Oracle releases emergency patch for new E-Business Suite flaw


Oracle issued an emergency security update over the weekend to patch another E-Business Suite (EBS) vulnerability that can be exploited remotely by unauthenticated attackers.

Tracked as CVE-2025-61884, this information disclosure flaw in the Runtime UI component affects EBS versions 12.2.3 to 12.2.14 and could allow unauthenticated threat actors to steal sensitive data remotely following successful exploitation.

"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible," .

"This vulnerability has received a CVSS Base Score of 7.5. If successfully exploited, this vulnerability may allow access to sensitive resources," said Rob Duhart, Oracle's Chief Security Officer.

Oracle released the CVE-2025-61884 patch almost two weeks after a Clop extortion campaign targeting , which the company later linked to and then now tracked as CVE-2025-61882.

Since then, cybersecurity firm CrowdStrike said they first spotted Clop exploiting CVE-2025-61882 as a zero-day and warned that other threat groups may have also joined the attacks.

watchTowr Labs security researchers have also that can allow unauthenticated attackers to gain remote code execution, as evidenced by a proof-of-concept (PoC) exploit (with a ) that was by the Scattered Lapsus$ Hunters cybercrime gang.

The Clop extortion group was behind other targeting zero-days in , , , and , with the latter impacting .

Oracle has not tagged the CVE-2025-61884 vulnerability patched over the weekend as exploited in the wild, and has yet to link it to CVE-2025-61882 attacks.

However, seeing that internet-facing Oracle EBS instances are actively targeted, defenders are strongly advised to apply the out-of-band CVE-2025-61884 patch as soon as possible.

FPT Metrodata Indonesia Cyber Security

FPT Metrodata Indonesia (FMI) provides news, analysis & guides on cybersecurity and threat intelligence for Indonesia & Vietnam. Visit https://news.fmisec.com. FMI: https://fmisec.com