Oracle Patches Critical Vulnerability in EBS Exposing Sensitive Data

Oracle has patched a severe vulnerability in EBS that gives attackers access to sensitive software components without login credentials.

Oracle has released a security update to address a serious vulnerability (CVE-2025-61884) in Oracle EBS. The vulnerability allows attackers to gain unauthenticated access to sensitive components of the software via the network.

The security issue is located in the Runtime UI component of Oracle Configurator. Attackers can exploit the vulnerability via the HTTP protocol, without requiring usernames or passwords. Oracle assigns the vulnerability a CVSS score of 7.5, indicating a high severity. The vulnerability affects versions 12.2.3 through 12.2.14 of EBS.

Customers using these versions are advised by Oracle to apply the available patch as soon as possible. Oracle emphasizes that only supported versions, whether under standard or extended support, will receive a patch. Older versions are not tested but may also be vulnerable.

Patch Only for Supported Versions

The security vulnerability is addressed through a separate Security Alert, apart from the regular quarterly security updates. The patch is only available for customers using supported product versions. Those still on an outdated version are advised to upgrade to a supported version to access the security fix.

More information about the patch and affected products can be found in a support bulletin provided by Oracle. The vulnerability was apparently not reported by an external party; at least, Oracle does not mention any other parties in the security bulletin.

The previous ‘emergency patch’ that Oracle had to roll out came just a week ago. And that’s no coincidence: the ransomware gang Clop is said to be targeting old, unpatched vulnerabilities in Oracle EBS software. There is some urgency to installing the patches, as the vulnerabilities are being actively exploited. Clop was also the mastermind behind the MOVEit attacks that claimed many victims two years ago.