Hackers Exploit Critical Oracle Flaw, CISA Confirms

Summary
– CISA has added Oracle E-Business Suite vulnerability CVE-2025-61884 to its Known Exploited Vulnerabilities catalog and requires federal agencies to patch it by November 10, 2025.
– CVE-2025-61884 is an unauthenticated server-side request forgery flaw in the Oracle Configurator runtime component, rated 7.5 severity and allowing unauthorized data access.
– Oracle disclosed the flaw on October 11 but did not confirm it was exploited, despite BleepingComputer linking it to a leaked exploit used in July attacks by ShinyHunters and Scattered Lapsus$.
– Two separate campaigns targeted Oracle EBS: a July campaign using the UiServlet SSRF flaw (CVE-2025-61884) and an August campaign using a different exploit against SyncServlet (CVE-2025-61882) attributed to Clop.
– Oracle incorrectly listed the ShinyHunters exploit as an indicator of compromise for CVE-2025-61882 instead of CVE-2025-61884 and has not responded to inquiries about the error or marking CVE-2025-61882 as exploited.
The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical Oracle E-Business Suite vulnerability, identified as CVE-2025-61884, to its Known Exploited Vulnerabilities catalog. This action confirms that malicious actors are actively leveraging the flaw in real-world attacks. Federal agencies have been directed to apply the necessary security patches by November 10, 2025, to protect their systems.
This vulnerability is an unauthenticated server-side request forgery (SSRF) issue located within the Oracle Configurator runtime component. Oracle initially disclosed the security gap on October 11, assigning it a severity rating of 7.5. The company cautioned that the flaw is easily exploitable and could allow attackers to obtain unauthorized access to critical data or gain complete control over all information accessible through Oracle Configurator.
Despite Oracle’s public disclosure, the company has not acknowledged that the vulnerability was previously exploited. Reports indicate the October update specifically blocks an exploit that was leaked by the ShinyHunters group and linked to the Scattered Lapsus$ extortion collective.
Concerns over Oracle E-Business Suite security have been mounting. Earlier in October, the Clop ransomware gang began sending extortion emails to various organizations, claiming they had exfiltrated data from Oracle E-Business Suite instances by exploiting zero-day vulnerabilities. Oracle responded by stating the attackers had actually leveraged flaws that were already patched back in July.
On October 3, ShinyHunters publicly released an Oracle exploit on Telegram, suggesting it was used by the Clop group. The following day, Oracle issued CVE-2025-61882 and listed the leaked proof-of-concept among its indicators of compromise.
Subsequent investigations by cybersecurity firms CrowdStrike and Mandiant revealed two distinct attack campaigns targeting Oracle EBS. The July campaign utilized an exploit aimed at an SSRF vulnerability in the “/configurator/UiServlet” endpoint, which has since been confirmed as CVE-2025-61884. A separate August campaign employed a different exploit against the “/OAHTML/SyncServlet” endpoint, addressed under CVE-2025-61882 through ModSecurity rules and by stubbing out the SYNCSERVLET class. This second flaw is attributed to the Clop ransomware operation.
Analysis from watchTowr Labs confirmed that the ShinyHunters leaked exploit specifically targeted the UiServlet SSRF attack chain, not the SyncServlet vulnerability. Although Oracle released a patch for CVE-2025-61884 on October 11, it did not confirm whether the flaw had been exploited in the wild, despite having remediated the exploit used during the July incidents.
The patch for CVE-2025-61884 works by validating an attacker-supplied “return_url” parameter using a regular expression. Any request that fails this validation is automatically blocked.
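As an added illustration, not Oracle's code and not the actual patch (whose regular expression is not published here), the following Python sketch shows the two defender-side checks the story implies: an allowlist validator for the return_url parameter, and a scan of constructed web-server log lines for UiServlet requests whose return_url would fail that check. The allowed host, the log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts the application may legitimately redirect or call back to (constructed allowlist).
ALLOWED_HOSTS = {"ebs.corp.example"}
# Endpoint named in the reporting for the CVE-2025-61884 SSRF chain.
WATCHED_PATH = "/configurator/UiServlet"

def return_url_is_safe(value: str) -> bool:
    """Hypothetical allowlist check in the spirit of the vendor fix: accept only a
    site-relative path or an absolute http(s) URL whose host is on the allowlist."""
    value = value.strip()
    if not value or "\\" in value or value.startswith("//"):
        return False  # empty, backslash tricks, or scheme-relative URL
    if re.fullmatch(r"/[A-Za-z0-9_./?&=%-]*", value):
        return True  # plain site-relative path
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS

# Minimal parser for a combined-log-format request line (constructed format assumption).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+" (?P<status>\d{3})'
)

def find_suspicious(log_lines):
    """Return (path, return_url) pairs for UiServlet requests whose return_url
    would be rejected by the allowlist check."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("path") != WATCHED_PATH:
            continue
        params = parse_qs(m.group("query") or "")  # parse_qs percent-decodes values
        for ru in params.get("return_url", []):
            if not return_url_is_safe(ru):
                hits.append((m.group("path"), ru))
    return hits

# Constructed sample access-log lines; IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Oct/2025:10:01:02 +0000] "GET /configurator/UiServlet?return_url=%2FOA_HTML%2Fhome HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Oct/2025:10:01:07 +0000] "GET /configurator/UiServlet?return_url=http%3A%2F%2F198.51.100.7%2Fx HTTP/1.1" 200 88',
    '198.51.100.2 - - [11/Oct/2025:10:02:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for path, ru in find_suspicious(SAMPLE_LOG):
        print(f"suspicious return_url on {path}: {ru}")
```

Only the request with an external host in return_url is reported; the relative path is accepted.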
A point of confusion remains regarding Oracle’s initial attribution. The company listed the ShinyHunters exploit as an indicator of compromise for CVE-2025-61882, even though the exploit actually corresponds to CVE-2025-61884. Oracle has not responded to inquiries seeking clarification on this discrepancy. Further attempts to determine whether Oracle will update the status of CVE-2025-61882 to reflect exploitation have also gone unanswered.
(Source: Bleeping Computer)