

CVE-2025-61884 has been disclosed for Oracle E-Business Suite (EBS). The affected component, Oracle Configurator Runtime UI, can be exploited via an unauthenticated HTTP request prior to login. Successful exploitation may allow unauthorized access to configuration-related data. The officially reported affected versions are 12.2.3 – 12.2.14, and the CVSS score is 7.5 (High).
This advisory should be read together with CVE-2025-61882 (RCE, CVSS 9.8), which was disclosed at the same time. Field observations indicate chained attack scenarios where threat actors obtain initial access via an RCE and then exploit the Runtime UI flaw to harvest configuration data. The risk increases for environments with externally exposed EBS portals.
Impact & Context
The Configurator Runtime UI is tightly coupled with critical business flows such as product configuration, price calculation, and order logic. If access control is weak prior to authentication, attackers may read configuration models and related data (price lists, business rules, supply chain identifiers, etc.) without logging in. Such unauthorized access can be leveraged for privilege escalation, impersonation, or as reconnaissance for supply-chain attacks.
Common endpoints observed during attacks include:
- /OA_HTML/configurator/UiServlet
- (in some environments) /OA_HTML/configurator/SyncServlet
Operations teams should prioritize review of recent access logs and error logs for requests to the above paths.
Oracle EBS: Criminal IP–based Hunting for CVE-2025-61884
Externally exposed Oracle EBS portals that may be vulnerable to CVE-2025-61884 often show characteristic signatures in browser titles, HTTP response banners, and specific endpoint paths, which allows rapid identification. Use the following query in the Criminal IP Asset Search threat-hunting engine to identify publicly exposed instances.
Criminal IP Search Query: “OA_HTML”

Searching for “OA_HTML” returned 1,048 instances worldwide as of October 21, 2025. Country distribution was led by the United States, China, and India; the United States showed 409 observed instances.
To narrow to your organization or your supply chain, combine filters such as org, country, and port(443) to locate specific assets. Once a portal is identified, assess responses, banners, and headers at the representative paths below to measure exposure and potential impact:
- /OA_HTML/AppsLogin
- /OA_HTML/portal.jsp
- /OA_HTML/configurator/UiServlet

One IP observed via Criminal IP had a Critical inbound risk score, three open ports, and returned EBS-related responses on port 8020. That host had 12 CVEs recorded and two confirmed exploitation incidents, illustrating an environment where an attacker could chain multiple vulnerabilities to achieve initial access → privilege escalation → data exfiltration.
Criminal IP Hacking Group Monitoring: Clop-like Activity
Recent zero-day exploitation campaigns against EBS have been attributed to organized groups that specialize in chaining zero-day vulnerabilities. Activity consistent with Clop-style ransomware and data exfiltration groups has been observed. For enterprise customers, the Criminal IP Hacking Group module aggregates actor timelines, operating regions, and the latest CIP News onto a single dashboard. Even when direct attribution to a specific group is not confirmed, this view—together with IOCs (indicators of compromise), IOAs (indicators of attack), and supporting references—is useful for reprioritizing defensive measures.

Recommended Actions
- Patch
Apply the vendor fixes listed in the security advisory as the top priority. Pre-patch mitigations are temporary measures only.
- Minimize Internet Exposure
Place EBS (especially OA_HTML/Configurator endpoints) behind VPNs or authenticated proxies and restrict access to required source IPs.
- Harden Front-End Protections
At the reverse proxy/WAF layer, block or challenge anomalous methods/parameters directed at UiServlet and SyncServlet. Where feasible, add an authentication layer (header-based, SSO) to the affected endpoints.
- Log-Based Inspection
Aggregate and analyze web, proxy/WAF, and application error logs dating from mid-July through the present. Focus on UiServlet/SyncServlet request patterns, high-volume retrievals, session reuse, and abnormal behavior from default accounts such as applmgr. If suspicious activity is found, follow escalation steps: invalidate sessions/tokens, rotate secrets, and perform correlation between internal access and external exfiltration paths.
- Reduce Functionality
Minimize Configurator privileges and data scope; disable unused features where possible.
- Continuous Monitoring
Automate scans for the above titles/paths on 7/14/30-day cycles to detect new exposures and configuration changes.
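The log-based inspection step above, as an added example (not code from Criminal IP or Oracle): it normalizes request paths so encoded or doubled-slash variants of the two servlet paths still match, then summarizes hits, response bytes and status codes per client IP. It assumes Apache/nginx "combined" format logs; the sample lines are constructed and the `min_hits` threshold is illustrative.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoints named in this advisory, compared after normalization (lower-cased).
WATCHED = ("/oa_html/configurator/uiservlet", "/oa_html/configurator/syncservlet")

# Assumption: the front end writes Apache/nginx "combined" format access logs.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [02/Aug/2025:03:14:07 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '203.0.113.7 - - [02/Aug/2025:03:14:09 +0000] "POST /OA_HTML/configurator/%55iServlet?a=1 HTTP/1.1" 200 51002 "-" "curl/8.0"',
    '203.0.113.7 - - [02/Aug/2025:03:14:12 +0000] "GET //OA_HTML/configurator/SyncServlet HTTP/1.1" 500 - "-" "curl/8.0"',
    '198.51.100.20 - - [02/Aug/2025:09:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [02/Aug/2025:09:01:00 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def normalize_path(target):
    """Drop the query string, decode %-escapes, collapse '//', '.' and '..'."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/{2,}", "/", path)).lower()

def hunt(lines, min_hits=3):
    """Summarize, per client IP, requests that reached the watched servlets."""
    per_ip = defaultdict(lambda: {"hits": 0, "bytes": 0, "paths": set(), "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = normalize_path(m["target"])
        if not path.startswith(WATCHED):
            continue
        entry = per_ip[m["ip"]]
        entry["hits"] += 1
        entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        entry["paths"].add(path)
        entry["statuses"].add(int(m["status"]))
    for entry in per_ip.values():
        # min_hits is an illustrative threshold; tune it to your own baseline.
        entry["high_volume"] = entry["hits"] >= min_hits
    return dict(per_ip)

if __name__ == "__main__":
    for ip, entry in hunt(SAMPLE).items():
        print(ip, entry)
```

Sources flagged `high_volume`, or any source with large `bytes` totals on 200 responses, are the ones to correlate with proxy/WAF and application error logs.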
FAQ
Q1. Is CVE-2025-61884 less dangerous because it is not an RCE?
No. Though it differs from remote code execution in nature, the risk should not be underestimated. When combined with an initial access vector such as an RCE (e.g., CVE-2025-61882), it enables a realistic chain: initial access → privilege expansion → sensitive data collection and exfiltration.
Q2. Is applying the patch enough?
Patch deployment is essential and the first step, but patches alone may not remove the risk of re-exposure, bypass, or detection-evasion. Implement a defense-in-depth strategy incorporating patching, access controls, WAF rules, and continuous monitoring.
Conclusion
CVE-2025-61884 permits unauthenticated access to configuration data in Oracle EBS’s Runtime UI. Response priorities are clear: apply patches → eliminate external exposure → conduct log forensics → rotate secrets → enable sustained monitoring. Using Criminal IP’s title/path–based detection provides a consistent method to check both internal assets and supply-chain exposure.
In relation to this, you can refer to Oracle WebLogic Server Vulnerability CVE-2020-2883: A 5-Year Threat to Server Control.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.
Sources: Criminal IP (https://www.criminalip.io/), Help Net Security (https://www.helpnetsecurity.com/2025/10/12/another-remotely-exploitable-oracle-ebs-vulnerability-requires-your-attention-cve-2025-61884/), The Register (https://www.theregister.com/2025/10/14/oracle_rushes_out_another_emergency/), DailySecu (https://www.dailysecu.com/news/articleView.html?idxno=201262)
Related Article: https://www.criminalip.io/knowledge-hub/blog/24595
