Cyber Security News

Oracle E-Business Suite RCE Vulnerability Exposes Sensitive Data to Hackers Without Authentication

Oracle has disclosed a critical vulnerability in its E-Business Suite that enables unauthenticated attackers to remotely access sensitive data, raising alarms for enterprises relying on the platform for core operations.

Tracked as CVE-2025-61884, the flaw affects the Oracle Configurator component and was detailed in a security alert released on October 11, 2025.

This comes just days after another exploited E-Business Suite vulnerability, CVE-2025-61882, highlighting ongoing security challenges in Oracle’s enterprise resource planning software.

The issue allows hackers to bypass authentication over HTTP, potentially exposing configuration data critical to business processes like finance and supply chain management.

Oracle E-Business Suite RCE Vulnerability

CVE-2025-61884 resides in the Runtime UI of Oracle Configurator, a module used for managing product and service configurations within E-Business Suite.

Attackers with network access can exploit this flaw without credentials, leading to unauthorized data retrieval or enumeration. The vulnerability stems from an authentication bypass, though specific technical details such as the affected endpoints remain undisclosed to prevent widespread abuse.

Oracle rates it with a CVSS 3.1 base score of 7.5, classifying it as high severity due to its ease of exploitation. No credits are given to external researchers, suggesting internal discovery by Oracle’s security team.

The following table summarizes key aspects of the vulnerability:

CVE ID: CVE-2025-61884
Affected Component: Oracle Configurator (Runtime UI)
Protocol: HTTP
CVSS Base Score: 7.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Supported Versions: 12.2.3-12.2.14

This structured breakdown underscores the remote, unauthenticated nature of the threat, making it accessible to any internet-facing deployment.

Successful exploitation could grant hackers complete access to all Oracle Configurator data, including sensitive business configurations that drive operational decisions.

For organizations in sectors like manufacturing or retail, this means exposure of proprietary models, pricing strategies, and customer details, potentially leading to competitive disadvantages or regulatory violations.

The high confidentiality impact without affecting integrity or availability positions it as a data exfiltration vector rather than a disruptive attack.

Given the recent exploitation of CVE-2025-61882 by ransomware groups like Cl0p, security experts warn that CVE-2025-61884 could follow suit, especially as proofs of concept for similar flaws circulate. Enterprises with unpatched E-Business Suite instances face elevated risks, particularly if exposed to the public internet.

Mitigations

Oracle urges immediate application of the released patches for versions 12.2.3 through 12.2.14, available via the Security Alert program for supported releases under Premier or Extended Support.

Customers on older versions should upgrade to maintained branches, as earlier releases such as 12.1.3 may also be affected even though they were not tested.

Additional defenses include network segmentation to limit HTTP access to the Configurator UI and monitoring for anomalous requests.
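The monitoring suggested above can be started with a small access-log check. The script below, an added example that is not from Oracle or this article, parses web-server lines in the common/combined log format and flags requests that reach the Configurator UI from outside trusted networks. The URL prefix, the trusted ranges and the log lines are all constructed placeholders; the advisory does not publish the affected endpoints, so the prefix must be set from your own deployment.

```python
"""Flag access-log requests that reach the Oracle Configurator UI from untrusted
sources. Added example, not from Oracle or the article.

Assumptions (placeholders, not taken from the advisory):
  - CONFIGURATOR_PREFIX: URL path prefix of the Configurator Runtime UI on this install
  - TRUSTED_NETWORKS: ranges from which Configurator access is legitimately expected
"""
import ipaddress
import re

CONFIGURATOR_PREFIX = "/OA_HTML/configurator/"  # ASSUMED placeholder; confirm on your system
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]  # constructed

# Common/combined log format: client - user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation/test addresses, not real traffic)
SAMPLE_LOG = [
    '10.0.4.7 - - [12/Oct/2025:09:14:02 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.25 - - [12/Oct/2025:09:15:31 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 8431 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Oct/2025:09:16:05 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.25 - - [12/Oct/2025:09:16:40 +0000] "GET /OA_HTML/configurator/UiServlet?x=1 HTTP/1.1" 500 210 "-" "curl/8.4"',
    'this line is not in log format and must be skipped',
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text):
    """True if the client address falls inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # hostname or garbage in the client field: treat as untrusted
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_untrusted_configurator_hits(lines):
    """Return (ip, path, status) for every Configurator request from an untrusted source.

    Status is deliberately not filtered: a 500 from an untrusted client can be a failed
    probe, and a 200 can be a successful unauthenticated read, so both are worth review."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(CONFIGURATOR_PREFIX) and not is_trusted(rec["ip"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_untrusted_configurator_hits(SAMPLE_LOG):
        print(f"untrusted Configurator access: {ip} {path} -> {status}")
```

On the constructed sample this reports the two requests from 203.0.113.25 and ignores the internal client and the unrelated path. In practice the same check belongs in the SIEM or WAF ruleset, where the trusted ranges come from the segmentation policy and any untrusted hit on the Configurator prefix is an alert, whatever status code the server returned.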

Oracle’s advisory provides detailed patch instructions through support documents, emphasizing the Lifetime Support Policy for ongoing protection.

While no active exploitation has been confirmed for this CVE, the pattern of rapid E-Business Suite attacks demands swift action to safeguard sensitive resources.


Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
