COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2025-61884

CVE-2025-61884

Severity
critical · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2025-10-20
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-61884
⚡ RCE ⌖ exploited in the wild shame 85/100 ransomwareexploited-in-wildunpatchedrce

Oracle E-Business Suite's unpatched SSRF vulnerability in Oracle Configurator was actively exploited in the wild without authentication, enabling remote code execution and ransomware attacks.

Oracle E-Business Suite's unpatched SSRF vulnerability in Oracle Configurator was actively exploited in the wild without authentication, enabling remote code execution and ransomware attacks. DIB organizations must ensure all Oracle E-Business Suite instances are patched and monitored for exploitation, as this vulnerability allows attackers to execute arbitrary code without needing credentials. The failure highlights the severe risks of relying on unpatched software, especially in critical business environments.

Shame score — The vulnerability was actively exploited in the wild without authentication, enabling ransomware attacks and remote code execution, which is a severe and avoidable failure.

Players implicated

Oracle · vendorE-Business Suite · product

Description

Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.

Affected FedRAMP products 10 in the catalog

ProductProviderStatusMatch
Aconex for Defense Oracle Authorized vendor-exact · 0.90
Federal Managed Cloud Services Oracle Authorized vendor-exact · 0.90
Fusion Cloud Oracle Authorized vendor-exact · 0.90
Government Cloud - Common Controls Oracle Authorized vendor-exact · 0.90
Oracle Cloud Infrastructure-Government Cloud Oracle Authorized vendor-exact · 0.90
Oracle Enterprise Performance Management (EPM) Oracle Authorized vendor-exact · 0.90
Oracle Enterprise Performance Management (EPM) - Moderate Oracle In Process vendor-exact · 0.90
Oracle Service Cloud Oracle Authorized vendor-exact · 0.90
Oracle Service Cloud (DOD) Oracle Authorized vendor-exact · 0.90
Taleo Cloud - U.S. Government Cloud Oracle Authorized vendor-exact · 0.90