Oracle Configurator - Authentication Bypass (CVE-2025-61884)

CVE-2025-61884 is a vulnerability in Oracle Configurator within Oracle E-Business Suite (versions 12.2.3 to 12.2.14) that allows unauthenticated attackers with network access to compromise the system via HTTP. Exploiting this flaw could grant unauthorized access to sensitive or critical data managed by Oracle Configurator, posing a significant confidentiality risk.

CrowdSec has been tracking this vulnerability and its exploits since 5th of November 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-61884 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-61884 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-61884 continues to be an active part of the threat landscape and will likely remain this way for the forseeable future.

Attackers exploit this vulnerability by sending crafted POST requests to the /OA_HTML/configurator/UiServlet endpoint, embedding external URLs in the return_url parameter to trigger server-side request forgery (SSRF) in Oracle E-Business Suite.