Actively exploited vulnerability

CVE-2025-61884: Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability

Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.

CISA KEV source 20 Oct 2025 added 10 Nov 2025 remediation due

Affected product

Oracle · E-Business Suite

Known ransomware use: Known

Required action

Follow the source advisory and validate exposure in your environment.

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Related Yasna coverage

Recent reporting that mentions CVE-2025-61884.

Bleeping Computer15 Oct 2025

Oracle silently fixes zero-day exploit leaked by ShinyHunters

Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. [...]

Bleeping Computer15 Oct 2025

Oracles silently fixes zero-day exploit leaked by ShinyHunters

Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. [...]