Full Report
Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. [...]
Analysis Summary
# Vulnerability: Oracle E-Business Suite Unauthenticated SSRF Fixed After Exploit Leak
## CVE Details
- CVE ID: CVE-2025-61884
- CVSS Score: N/A (no severity score is given in the source; the flaw is confirmed as actively exploited)
- CWE: Server-Side Request Forgery (SSRF)
## Affected Systems
- Products: Oracle E-Business Suite (EBS)
- Versions: Not explicitly listed; affected installations are those without the out-of-band security update that addresses this flaw.
- Configurations: N/A
## Vulnerability Description
CVE-2025-61884 is a pre-authentication Server-Side Request Forgery (SSRF) flaw in Oracle E-Business Suite. Successful exploitation allows remote attackers to access sensitive resources without any credentials. The flaw was publicly weaponized by the ShinyHunters group via a leaked proof-of-concept exploit targeting the `/configurator/UiServlet` endpoint as part of a larger attack chain (which may include elements related to CVE-2025-61882).
## Exploitation
- Status: Actively exploited in the wild (confirmed by breaches and subsequent public exploit leak by ShinyHunters).
- Complexity: Low (remotely exploitable without authentication).
- Attack Vector: Network
## Impact
- Confidentiality: Access to sensitive resources.
- Integrity: Potential for further impact via related exploitation chains.
- Availability: Not explicitly detailed, but unauthorized access and potential request manipulation pose a risk.
## Remediation
### Patches
- Oracle released an out-of-band security update over the weekend (prior to Oct 14, 2025) specifically addressing CVE-2025-61884. The patch validates the attacker-supplied `return_url` parameter against a strict regular expression, rejecting values that contain injected CRLF sequences.
- **Action:** Install the latest security updates from Oracle addressing CVE-2025-61884.
### Workarounds
- If patching is not immediately possible, add a new **mod_security rule** that specifically blocks all access to the `/configurator/UiServlet` endpoint to mitigate the SSRF component until the patch can be applied.
## Detection
- **Indicators of Compromise (IOCs):** The attack vector involves targeting the `/configurator/UiServlet` endpoint.
- **Detection methods and tools:** Monitor web application traffic, particularly requests directed at `/configurator/UiServlet`, for anomalies or injections targeting the `return_url` field. Application firewalls (such as mod_security) should be configured with appropriate rules to block suspicious traffic patterns.
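The detection guidance above can be turned into a log triage check. The following is an added example, not code from the report, from Oracle, or from watchTowr: it parses combined-format web access-log lines (constructed sample lines, RFC 5737 documentation addresses), picks out every request to `/configurator/UiServlet`, and classifies each one as plain endpoint access, a `return_url` that fails a conservative allow-list, or a `return_url` carrying raw or percent-encoded CRLF. The allow-list regular expression is an assumed illustration of the "strict regular expression" the advisory mentions and is not Oracle's actual pattern; the log format and the sample EBS paths are likewise assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory.
TARGET_PATH = "/configurator/UiServlet"

# CRLF in raw, single-encoded or double-encoded form.
CRLF_RE = re.compile(r"(\r|\n|%0d|%0a|%250d|%250a)", re.IGNORECASE)

# ASSUMPTION: an illustrative allow-list for return_url (same-host relative
# path, conservative character set). This is not Oracle's actual regex.
RETURN_URL_ALLOWED = re.compile(r"^/[A-Za-z0-9_./?=&%-]*$")

# Combined-format access log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Oct/2025:10:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Oct/2025:10:00:02 +0000] '
    '"GET /configurator/UiServlet?return_url=/OA_HTML/AppsLogin HTTP/1.1" 200 1024',
    '198.51.100.9 - - [14/Oct/2025:10:00:03 +0000] '
    '"GET /configurator/UiServlet?return_url=http://198.51.100.9/x%0d%0aX-Test:%201 HTTP/1.1" 200 64',
    '198.51.100.9 - - [14/Oct/2025:10:00:04 +0000] '
    '"GET /configurator/UiServlet?return_url=http://198.51.100.9/ HTTP/1.1" 200 64',
]


def inspect_log_line(line):
    """Return request details if the line targets the servlet, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith(TARGET_PATH):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    return_url = query.get("return_url", [None])[0]
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": parts.path,
        "return_url": return_url,  # percent-decoded once by parse_qs
        "raw_query": parts.query,
    }


def classify(hit):
    """Rank a servlet hit: CRLF injection > allow-list failure > bare access."""
    ru = hit["return_url"]
    if ru is not None and (CRLF_RE.search(ru) or CRLF_RE.search(hit["raw_query"])):
        return "crlf-injection"
    if ru is not None and not RETURN_URL_ALLOWED.match(ru):
        return "invalid-return-url"
    # The workaround blocks the endpoint entirely, so any access is notable.
    return "endpoint-access"


def scan(lines):
    """Produce one alert per request that reaches the servlet."""
    alerts = []
    for line in lines:
        hit = inspect_log_line(line)
        if hit is None:
            continue
        alerts.append({
            "ip": hit["ip"],
            "ts": hit["ts"],
            "kind": classify(hit),
            "return_url": hit["return_url"],
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} {alert["kind"]} return_url={alert["return_url"]!r}')
```

Because `parse_qs` decodes one layer of percent-encoding, the CRLF check is applied both to the decoded `return_url` and to the raw query string, so a double-encoded `%250d%250a` is still caught. Treating every hit on the endpoint as an alert matches the workaround's intent of blocking the servlet outright until the patch is installed.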
## References
- Oracle Security Alert for CVE-2025-61884 (URL defanged: `hXXps://www.oracle.com/security-alerts/alert-cve-2025-61884.html`)
- WatchTowr Labs write-up for technical details (URL defanged: `hXXps://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/`)