Oracle on Saturday issued a security alert warning of a fresh security flaw impacting its E-Business Suite that it said could allow unauthorized access to sensitive data.
The vulnerability, tracked as CVE-2025-61884, carries a CVSS score of 7.5, indicating high severity. It affects versions from 12.2.3 through 12.2.14.
“Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD). “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”
In a standalone alert, Oracle said the flaw is remotely exploitable without requiring any authentication, making it crucial that users apply the update as soon as possible. The company, however, makes no mention of it being exploited in the wild.
Oracle’s Chief Security Officer, Rob Duhart, pointed out that the vulnerability affects “some deployments” of E-Business Suite and that it could be weaponized to allow access to sensitive resources.
The development comes shortly after Google Threat Intelligence Group (GTIG) and Mandiant disclosed that dozens of organizations may have been impacted following the zero-day exploitation of CVE-2025-61882 in Oracle’s E-Business Suite (EBS) software.
The attacks have been found to leverage the vulnerability to trigger two different payload chains, dropping malware families like GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE.
While the tech giant did not specifically attribute the activity to a specific named threat actor or group, it’s believed that the attackers are orchestrated by a hacking group with ties to the Cl0p ransomware crew.
Zander Work, senior security engineer at GTIG, told The Hacker News that they have observed evidence that both the “/OA_HTML/configurator/UiServlet” (observed in July 2025) and “/OA_HTML/SyncServlet”-related exploit chains (observed in August 2025) have been exploited in the wild as a zero-day. It’s worth noting that CVE-2025-61882 addresses the leaked exploit chain targeting the UiServlet component.
“At this time, we are not able to attribute any specific exploitation activity to a specific actor, but it’s likely that at least some of the exploitation activity we observed was conducted by actors now conducting Cl0p-branded operations,” Work said.
