Exposures › CVE-2025-61884
Oracle E-Business Suite's unpatched SSRF vulnerability in Oracle Configurator was actively exploited in the wild without authentication, enabling remote code execution and ransomware attacks.
Oracle E-Business Suite's unpatched SSRF vulnerability in Oracle Configurator was actively exploited in the wild without authentication, enabling remote code execution and ransomware attacks. DIB organizations must ensure all Oracle E-Business Suite instances are patched and monitored for exploitation, as this vulnerability allows attackers to execute arbitrary code without needing credentials. The failure highlights the severe risks of relying on unpatched software, especially in critical business environments.
Shame score — The vulnerability was actively exploited in the wild without authentication, enabling ransomware attacks and remote code execution, which is a severe and avoidable failure.
Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.
| Product | Provider | Status | Match |
|---|---|---|---|
| Aconex for Defense | Oracle | Authorized | vendor-exact · 0.90 |
| Federal Managed Cloud Services | Oracle | Authorized | vendor-exact · 0.90 |
| Fusion Cloud | Oracle | Authorized | vendor-exact · 0.90 |
| Government Cloud - Common Controls | Oracle | Authorized | vendor-exact · 0.90 |
| Oracle Cloud Infrastructure-Government Cloud | Oracle | Authorized | vendor-exact · 0.90 |
| Oracle Enterprise Performance Management (EPM) | Oracle | Authorized | vendor-exact · 0.90 |
| Oracle Enterprise Performance Management (EPM) - Moderate | Oracle | In Process | vendor-exact · 0.90 |
| Oracle Service Cloud | Oracle | Authorized | vendor-exact · 0.90 |
| Oracle Service Cloud (DOD) | Oracle | Authorized | vendor-exact · 0.90 |
| Taleo Cloud - U.S. Government Cloud | Oracle | Authorized | vendor-exact · 0.90 |