Oracle Configurator - Authentication Bypass (CVE-2025-61884)

CVE-2025-61884 is a vulnerability in Oracle Configurator within Oracle E-Business Suite (versions 12.2.3 to 12.2.14) that allows unauthenticated attackers with network access to compromise the system via HTTP. Exploiting this flaw could grant unauthorized access to sensitive or critical data managed by Oracle Configurator, posing a significant confidentiality risk.

CrowdSec has been tracking this vulnerability and its exploits since 5th of November 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-61884 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. In addition, according to the CrowdSec network, attack volume against CVE-2025-61884 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit this vulnerability by sending crafted POST requests to the /OA_HTML/configurator/UiServlet endpoint, embedding external URLs in the return_url parameter to trigger server-side request forgery (SSRF) in Oracle E-Business Suite.