Oracle issues second emergency patch amid active EBS exploitation

Written by Field Effect Security Intelligence Team | Oct 14, 2025 7:31:34 PM

On October 11, 2025, Oracle released an emergency patch for CVE-2025-61884, marking the second out-of-band update for Oracle E-Business Suite (EBS) in less than two weeks.

The vulnerability affects the Runtime User Interface (UI) component of Oracle Configurator, a module within EBS that supports product configuration and user interaction. Versions 12.2.3 through 12.2.14 are impacted.

The flaw is rated 7.5 on the Common Vulnerability Scoring System (CVSS) and allows unauthenticated remote access to sensitive resources over HTTP. While CVE-2025-61884 does not enable code execution, it could provide unauthorized access to business-critical data, which may be used for reconnaissance, lateral movement, or extortion.

BleepingComputer noted active exploitation of CVE-2025-61884, reporting that threat actor ShinyHunters leaked the exploit details online. Oracle has not confirmed whether exploitation is ongoing, but multiple security researchers have flagged the vulnerability as likely chained with other flaws.

Oracle has not published any workarounds for CVE-2025-61884. Organizations running affected versions of Oracle EBS are advised to apply the patch immediately.

Analyst insight

Oracle EBS is a widely deployed enterprise resource planning platform used for financials, supply chain, human resources, and other core business functions. The Runtime UI component is often exposed in externally facing deployments, increasing the risk of exploitation.

Organizations should validate that both Oracle E-Business Suite patches (CVE-2025-61882 and CVE-2025-61884) have been applied and confirm that no rollback or configuration drift has occurred.

Where patching is delayed due to operational constraints, affected organizations are encouraged to isolate vulnerable components from public-facing networks and restrict access to the Runtime UI and BI Publisher Integration modules.

Reviewing firewall rules, access control lists, and reverse proxy configurations may help reduce exposure. Enhanced logging and alerting for Oracle EBS traffic, particularly for anomalous HTTP requests and access attempts to configuration endpoints, are recommended. Detection workflows should incorporate indicators of compromise associated with Clop and ShinyHunters activity.

Organizations with legacy Oracle EBS deployments or limited internal security resources may consider segmenting EBS infrastructure from other enterprise systems and enforcing multi-factor authentication for administrative access. Disabling unused modules and reviewing third-party integration points may further reduce the attack surface.

Field Effect MDR supports these efforts by providing continuous monitoring across endpoints, networks, and cloud environments. It correlates telemetry to detect suspicious activity linked to exploitation of both vulnerabilities and delivers actionable alerts to reduce response times and empower containment.

By leveraging behavioral analytics and threat intelligence, Field Effect MDR can detect early indicators of compromise linked to ransomware groups like Clop and data theft actors such as ShinyHunters.