Oracle has issued a security update to address a high-severity vulnerability in its E-Business Suite (EBS) software that could let attackers access sensitive data remotely, without needing to authenticate.
This is a newly disclosed flaw, distinct from an earlier vulnerability affecting Oracle E-Business Suite systems.
The flaw, tracked as CVE-2025-61884, impacts EBS versions 12.2.3 through 12.2.14 and has been assigned a CVSS score of 7.5.
According to the National Vulnerability Database, the “easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”
Oracle confirmed that the vulnerability is remotely exploitable without authentication, emphasizing the importance of applying the patch promptly. The company has not reported any confirmed exploitation in the wild.
“Oracle has just released Security Alert CVE-2025-61884. This vulnerability affects some deployments of Oracle E-Business Suite,” said Rob Duhart, Oracle’s Chief Security Officer. “If successfully exploited, this vulnerability may allow access to sensitive resources.”
The update follows recent reports from Google Threat Intelligence Group (GTIG) and Mandiant, which disclosed that dozens of organizations may have been affected by the earlier zero-day CVE-2025-61882.
In those attacks, threat actors leveraged vulnerabilities in EBS to deploy malware families such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. While the activity is linked to hacking groups with potential ties to the Cl0p ransomware crew, GTIG and Mandiant have not definitively attributed the campaigns to a single actor.
“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations,” John Hultquist, chief analyst of GTIG at Google Cloud, shared in a statement with The Hacker News. “Some historic Cl0p data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.”
The emergence of CVE-2025-61884 underscores the ongoing risks facing EBS customers. Organizations are encouraged to install Oracle’s patch without delay and review access controls for Oracle Configurator components to minimize potential exposure.
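To act on that advice, a defender first needs to know which instances fall inside the stated affected range (12.2.3 through 12.2.14) and which of those still lack the Security Alert patch. The following is an added triage script, not code from Oracle or from the article. It compares versions numerically (a plain string comparison ranks "12.2.14" below "12.2.3" and would miss the newest affected release) and ranks instances by urgency. The inventory records, the `alert_patch_applied` and `configurator_deployed` fields and the host names are constructed for illustration; in practice they would come from your asset register or patch-management data.

```python
import re
from typing import Dict, List, Tuple

# Affected range taken from the advisory text for CVE-2025-61884 (inclusive).
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Lower rank sorts first: the most urgent instances come out on top.
_STATUS_RANK = {
    "URGENT: affected, unpatched, Configurator deployed": 0,
    "affected, unpatched (Configurator not deployed; patch anyway)": 1,
    "patched": 2,
    "outside the advisory's stated range": 3,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Convert '12.2.14' to (12, 2, 14) so the comparison is numeric.

    As strings, '12.2.14' < '12.2.3', so a naive lexical check would
    treat the newest affected release as older than the oldest one.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){0,2}", text):
        raise ValueError(f"unrecognised EBS version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))  # pad '12.2' to (12, 2, 0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range, inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Classify each EBS instance and return (host, status), most urgent first."""
    results: List[Tuple[str, str]] = []
    for item in inventory:
        host = str(item["host"])
        version = str(item["version"])
        patched = bool(item.get("alert_patch_applied", False))
        configurator = bool(item.get("configurator_deployed", False))

        if not is_affected(version):
            status = "outside the advisory's stated range"
        elif patched:
            status = "patched"
        elif configurator:
            status = "URGENT: affected, unpatched, Configurator deployed"
        else:
            status = "affected, unpatched (Configurator not deployed; patch anyway)"
        results.append((host, status))

    results.sort(key=lambda pair: _STATUS_RANK[pair[1]])
    return results


# Constructed sample inventory (hypothetical hosts and patch state).
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "ebs-prod-01", "version": "12.2.14",
     "alert_patch_applied": False, "configurator_deployed": True},
    {"host": "ebs-prod-02", "version": "12.2.9",
     "alert_patch_applied": True, "configurator_deployed": True},
    {"host": "ebs-dev-01", "version": "12.2.3",
     "alert_patch_applied": False, "configurator_deployed": False},
    {"host": "ebs-legacy", "version": "12.1.3",
     "alert_patch_applied": False, "configurator_deployed": True},
]


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

An instance reported as outside the stated range is not thereby known to be safe; it is simply not covered by this advisory, so the script labels it that way rather than as "unaffected". Instances with the Configurator module deployed are ranked first because the advisory names Oracle Configurator as the component an unauthenticated HTTP client can reach.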
The Big Picture
This latest flaw highlights how even high-profile enterprise software can carry vulnerabilities that allow unauthorized data access. For businesses running E-Business Suite, timely patching is critical to stop attackers from exploiting remotely accessible systems, compromising sensitive information, and deploying malware across connected networks.