CISA has confirmed that an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.
BleepingComputer previously reported that CVE-2025-61884 is an unauthenticated server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, which was linked to a leaked exploit used in July attacks.
The US cybersecurity agency is now requiring federal agencies to patch the security vulnerability by November 10, 2025.
Oracle disclosed the flaw on October 11, giving it a 7.5 severity score and warning that it was easily exploitable and could be used to gain “unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”
However, Oracle has not disclosed that the vulnerability was previously exploited, despite BleepingComputer confirming that the update blocks the exploit leaked by ShinyHunters and the Scattered Lapsus$ extortion group.
Oracle E-Business Suite under attack
In early October, Mandiant revealed that the Clop ransomware gang had begun sending extortion emails to companies, claiming that they had stolen data from Oracle E-Business Suite instances using zero-day flaws.
Oracle responded to this news by stating that the threat actors had exploited previously patched flaws disclosed in July.
On October 3, ShinyHunters leaked an Oracle exploit on Telegram, indicating it was used by Clop. The next day, Oracle disclosed CVE-2025-61882, listing the leaked proof-of-concept as one of its indicators of compromise (IOCs).
However, investigations by CrowdStrike and Mandiant revealed that Oracle EBS had been targeted in two different campaigns.
- July campaign: Used an exploit that targeted an SSRF flaw in the “/configurator/UiServlet” endpoint, which is now confirmed as CVE-2025-61884.
- August campaign: Used a different exploit against the “/OA_HTML/SyncServlet” endpoint, which was fixed under CVE-2025-61882 via mod_security rules that block the endpoint and by stubbing out the SYNCSERVLET class. This flaw is attributed to Clop.
watchTowr Labs also published an analysis of the leaked ShinyHunters exploit, confirming it targeted the UiServlet SSRF attack chain and not the SyncServlet one.
Oracle disclosed CVE-2025-61884 on October 11 but did not confirm whether it had been exploited, despite having fixed the flaw used in the July attacks.
BleepingComputer has learned that the patch for CVE-2025-61884 addresses the flaw by validating the attacker-supplied “return_url” parameter against a regular expression. If the validation fails, the request is blocked.
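For defenders who want to check their own web server logs for the two endpoints named above, and to see what a same-site “return_url” check of the kind the patch performs looks like, here is an added example. It is not Oracle’s code or its actual regular expression, which has not been published; the trusted hostname, the allowlist regex, and the sample log lines are all constructed assumptions. It flags any request to the blocked SyncServlet endpoint and any UiServlet request whose return_url does not stay on the EBS host.

```python
"""Defender-side triage of web access logs for the two Oracle EBS endpoints named in the
article, plus a return_url allowlist check similar in spirit to the CVE-2025-61884 patch.
Added example, not Oracle's code; the regex, hostnames and log lines are assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the article (July campaign and August campaign respectively).
UISERVLET = "/configurator/UiServlet"
SYNCSERVLET = "/OA_HTML/SyncServlet"

# Hypothetical allowlist of hosts a return_url may point to (assumption, not Oracle's list).
TRUSTED_HOSTS = {"ebs.example.internal"}

# Same-site relative path: exactly one leading slash, so the scheme-relative "//host" form fails.
RELATIVE_PATH_RE = re.compile(r"/(?!/)[A-Za-z0-9_./?&=%~-]*")

# Apache/NCSA combined log format; the constructed SAMPLE_LOG below follows it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def return_url_allowed(value, trusted_hosts=TRUSTED_HOSTS):
    """Return True only for a same-site relative path or an http(s) URL whose host is trusted."""
    if not value:
        return False
    value = unquote(value)  # a second decode catches a double-encoded scheme or "//" prefix
    if RELATIVE_PATH_RE.fullmatch(value):
        return True
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return False
    # urlsplit separates userinfo, so "http://trusted@203.0.113.9/" yields host 203.0.113.9
    # and is rejected; hostname is also lower-cased, so case games do not help either.
    return parts.hostname in trusted_hosts


def triage_access_log(lines):
    """Return (source_ip, endpoint, reason) tuples for log lines that deserve review."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = urlsplit(m["target"])
        if target.path == SYNCSERVLET:
            # The fix blocks this endpoint outright, so any request to it is worth a look.
            findings.append((m["src"], SYNCSERVLET, "request to blocked SyncServlet endpoint"))
        elif target.path == UISERVLET:
            for ru in parse_qs(target.query).get("return_url", []):
                if not return_url_allowed(ru):
                    findings.append((m["src"], UISERVLET, f"untrusted return_url {ru!r}"))
    return findings


# Constructed sample log lines: one off-host return_url, one legitimate relative one,
# one hit on the blocked endpoint, and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2025:10:15:01 +0000] "GET /configurator/UiServlet?return_url=http://203.0.113.9/x HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Oct/2025:10:15:02 +0000] "GET /configurator/UiServlet?return_url=/OA_HTML/AppsLogin HTTP/1.1" 200 734',
    '10.0.0.7 - - [12/Oct/2025:10:15:03 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 403 0',
    '10.0.0.8 - - [12/Oct/2025:10:15:04 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, endpoint, reason in triage_access_log(SAMPLE_LOG):
        print(f"{src} {endpoint}: {reason}")
```

The allowlist shape matters more than the exact pattern: accepting only a relative path or a URL whose host is on a short trusted list is the conservative way to validate a redirect or fetch target, and it is what an SSRF fix on a parameter like return_url needs to achieve. Running the script on the constructed lines reports the off-host return_url from 10.0.0.5 and the SyncServlet request from 10.0.0.7 and stays silent on the other two.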
To this day, it remains unclear why Oracle listed the ShinyHunters exploit as an IOC for CVE-2025-61882, when it is actually intended for CVE-2025-61884. Unfortunately, Oracle has not responded to BleepingComputer’s emails about the incorrect IOC.
BleepingComputer has once again contacted Oracle about whether they will now mark the CVE-2025-61882 flaw as exploited, but did not receive a reply to our email.