Oracle has issued an emergency Security Alert Advisory for a newly discovered vulnerability affecting Oracle E-Business Suite, tracked as CVE-2025-61884. The flaw, which carries a critical remote exploitation risk, allows attackers to access sensitive resources without authentication.
According to Oracle, “This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password.” The company warns that if the vulnerability is successfully exploited, “it may allow access to sensitive resources.”
The vulnerability affects versions 12.2.3 through 12.2.14 of Oracle E-Business Suite, a widely deployed enterprise resource planning (ERP) platform used by major corporations for financials, procurement, supply chain, and human resources operations.
Because exploitation requires no valid credentials, Oracle classifies CVE-2025-61884 as remotely exploitable without authentication (RCE-UA) — among the most severe categories in its risk framework. This makes it possible for a threat actor to remotely compromise exposed E-Business Suite instances, potentially leading to data theft or unauthorized access to internal systems.
Given the unauthenticated nature of this vulnerability, attackers could exploit it through exposed Oracle E-Business Suite web interfaces accessible over the internet. Organizations running outdated or unpatched environments could be at risk of:
- Data exfiltration or exposure of sensitive business information.
- Lateral movement within enterprise networks through ERP-to-database integrations.
- Disruption of financial and supply chain operations by manipulating internal records.
Security experts warn that enterprise ERP systems like Oracle EBS are increasingly targeted by state-sponsored and financially motivated threat actors, due to the valuable data and privileged access they provide.
Oracle strongly urges all customers to apply available updates immediately.