
Oracle Releases Security Advisory to address CVE-2025-61884 affecting E-Business Suite


Summary

Oracle has released an out-of-band security update addressing CVE-2025-61884, which, if successfully exploited, could lead to unauthenticated information disclosure


Threat details

Public proof-of-concept exploit reportedly available for CVE-2025-61884

The NHS England National CSOC is aware of reports that a proof-of-concept exploit exists for CVE-2025-61884. The National CSOC assess it is highly likely cyber criminals will use this proof-of-concept exploit opportunistically against unpatched Oracle E-Business Suite deployments.


Introduction

Oracle has released a security update to address a high-severity vulnerability in the Runtime UI component of the Oracle Configurator product within E-Business Suite.


Vulnerability Details

  • CVE-2025-61884 has a CVSSv3 score of 7.5. Successful exploitation could allow a remote, unauthenticated attacker to access sensitive resources or critical data, or to gain complete access to all data accessible to Oracle Configurator.

Threat updates

Date: 16 Oct 2025
Update: Severity changed to High

The following items have been updated to reflect this change:

  • Proof-of-concept emphasis box
  • Vulnerability details
  • Remediation advice

Remediation advice

Affected organisations must review Oracle's Security Alert Advisory - CVE-2025-61884 and apply the relevant update as soon as possible. Organisations that are using Oracle E-Business Suite but are unaffected must report their version number or mitigating control in their response to this alert.

Note: Organisations running "sustaining support" or end-of-life releases of Oracle E-Business Suite must upgrade to a supported version. Oracle E-Business Suite releases r11, r12.0, and r12.1 are in Oracle's "sustaining support" lifecycle stage and do not receive security patches.



Last edited: 16 October 2025 1:44 pm