CVE-2025-61884

CVE Database · CVE-2025-61884

CVE-2025-61884

· HIGHAnalyzed

CVSS v3.1

7.5

EPSS

97.58%

Published

Oct 12, 2025

Modified

Oct 27, 2025

CISA Known Exploited Vulnerability

Added: 2025-10-20 · Due: 2025-11-10

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-22CWE-93CWE-287CWE-444CWE-501CWE-918

Affected Products (1)

oracle · configuratorvulnerable

References (4)

https://www.oracle.com/security-alerts/alert-cve-2025-61884.html

Vendor Advisory

https://blogs.oracle.com/security/post/apply-july-2025-cpu

Vendor Advisory

https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/

ExploitPress/Media Coverage

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884

US Government Resource

KEV Catalog EPSS Scores Vendors All CVEs