CVE-2025-61884

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html	Vendor Advisory
https://blogs.oracle.com/security/post/apply-july-2025-cpu	Vendor Advisory
https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/	Exploit Press/Media Coverage
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:oracle:configurator:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-10-12 03:15

Updated : 2025-10-27 17:08

NVD link : CVE-2025-61884

Mitre link : CVE-2025-61884

CVE.ORG link : CVE-2025-61884

JSON object : View

Products Affected

oracle

configurator

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-287

Improper Authentication

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-501

Trust Boundary Violation

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2025-61884", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-10-12T03:15:34.720", "references": [{"url": "https://www.oracle.com/security-alerts/alert-cve-2025-61884.html", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://blogs.oracle.com/security/post/apply-july-2025-cpu", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/", "tags": ["Exploit", "Press/Media Coverage"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884", "tags": ["US Government Resource"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-93"}, {"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-444"}, {"lang": "en", "value": "CWE-501"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."}], "lastModified": "2025-10-27T17:08:49.037", "cisaActionDue": "2025-11-10", "cisaExploitAdd": "2025-10-20", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:configurator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CC0EA09-3974-4A14-8724-27020AECB5A8", "versionEndIncluding": "12.2.14", "versionStartIncluding": "12.2.3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability"}