Oracle Issues Critical Patch for E-Business Suite Vulnerability
Oracle recently released an urgent patch addressing a serious vulnerability in its E-Business Suite. This flaw, identified as CVE-2025-61884, is significant due to its high severity rating of 7.5 on the Common Vulnerability Scoring System (CVSS v3.1) scale. It affects the Runtime UI component of the Oracle E-Business Suite versions 12.2.3 through 12.2.14.
Understanding the Vulnerability
The National Vulnerability Database has indicated that this vulnerability can be exploited remotely without any authentication required. This means that an unauthenticated attacker with network access through HTTP could potentially compromise Oracle Configurator, leading to unauthorized access to sensitive data. According to the advisory from Oracle, successful exploitation may expose critical resources to malicious entities.
Oracle also mentioned that versions not under Premier or Extended Support have not undergone testing for this vulnerability. Therefore, organizations running older or unsupported versions are strongly advised to upgrade to those still receiving security updates.
Context of Recent Exploits
While there haven’t been any public reports of this recently identified vulnerability being actively exploited, it’s important to note that this patch follows closely on the heels of Oracle’s fix for another critical vulnerability, CVE-2025-61882. This earlier flaw, rated at a staggering 9.8 severity level, had been under active exploitation reportedly since mid-August. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) database earlier this month.
Reports indicate that the CL0P ransomware group has been leveraging CVE-2025-61882 in a wide-ranging extortion campaign, targeting numerous organizations by sending high volumes of emails to executives, claiming the theft of sensitive information from their Oracle environments. Recently, CL0P claimed its first victim from this campaign: Harvard University.
CL0P Campaign and Its Impact
Though CL0P has not explicitly connected Harvard to its Oracle campaign, the university itself acknowledged the threat in communications with BleepingComputer. The incident fits the group’s long history of exploiting vulnerabilities at scale to maximize impact quickly. CL0P, which has been active for several years, has made a name for itself through mass-exploitation attacks that have led to record ransomware incidents.
To aid organizations in detecting potential breaches from CL0P’s activities, Google has shared several Indicators of Compromise (IoCs). These include the storage of malicious payloads within the E-Business Suite database, specifically in the XDO_TEMPLATES_B and XDO_LOBS tables. Administrators are encouraged to review any template entries beginning with “TMP” or “DEF” and inspect the LOB_CODE column for any irregularities.
Anomalous requests to specific endpoints, such as those involving TemplatePreviewPG, may also indicate attempted exploitation. Organizations are advised to monitor requests to /OA_HTML/configurator/UiServlet and /OA_HTML/SyncServlet as additional precautionary measures.
Conclusion: A Call for Immediate Action
With vulnerabilities like CVE-2025-61884 capable of exposing critical data, Oracle users should prioritize applying patches and maintaining up-to-date systems. As cyber threats become increasingly sophisticated, staying informed about potential vulnerabilities and following best security practices is essential for safeguarding sensitive information.