
CISA: Oracle vulnerability is being actively exploited

The US cybersecurity agency CISA has added a serious vulnerability in Oracle E-Business Suite to its list of actively exploited vulnerabilities. Government organizations in the US must install patches before November 10. However, Oracle itself has not yet confirmed the exploitation.

Oracle published CVE-2025-61884, a server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, on October 11. The bug received a CVSS score of 7.5 and does not require authentication to exploit. According to the company, attackers can use this vulnerability to gain “unauthorized access to critical data or full access to all Oracle Configurator data.”

Notably, Oracle itself does not confirm that this vulnerability is being actively exploited, even though the company released a patch in July for a flaw that had been used in attacks. At the same time, CISA has mandated that agencies install the necessary patches by November 10, 2025, at the latest.

Two attack campaigns identified

Research by CrowdStrike and Mandiant has revealed that there have been two separate waves of attacks, BleepingComputer reports. In July, criminals targeted an SSRF vulnerability in the “/configurator/UiServlet” endpoint, which has now been confirmed as CVE-2025-61884. A month later, a second campaign targeted the “/OA_HTML/SyncServlet” endpoint, which Oracle has patched as CVE-2025-61882.

This latter vulnerability is attributed to the Clop ransomware group. In early October, Clop sent threatening emails to several companies claiming to have stolen data from Oracle E-Business Suite environments via zero-day vulnerabilities. Oracle responded by stating that the attackers were exploiting vulnerabilities that had already been patched in July.

The confusion increased when, on October 3, the ShinyHunters group shared an exploit for Oracle on Telegram. A day later, Oracle published CVE-2025-61882 and named the leaked proof-of-concept as an indicator of compromise. However, analysis by watchTowr Labs revealed that the ShinyHunters exploit actually targets the UiServlet vulnerability, not the SyncServlet issue as Oracle suggests.

BleepingComputer discovered that the patch for CVE-2025-61884 works by validating a “return_url” parameter with a regular expression. If validation fails, the request is blocked. It remains unclear why Oracle incorrectly attributed the ShinyHunters exploit and why the company does not confirm active exploitation, despite the clear indications.
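As an added defender-side illustration (not code from the article, from Oracle, or from the researchers it cites), the Python below ties together the two technical points above: the two endpoints named in the CrowdStrike and Mandiant findings, and the patch's approach of validating a "return_url" parameter against a regular expression before honouring it. The allowlist pattern, the Apache-style log format and the log lines are constructed assumptions; Oracle's actual regular expression is not public in the article and is not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical allowlist for a return URL: a same-site relative path under
# /OA_HTML/ or /configurator/, with a restricted character set and an optional
# simple query string. No scheme, no host, no backslashes, no control characters.
# This is an assumption for illustration, not Oracle's patch pattern.
SAFE_RETURN_URL = re.compile(
    r"/(?:OA_HTML|configurator)/[A-Za-z0-9_./-]*(?:\?[A-Za-z0-9_=&%.-]*)?\Z"
)

# Endpoints the article reports as targeted in the July and August campaigns.
UISERVLET = "/configurator/UiServlet"
SYNCSERVLET = "/OA_HTML/SyncServlet"

# Common log format (constructed sample layout): ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_safe_return_url(value):
    """Return True only if the value is a relative, same-site return path.

    Absolute URLs, protocol-relative URLs (//host), backslashes, scheme prefixes
    such as javascript:, CRLF bytes and double-encoded input all fail the
    allowlist; '..' segments are rejected separately because the allowed
    character set permits dots.
    """
    if not isinstance(value, str):
        return False
    decoded = unquote(value)  # single decode; leftover % signs are rejected by the pattern
    if not SAFE_RETURN_URL.fullmatch(decoded):
        return False
    path = decoded.split("?", 1)[0]
    return ".." not in path.split("/")


def flag_suspicious_requests(log_lines):
    """Scan access-log lines and report findings as (ip, path, reason) tuples.

    UiServlet requests whose return_url fails the allowlist are reported as
    'unsafe-return_url'; any request to SyncServlet is reported as
    'watchlist-endpoint' for analyst review. Well-formed UiServlet requests
    with a safe return_url are not reported, to keep the signal usable.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        if parts.path == UISERVLET and "return_url" in params:
            if not is_safe_return_url(params["return_url"][0]):
                findings.append((m.group("ip"), parts.path, "unsafe-return_url"))
        elif parts.path == SYNCSERVLET:
            findings.append((m.group("ip"), parts.path, "watchlist-endpoint"))
    return findings


# Constructed sample log lines (documentation-range IPs and example hostnames).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Oct/2025:10:01:02 +0000] "GET /configurator/UiServlet?return_url=/OA_HTML/OA.jsp HTTP/1.1" 200 512',
    '203.0.113.11 - - [12/Oct/2025:10:01:05 +0000] "GET /configurator/UiServlet?return_url=http://internal.example/ HTTP/1.1" 200 77',
    '203.0.113.12 - - [12/Oct/2025:10:02:10 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 300',
    '203.0.113.13 - - [12/Oct/2025:10:03:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 1024',
    '203.0.113.14 - - [12/Oct/2025:10:04:00 +0000] "GET /configurator/UiServlet?return_url=%2F%2Fevil.example%2Fx HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, reason in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} {reason}")
```

The validator is deliberately an allowlist rather than a blocklist of bad prefixes: anything that is not a plain same-site path is refused, which is the shape of fix the article attributes to the patch. The log scanner is a triage aid, not a signature; a request to SyncServlet is only a review item, whereas a UiServlet request carrying a non-relative return_url is the condition worth alerting on.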