Oracle rushed out a patch over the weekend for a new E-Business Suite vulnerability that can be exploited remotely without authentication.
The vulnerability – CVE-2025-61884 – carries a 7.5 high-severity rating under CVSS v3.1. The flaw affects the Runtime UI component in Oracle E-Business Suite supported versions 12.2.3-12.2.14.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator,” reads the National Vulnerability Database description of CVE-2025-61884. “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”
Oracle noted in an advisory, “If successfully exploited, this vulnerability may allow access to sensitive resources.”
“Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert,” Oracle said. “However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.”
New E-Business Suite Flaw Not Connected to Earlier Exploitation
There have been no reports yet that the new low-complexity vulnerability has been exploited, but the fix comes roughly a week after Oracle patched CVE-2025-61882, a 9.8-severity remote code execution (RCE) flaw that had reportedly been exploited at least since August 9, with “suspicious activity” occurring as early as July 10.
CISA added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) database on October 6.
CVE-2025-61882 was reportedly weaponized by the CL0P ransomware gang in a widespread extortion campaign involving “a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims’ Oracle E-Business Suite (EBS) environments,” according to Google Threat Intelligence.
CL0P (aka CLOP) has now claimed its first victim from the Oracle campaign on its Tor data leak site: Harvard University (image below from Dominic Alvieri on X).
While CL0P didn’t specifically link Harvard to the Oracle campaign, a statement from the university to Bleeping Computer did.
CL0P: A Long History of Mass Exploits
Six-year-old CL0P was the main reason that February 2025 saw record ransomware attacks. The threat group specializes in mass exploitation of vulnerabilities and often claims a large number of victims at a time from its campaigns, so the naming of Harvard could be just the first of many.
Google last week published several Indicators of Compromise (IoCs) to help organizations targeted by CL0P’s Oracle campaign with detection.
One is that the threat group stores payloads directly in the EBS database. Administrators should query the XDO_TEMPLATES_B and XDO_LOBS tables to look for malicious templates and review any template where the TEMPLATE_CODE begins with TMP or DEF. The payload is stored in the LOB_CODE column.
“A request to the TemplatePreviewPG endpoint containing a TemplateCode prefixed with TMP or DEF is a strong indicator of an exploitation attempt,” Google said.
Anomalous requests to /OA_HTML/configurator/UiServlet and /OA_HTML/SyncServlet should also be investigated, the company added.
