Oracle has issued an emergency security update over the weekend to patch another E-Business Suite (EBS) vulnerability that can be exploited remotely by unauthenticated attackers.
Tracked as CVE-2025-61884, this information disclosure flaw in the Runtime UI component affects EBS versions 12.2.3 to 12.2.14 and could allow unauthenticated threat actors to steal sensitive data remotely following successful exploitation.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible,” Oracle said.
“This vulnerability has received a CVSS Base Score of 7.5. If successfully exploited, this vulnerability may allow access to sensitive resources,” added Rob Duhart, Oracle’s Chief Security Officer.
Oracle released the CVE-2025-61884 patch almost two weeks after a Clop extortion campaign targeting executives at multiple companies, a campaign Oracle later linked first to EBS vulnerabilities patched in July 2025 and then to another Oracle EBS vulnerability, now tracked as CVE-2025-61882.
Since then, cybersecurity firm CrowdStrike has said it first spotted Clop exploiting CVE-2025-61882 as a zero-day in data theft attacks in early August, and warned that other threat groups may have also joined the attacks.
watchTowr Labs security researchers have also found that CVE-2025-61882 is a vulnerability chain that can allow unauthenticated attackers to gain remote code execution, as evidenced by a proof-of-concept (PoC) exploit (with a May 2025 timestamp) that was leaked online by the Scattered Lapsus$ Hunters cybercrime gang.
The Clop extortion group was behind other major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer, with the latter impacting over 2,770 organizations.
Oracle has not tagged the CVE-2025-61884 vulnerability patched over the weekend as exploited in the wild, and has yet to link it to CVE-2025-61882 attacks.
However, seeing that internet-facing Oracle EBS instances are actively targeted, defenders are strongly advised to apply the out-of-band CVE-2025-61884 patch as soon as possible.