Oracle's E-Business Suite has become the latest target for ransomware groups, with CVE-2025-61884 being actively exploited in the wild. This high-severity vulnerability, which carries a CVSS score of 7.5, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on October 20, 2025, just days after its disclosure. The flaw affects Oracle Configurator, a component of the Oracle E-Business Suite, specifically versions 12.2.3 through 12.2.14.
The vulnerability is particularly concerning due to its ease of exploitation. It allows unauthenticated attackers with network access via HTTP to compromise the Oracle Configurator. The flaw is rooted in multiple weaknesses, including directory traversal (CWE-22), improper neutralization of special elements in output used by a downstream component (CWE-93), and improper authentication (CWE-287). These weaknesses enable attackers to execute arbitrary code and potentially steal sensitive data without needing to log in.
Ransomware groups such as 0apt, Clop, ShinyHunters, and Sinobi have been linked to the exploitation of this vulnerability. The rapid exploitation timeline, with a Time to Exploit (TTE) of just 7.9 days, underscores the urgency for organizations to patch affected systems immediately. The vulnerability's exploitation has been facilitated by a leaked zero-day exploit, reportedly disseminated by the ShinyHunters group, which has further accelerated its adoption by malicious actors.
Oracle responded swiftly by issuing an emergency security update to address the flaw. However, the damage potential remains significant, as the vulnerability allows for remote theft of sensitive data, which can be leveraged for further attacks or sold on underground markets. The Security Severity Value Classification (SSVC) for this vulnerability is marked as "act," indicating that immediate action is necessary to mitigate the risk.
Organizations using Oracle E-Business Suite should prioritize the application of the available patches to protect their systems from potential compromise. Additionally, security teams should monitor network traffic for signs of exploitation attempts and review access logs for any unauthorized activities.
The inclusion of CVE-2025-61884 in the KEV catalog highlights the critical nature of this vulnerability and the need for vigilance among organizations relying on Oracle's software. As ransomware groups continue to exploit such vulnerabilities, maintaining up-to-date security measures and promptly applying patches remain essential strategies for safeguarding sensitive data and ensuring operational continuity.
CSURFACE