Oracle E-Business Suite security vulnerability (CVE-2025-61884)

CVE-2025-61884 is a high-severity security vulnerability in the Oracle E-Business Suite (EBS), specifically in the Oracle Configurator product's Runtime UI component. The flaw allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator and gain unauthorized access to sensitive data. Because the affected component is often exposed to internal and external networks, exploitation could enable further reconnaissance or lateral movement within enterprise systems connected to Oracle EBS, increasing overall business risk.

The vulnerability arises from improper validation of input paths and requests, leading to issues such as path traversal and server-side request forgery (SSRF). Successful exploitation can allow attackers to read confidential files or make arbitrary network requests from the EBS server, which may expose internal systems and data.

It is remotely exploitable without user interaction or credentials. The primary impact is on confidentiality, with potential exposure of configuration, financial, or customer data processed within EBS.

Affected Versions: Oracle E-Business Suite 12.2.3 through 12.2.14.
Mitigation: Oracle has issued patches through the October 2025 Critical Patch Update. Organizations unable to patch immediately should restrict HTTP/HTTPS access to the Configurator component and monitor for abnormal network activity.
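As an added defender-side example (not part of the advisory or of Oracle's own tooling), the following scanner walks constructed access-log lines and flags, for requests reaching the Configurator component, the two request patterns the advisory names: path traversal sequences (including double percent-encoding) and parameters that carry an absolute URL, with an extra tag when that URL points at an internal host. The `/configurator/` prefix, the NCSA-style log format and the sample lines are assumptions, not values from the advisory.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed Configurator URL prefix (a placeholder, not taken from the advisory) and an NCSA-style log regex.
CONFIGURATOR_PREFIX = "/configurator/"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

def fully_decode(value):
    return unquote(unquote(value))  # two rounds, so double-encoded %252e%252e is seen as '..'

def has_traversal(value):
    """True if any segment (after decoding, with '\\' treated as '/') is '..'."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def url_target(value):
    """If a value is itself an absolute URL, return (host, points_to_internal_host); else (None, False)."""
    parts = urlsplit(fully_decode(value))
    if not (parts.scheme and parts.netloc):
        return None, False
    try:
        ip = ip_address(parts.hostname)
        return parts.hostname, ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return parts.hostname, parts.hostname == "localhost"

def scan_line(line):
    """Return finding tags for one access-log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    parts = urlsplit(m.group("target")) if m else None
    if parts is None or not fully_decode(parts.path).startswith(CONFIGURATOR_PREFIX):
        return []  # only requests that reach the affected component are of interest here
    findings = ["path-traversal:path"] if has_traversal(parts.path) else []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if has_traversal(value):
            findings.append(f"path-traversal:{name}")
        host, internal = url_target(value)
        if host:
            findings.append(f"url-in-parameter:{name}")
            if internal:
                findings.append(f"internal-target:{host}")
    return findings

# Constructed sample log lines (not real traffic); addresses, paths and parameters are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Oct/2025:10:01:02 +0000] "GET /configurator/ui?config=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Oct/2025:10:01:03 +0000] "GET /configurator/ui?tpl=..%252F..%252Fapp.conf HTTP/1.1" 200 1024',
    '203.0.113.7 - - [14/Oct/2025:10:01:04 +0000] "GET /configurator/ui?return_url=http://10.0.0.8/ HTTP/1.1" 302 0',
    '198.51.100.2 - - [14/Oct/2025:10:01:05 +0000] "GET /other/index.html HTTP/1.1" 200 2048',
]
```

Run `scan_line` over each line of the real access log with the prefix adjusted to the deployment; any non-empty result from an external source address is worth a closer look until the October 2025 patch is applied.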

See more details on: