Cybersecurity Threat Advisory: Oracle E-Business Suite vulnerability

Oracle has issued a warning about a new security flaw in its E-Business Suite (EBS), tracked as CVE-2025-61884, with a CVSS score of 7.5. This vulnerability is remotely exploitable without authentication via HTTP and targets Oracle Configurator, a module used within EBS. Review the details in this Cybersecurity Threat Advisory to help mitigate the effects of this vulnerability.

What is the threat?

The vulnerability poses a serious threat to enterprises running Oracle EBS, which supports essential functions including finance, manufacturing, and supply chain management. If exploited, the flaw could allow attackers to bypass authentication entirely and access sensitive data.

Why is it noteworthy?

The flaw resides in the Runtime UI of Oracle Configurator, which is used to manage product and service configurations. According to Oracle and NIST, successful exploitation could allow attackers to retrieve configuration or system data without credentials. Because it primarily impacts confidentiality, CVE-2025-61884 is considered a data exfiltration risk rather than a denial-of-service (DoS) vulnerability.

What is the exposure or risk?

The vulnerability affects Oracle EBS versions 12.2.3 through 12.2.14. It is network-accessible, low in complexity, and requires no user interaction or privileges, making it especially dangerous for internet-facing deployments. Attackers can exploit it remotely over HTTP without needing insider access or privilege escalation, putting critical enterprise data at risk.
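The affected range above can be turned into a patch-triage pass over an asset inventory. The following is an added example, not part of the original advisory or any Oracle or Barracuda tooling; the CSV column names, host names and status labels are assumptions, and an in-range release means "verify the patch is applied", not "confirmed unpatched".

```python
import csv
import io

# Affected range as stated in the advisory: Oracle EBS 12.2.3 through 12.2.14.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)
PRIORITY = ["urgent", "affected", "review", "out_of_range"]

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """host,ebs_release,internet_facing
ebs-prod-01,12.2.10,yes
ebs-dr-01,12.2.3,no
ebs-legacy-01,12.1.3,yes
ebs-test-01,12.2.14,no
ebs-dev-01,12.2,no
ebs-unknown-01,unknown,yes
"""

def parse_release(text):
    """Return (major, minor, patch), or None when the value is not a full x.y.z release."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts[:3])

def classify(release_text, internet_facing):
    release = parse_release(release_text)
    if release is None:
        return "review"  # incomplete or unknown version: confirm by hand
    # Tuple comparison is numeric, so 12.2.10 sorts after 12.2.3.
    # A plain string comparison would sort it before 12.2.3 and miss it.
    if AFFECTED_MIN <= release <= AFFECTED_MAX:
        # Internet-facing instances in range are patched first.
        return "urgent" if internet_facing else "affected"
    return "out_of_range"

def triage(csv_text):
    """Return [(host, status)] ordered by patching priority."""
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [
        (r["host"], classify(r["ebs_release"], r["internet_facing"].strip().lower() == "yes"))
        for r in rows
    ]
    return sorted(results, key=lambda item: PRIORITY.index(item[1]))

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{status:13} {host}")
```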

What are the recommendations?

Barracuda recommends the following to mitigate the effects of this vulnerability:

  • Apply the latest patches to ensure all systems are up-to-date.
  • Migrate from unsupported or outdated versions and apply configuration hardening baselines to reduce exposure.
  • Perform frequent vulnerability scans, maintain secure offline backups, and update incident response plans to address enterprise resource planning (ERP) specific threats.

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
