Threats / Oracle / CVE-2025-61884
CVE-2025-61884
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-06
Oracle E-Business Suite vulnerability
Oracle E-Business Suite Runtime component in Oracle Configurator contains an unauthenticated server-side request forgery vulnerability enabling remote exploitation.
Verdict
Today item, not a backlog item.
SSRF in unauthenticated Oracle Configurator Runtime allows attackers to forge requests from the vulnerable server, potentially accessing internal resources, exfiltrating data, or pivoting to backend systems. Active exploitation and ransomware deployment observed.
01
Is it exploitable?
— the evidence, ranked above the scoreExploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-10-20), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.51081 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Oracle, E-Business Suite. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-918 Server-Side Request Forgery (SSRF).CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No threat-actor attribution is established from the public feed for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I craft a malicious request to the unauthenticated Oracle Configurator endpoint, injecting a URL pointing to an internal resource or service.
Business
Attacker gains unauthorized access to internal systems, databases, or services not directly exposed to the internet.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I use the SSRF to probe internal network topology, enumerate services, and identify additional targets for lateral movement.
Business
Organization's internal network architecture and running services are exposed, expanding the attack surface.
3
Lateral reach — past segmentation narrative 3
Attacker
I leverage the SSRF to retrieve sensitive data from internal metadata services, configuration endpoints, or cloud credentials.
Business
Confidential credentials, API keys, and configuration data are compromised, enabling further unauthorized access.
4
Data at risk — exfiltration narrative 4
Attacker
I chain the SSRF with backend vulnerabilities or misconfigurations to achieve remote code execution on internal systems.
Business
Attacker establishes persistent access to critical infrastructure, enabling data theft and ransomware deployment.
5
Lights out — disruption & extortion narrative 5
Attacker
I deploy ransomware payloads across compromised internal systems using the established foothold.
Business
Business operations are disrupted, data is encrypted, and significant financial and reputational damage occurs.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05
Coverage & confidence
— what we know, and what we don’tEstablished (cited)
Coverage gaps — stated, not hidden
Disclosure & credit2
Catalogued by oracleCNA
Credited with finding itNo finder named in the public CVE record — the work behind this find is unattributed.