Oracle Addresses a New Vulnerability Impacting E-Business Suite (CVE-2025-61884)

On Saturday, Oracle released a security advisory addressing a high-severity vulnerability impacting E-Business Suite. Tracked as CVE-2025-61884, the vulnerability may allow an unauthenticated remote attacker to access sensitive resources.

Oracle has not said whether the vulnerability has been exploited. However, Rob Duhart, the chief security officer of Oracle Security, stated in his blog that “this vulnerability affects some deployments of Oracle E-Business Suite.”

Oracle E-Business Suite (Oracle EBS) is among the world’s leading ERP (Enterprise Resource Planning) solutions. It encourages productivity, fulfills the needs of the current mobile user, and supports today’s ever-evolving business models. Oracle E-Business Suite continues to bring new application functionality and enhance the capabilities of existing features. It also helps customers take full advantage of Oracle Cloud.

Vulnerability Details

The vulnerability exists in the Runtime UI component of Oracle Configurator, a product of Oracle E-Business Suite. Successful exploitation of this vulnerability may allow an unauthenticated remote attacker with network access via HTTP to compromise Oracle Configurator. Oracle mentioned in the advisory that the vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without requiring user credentials.

Affected Versions

The vulnerability affects Oracle E-Business Suite versions 12.1 and 12.2.3 through 12.2.14.

Mitigation

Oracle released the following patches to address the vulnerability:

  • For Release 12.2, apply Patch 38512809:R12.CZ.C and Patch 37614922:R12.IES.C.
  • For Release 12.1, patches are pending.

For more information, please refer to the Oracle Security Advisory.
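
To track remediation across several EBS instances, the affected versions and patch numbers above can be turned into a triage check. The following Python is an added example, not code from Oracle or Qualys. It assumes each instance is described by a release string plus the patch numbers recorded as applied, that any 12.1.x release counts as Release 12.1, and all function names, status labels and sample data are hypothetical.

```python
# Added example: triage EBS instances against the CVE-2025-61884 details on this page.
# Assumed input: a release string and the patch numbers recorded as applied.

REQUIRED_12_2 = {"38512809", "37614922"}   # R12.CZ.C and R12.IES.C patches named above
AFFECTED_12_2 = ((12, 2, 3), (12, 2, 14))  # inclusive affected range named above


def parse_release(release):
    """'12.2.14' -> (12, 2, 14). Comparing integers avoids the string-compare
    trap where '12.2.14' sorts before '12.2.3'."""
    parts = release.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(p) for p in parts)


def triage(release, applied_patches=()):
    """Return (status, missing_patches) for one instance."""
    ver = parse_release(release)
    if ver[:2] == (12, 1):
        # Assumption: every 12.1.x release is treated as "Release 12.1".
        return ("affected_patch_pending", set())
    if ver == (12, 2):
        # The point release decides whether the instance is inside the range.
        return ("unknown_point_release", set())
    lo, hi = AFFECTED_12_2
    if lo <= ver[:3] <= hi:
        # Accept 38512809, "38512809" or "38512809:R12.CZ.C".
        applied = {str(p).split(":")[0].strip() for p in applied_patches}
        missing = REQUIRED_12_2 - applied
        if missing:
            return ("affected_missing_patches", missing)
        return ("patched", set())
    return ("not_listed", set())


# Constructed sample inventory (hypothetical instance names and patch lists).
SAMPLE_INVENTORY = {
    "ebs-prod": ("12.2.14", ["38512809:R12.CZ.C"]),
    "ebs-test": ("12.2.3", [38512809, 37614922]),
    "ebs-legacy": ("12.1.3", []),
}


def triage_inventory(inventory):
    """Map each instance name to its (status, missing_patches) result."""
    return {name: triage(rel, patches) for name, (rel, patches) in inventory.items()}


if __name__ == "__main__":
    for name, (status, missing) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {status} {sorted(missing)}")
```

A `patched` result only means both patch numbers listed above were found in the input; a `not_listed` result means the release is outside the versions this page names.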

Qualys Detection

Qualys customers can scan their devices with QID 20507 to detect vulnerable assets.

Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
