Alert portal and subscribe to Critical Patch Update (CPU) notifications
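As a worked illustration of the two access-control and threat-hunting items above, the following script sweeps web-tier HTTP access logs for Configurator Runtime UI requests that originate outside the networks you have decided may reach it. It is an added example written for this post, not Oracle code or a tool from the MOS notes. It assumes the Apache/OHS "combined" log format, assumes `/OA_HTML/configurator/` as the URL prefix for the Configurator runtime UI (take the authoritative list of Configurator-related URLs from MOS Note 3107176.1), and uses constructed trusted networks and constructed log lines.

```python
import ipaddress
import re
from collections import Counter

# Apache/OHS "combined" access-log format. The exact format on a given EBS
# web tier is an assumption here; check it against the live configuration.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# URL prefix(es) for the Configurator runtime UI. Assumed for this example;
# the authoritative list of Configurator URLs comes from MOS Note 3107176.1.
CONFIGURATOR_PREFIXES = ("/OA_HTML/configurator/",)

# Networks permitted to reach the Configurator UI (constructed values).
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text, trusted=TRUSTED_NETS):
    """True if the client address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # A malformed address is never treated as trusted.
        return False
    return any(ip in net for net in trusted)


def hunt(lines, prefixes=CONFIGURATOR_PREFIXES, trusted=TRUSTED_NETS):
    """Flag Configurator requests that come from outside the trusted networks.

    Returns (hits, per_source): hits is the list of parsed offending records,
    per_source counts hits per client IP. Lines that do not parse are skipped
    rather than raised so one odd line does not abort the whole sweep.
    """
    hits = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].startswith(prefixes):
            continue
        if is_trusted(rec["ip"], trusted):
            continue
        hits.append(rec)
        per_source[rec["ip"]] += 1
    return hits, per_source


# Constructed sample log lines: addresses, timestamps and sizes are made up.
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Oct/2025:09:12:01 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2025:09:13:44 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2025:09:13:45 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 812',
    '198.51.100.9 - - [10/Oct/2025:09:15:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    'this line is not in the expected format',
]


if __name__ == "__main__":
    hits, per_source = hunt(SAMPLE_LOG)
    for ip, n in per_source.most_common():
        print(f"{ip}: {n} Configurator request(s) from outside trusted networks")
    for rec in hits:
        print(f'  {rec["ts"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
```

Run it against the real access logs by feeding the file's lines to `hunt()` and by replacing `TRUSTED_NETS` with the ranges your WAF, load balancer or security list actually permits; any non-empty `per_source` is a gap between the access restriction you intend and the traffic the web tier is actually serving, and is a starting point for the IOC review rather than a verdict on its own.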

Why This Matters

Oracle E-Business Suite remains a mission-critical platform for finance, supply chain, HR, and manufacturing operations across many enterprises. Due to its business importance and frequent internet exposure, EBS environments are a high-value target for attackers.

Prompt patching combined with network hardening and continuous monitoring significantly reduces risk. Organizations running EBS on Oracle Cloud Infrastructure (OCI) or private cloud platforms should also ensure security lists, load balancers, and WAF rules are properly configured and up to date.

Final Thoughts

The rapid emergence of two major vulnerabilities highlights the importance of a proactive security posture for Oracle ERP environments. Staying current with patches, enforcing least-privilege access, and maintaining close collaboration between DBA, system, and security teams is essential.

For detailed technical guidance, refer to:

  • CVE-2025-61882 — MOS Note 3106344.1
  • CVE-2025-61884 — MOS Note 3107176.1
