Emergency patch for vulnerability in Oracle E-Business Suite

Oracle released an emergency patch this weekend for a critical vulnerability in E-Business Suite (EBS). The flaw can be exploited by attackers without authentication to steal sensitive data.

The vulnerability, CVE-2025-61884, is an information disclosure flaw in the Runtime UI component. It affects all EBS versions from 12.2.3 to 12.2.14. If successfully exploited, it could give access to sensitive data. Oracle has assigned the vulnerability a CVSS score of 7.5, which underscores the severity of the problem.

Connection to recent attacks

The timing of this patch is striking, as BleepingComputer points out. Oracle released the fix for CVE-2025-61884 nearly two weeks after a Clop extortion campaign targeting executives at multiple companies. That campaign was later linked to EBS vulnerabilities patched in July, as well as to another Oracle EBS vulnerability (CVE-2025-61882).

High urgency from Oracle

Oracle warns that this vulnerability can be exploited over a network without a username or password. Security company CrowdStrike reported that Clop had been exploiting the zero-day CVE-2025-61882 to steal data since early August, and warned that other threat actors may have joined in on these attacks.

Researchers at watchTowr Labs discovered that CVE-2025-61882 is actually a chain of vulnerabilities. The chain can give unauthenticated attackers remote code execution, as demonstrated by a proof-of-concept exploit that was leaked online by the cybercrime group Scattered Lapsus$ Hunters.

Oracle has not yet marked CVE-2025-61884 as actively exploited in the wild and has not drawn a direct link to the CVE-2025-61882 attacks. Internet-exposed Oracle EBS instances are clearly being targeted, however, so applying the update promptly is strongly recommended.