Oracle E-Business Suite Flaw Enables Remote Code Execution and Data Theft

Oracle has issued a Security Alert for a high-severity vulnerability in its E-Business Suite platform that can be exploited over the network by an attacker holding no credentials to reach sensitive data.

The flaw, identified as CVE-2025-61884, affects multiple versions of the widely used enterprise software and has been assigned a CVSS score of 7.5, indicating high severity.

Critical Vulnerability Exposes Enterprise Data

The vulnerability resides in the Oracle Configurator Runtime UI component of Oracle E-Business Suite and can be exploited remotely over a network without requiring a username or password.

Because no credentials are needed, the flaw is particularly dangerous: any instance whose Configurator Runtime UI is reachable from the internet can be targeted directly.

CVE ID         | Product                  | Component                      | Affected Versions | CVSS 3.1 Score
CVE-2025-61884 | Oracle E-Business Suite  | Oracle Configurator Runtime UI | 12.2.3 - 12.2.14  | 7.5 (High)

Oracle’s security advisory emphasizes that successful exploitation may provide unauthorized access to sensitive organizational resources and confidential data.

The vulnerability affects Oracle E-Business Suite versions 12.2.3 through 12.2.14, encompassing a significant portion of current enterprise deployments.

The flaw is reachable over HTTP and carries a CVSS Attack Complexity of Low, meaning threat actors need neither credentials nor sophisticated tooling or deep technical knowledge to exploit it.

In Oracle's risk matrix the vulnerability has a High confidentiality impact and no integrity or availability impact; a 7.5 base score with network access, low complexity and no privileges is only reachable with exactly that combination. In CVSS terms, then, this is an unauthenticated information-disclosure flaw: the score reflects data exposure, not code execution, which would carry an integrity impact and score considerably higher.

Oracle has released patches for the flaw through this Security Alert and strongly urges customers to apply them immediately.

The company’s security advisory stresses that organizations should prioritize this patch deployment, especially given the vulnerability’s ability to be exploited without authentication.

System administrators can access detailed patch information and installation instructions through Oracle’s support documentation, with specific guidance provided for affected E-Business Suite versions.

The timing of this disclosure is particularly significant, as Oracle typically reserves security alerts for vulnerabilities requiring immediate attention outside of regular Critical Patch Update cycles.

Organizations running affected versions that cannot patch at once should apply compensating controls, such as restricting network access to the Configurator Runtime UI and monitoring for anomalous unauthenticated requests to it, while preparing the emergency patch deployment.

Oracle recommends that customers maintain actively supported versions and implement all security updates promptly to prevent potential exploitation by malicious actors seeking to compromise enterprise systems and steal valuable corporate data.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.