Threat Advisory

Oracle E-Business Suite Configurator Authentication Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A critical flaw was found in the Configurator Runtime UI of the E-Business Suite that lets an unauthenticated attacker access configuration data over HTTP. Because the bug allows an authentication bypass, anyone with network access to the service can read or enumerate sensitive configuration data without credentials. The issue mainly affects deployments that expose the Configurator UI to untrusted networks. This is primarily a data-exposure problem: the impact on confidentiality is high, while integrity and availability are not impacted.

  • CVE-2025-61884: This flaw exists in the Runtime UI of the Configurator module. An attacker with network access can bypass authentication and retrieve or enumerate configuration data without any credentials. Specific technical endpoint details were kept private to limit abuse, but the core issue is an authentication bypass over HTTP. The impact is mainly data disclosure: sensitive product, pricing, and configuration records can be read. The vendor has released a patch for supported 12.2.x releases; customers on older branches, which may also be at risk, are urged to move to maintained releases.
  • CVE-2025-61882: This is a separate, recently exploited vulnerability in the same E-Business Suite family. It was observed being used in real attacks, including follow-on extortion and ransomware activity. Its exploitation shows attackers are actively targeting this platform, increasing the risk that other new flaws in the same product will be weaponized quickly. Organizations should treat new E-Business Suite flaws as high priority because of that active attack history.

RECOMMENDATION:

We strongly recommend you upgrade Oracle E-Business Suite Configurator to versions 12.2.3–12.2.14.

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/oracle-e-business-suite-rce-vulnerability/
