Oracle has announced the immediate availability of a patch for another severe E-Business Suite (EBS) vulnerability, a disclosure that comes amidst an ongoing investigation into widespread extortion attempts against EBS customers.
The newly patched flaw, tracked as CVE-2025-61884, has been assigned a ‘high severity’ rating. According to Oracle’s advisory, the vulnerability is found within the Runtime UI component of Oracle Configurator. Critically, it can be exploited remotely by an attacker without requiring authentication or user interaction, posing a direct threat to sensitive organizational data.
Context Of Exploitation
The patching of CVE-2025-61884 arrives just two weeks after executives at dozens of organizations received threatening extortion emails. These messages claimed that sensitive information had been stolen from their respective EBS instances.
While Oracle initially attributed the attacks to vulnerabilities patched in July 2025, the company later conceded that a separate zero-day flaw, tracked as CVE-2025-61882, was also likely leveraged by the attackers.
Over the weekend, Oracle informed customers about the existence of CVE-2025-61884 and the patch for it, but has not yet confirmed whether the flaw was actively exploited in the recent attacks. It is possible the vulnerability was discovered during the internal investigation into CVE-2025-61882.
Rob Duhart, the CSO of Oracle, emphasized the danger of the new vulnerability, stating that if successfully exploited, it “may allow access to sensitive resources” in affected EBS deployments.
Attribution Battle & Sophisticated Malware
The full scope of the recent attacks remains unclear, particularly regarding which specific CVEs and vulnerability combinations were utilized.
Furthermore, the identity of the threat actor is contested. The initial extortion claims were falsely made under the name of the notorious Cl0p group. However, analysis by the Google Threat Intelligence Group (GTIG) and Mandiant has established multiple links to the cybercrime group FIN11. FIN11 has a history of using Cl0p ransomware in certain operations, but a definitive, confident attribution for the recent EBS breaches is still pending.
Regardless of attribution, the attackers employed sophisticated malware to achieve their objectives. Given that FIN11 and Cl0p-linked campaigns have historically resulted in the mass theft of sensitive data from clients of services like MOVEit, Fortra, and Accellion, the belief that significant amounts of data were stolen from the EBS victims is not surprising.
Affected organizations are urged to apply the patch for CVE-2025-61884 immediately to secure their EBS environments.

