Oracle Configurator - Authentication Bypass (CVE-2025-61884)

CVE-2025-61884 is a vulnerability in Oracle Configurator within Oracle E-Business Suite (versions 12.2.3 to 12.2.14) that allows unauthenticated attackers with network access to compromise the system via HTTP. Exploiting this flaw could grant unauthorized access to sensitive or critical data managed by Oracle Configurator, posing a significant confidentiality risk.

CrowdSec has been tracking this vulnerability and its exploits since 5th of November 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2025-61884 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-61884. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit this vulnerability by sending crafted POST requests to the /OA_HTML/configurator/UiServlet endpoint, embedding external URLs in the return_url parameter to trigger server-side request forgery (SSRF) in Oracle E-Business Suite.