Introduction
Unauthorized access to critical business configuration data in Oracle E-Business Suite can have direct operational and competitive consequences. CVE-2025-61884, disclosed by Oracle on October 11, 2025, leaves a significant portion of the global ERP landscape open to unauthenticated data exposure through the Configurator Runtime UI.
Oracle E-Business Suite (EBS) is a cornerstone enterprise resource planning platform used by thousands of organizations worldwide to manage finance, HR, supply chain, and customer operations. The Configurator module is essential for managing complex product and service configurations, making vulnerabilities in this component especially impactful for organizations relying on EBS for core business processes.
Technical Information
CVE-2025-61884 is an easily exploitable vulnerability in the Oracle Configurator component (Runtime UI) of Oracle E-Business Suite. An attacker with network access over HTTP can read sensitive configuration data without authenticating. The vulnerability lies in the Runtime UI, the web interface through which users interact with configuration models and data. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: exploitation is possible remotely over the network, requires neither privileges nor user interaction, and results in high confidentiality impact (data exposure) with no integrity or availability impact.
The root cause is an authentication bypass in the Runtime UI, allowing unauthenticated requests to retrieve or enumerate sensitive data managed by Oracle Configurator. There is no public exploit code or detailed technical breakdown of the vulnerable code path as of this writing. No information is available about specific HTTP endpoints or request structures involved.
Patch Information
Oracle has released a security patch for CVE-2025-61884 in Oracle E-Business Suite versions 12.2.3 through 12.2.14. The vulnerability allows a remote, unauthenticated attacker to access sensitive resources. To mitigate this risk, Oracle strongly recommends that customers apply the provided updates promptly; detailed instructions for obtaining and applying the patch are available in the Patch Availability Document linked below.
Affected Systems and Versions
- Oracle E-Business Suite (EBS) Configurator component (Runtime UI)
- Affected versions: 12.2.3 through 12.2.14
- All configurations of these versions are vulnerable unless patched
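A practical first step is to check an asset inventory against the affected range. The following added example (not part of the original advisory) compares Oracle E-Business Suite version strings as integer tuples rather than as text, which avoids the common mistake where "12.2.9" sorts after "12.2.14" in a string comparison. The inventory lines are constructed for illustration; the assumption that a fourth component such as a sub-release level belongs to the same base release is mine, not something the advisory states.

```python
"""Affected-version triage for the range given in the advisory.

Added example. Flags EBS versions that fall within 12.2.3 through
12.2.14 (inclusive), the affected range stated on the page.
"""

from typing import List, Tuple

# Range stated in the advisory (inclusive at both ends).
AFFECTED_LOW = (12, 2, 3)
AFFECTED_HIGH = (12, 2, 14)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.2.10' into (12, 2, 10); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when major.minor.patch lies within the advisory's range.

    Assumption (not from the page): extra components such as '12.2.14.1'
    are treated as the same base release and compared on the first three.
    """
    v = parse_version(version)
    if len(v) < 3:
        raise ValueError(f"need at least major.minor.patch: {version!r}")
    return AFFECTED_LOW <= v[:3] <= AFFECTED_HIGH


# Constructed inventory (hostname,version); these are not real hosts.
INVENTORY = """\
ebs-prod-01,12.2.14
ebs-prod-02,12.2.9
ebs-test-01,12.2.2
ebs-dev-01,12.1.3
ebs-uat-01,12.2.10
"""


def affected_hosts(inventory: str) -> List[str]:
    """Return sorted hostnames whose version is inside the affected range."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, ver = line.partition(",")
        if is_affected(ver):
            hits.append(host.strip())
    return sorted(hits)


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: within affected range, schedule the patch")
```

Note that the naive string comparison `"12.2.9" <= "12.2.14"` is False, so a triage script built on string ordering would silently miss 12.2.9 hosts; the tuple comparison above gets it right.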
Vendor Security History
Oracle E-Business Suite has experienced multiple high-impact vulnerabilities in recent years, including unauthenticated remote code execution and data exposure issues. Notably, CVE-2025-61882 (disclosed one week prior) was actively exploited in the wild and targeted a different EBS component. Oracle typically issues out-of-cycle security alerts and patches for such vulnerabilities and maintains a quarterly Critical Patch Update schedule. The vendor's response time for critical EBS vulnerabilities is generally prompt, especially when active exploitation is detected.