Oracle Patches EBS Vulnerability Allowing Access to Sensitive Data

It’s unclear if the new Oracle E-Business Suite flaw, which can be exploited remotely without authentication, has been used in the wild.  

Oracle over the weekend announced the availability of a patch for another severe E-Business Suite (EBS) vulnerability that can be exploited to gain access to sensitive data.

The newly patched flaw is tracked as CVE-2025-61884 and it has been assigned a ‘high severity’ rating. According to Oracle’s advisory, it impacts the Runtime UI component of Oracle Configurator and it can be exploited remotely without authentication and without requiring user interaction.

The disclosure and patching of CVE-2025-61884 come roughly two weeks after executives at dozens of organizations received extortion emails claiming that sensitive information had been stolen from their EBS instance.

Oracle initially said the attacks exploited vulnerabilities patched in July 2025. It later admitted that a zero-day tracked as CVE-2025-61882 was also likely exploited. 

Over the weekend, Oracle informed customers about CVE-2025-61884, but has not said whether it has been exploited. It’s possible that CVE-2025-61884 was discovered during the investigation into CVE-2025-61882 and that it could be exploited in similar attacks but has not actually been used in the wild.

“[CVE-2025-61884] affects some deployments of Oracle E-Business Suite,” said Rob Duhart, the CSO of Oracle. “If successfully exploited, this vulnerability may allow access to sensitive resources.”

On the other hand, it’s still unclear exactly which CVEs and CVE combinations have been exploited in the recent attack. 

The attacks targeting Oracle EBS customers were claimed by the Cl0p group (likely due to its reputation), but Google Threat Intelligence Group (GTIG) and Mandiant have found multiple links to the FIN11 cybercrime group, which has been known to use the Cl0p ransomware in some of its attacks. However, GTIG and Mandiant have yet to confidently attribute the attack to a specific threat group.

In addition to exploiting vulnerabilities, the threat actors used sophisticated malware to achieve their goals. 

The hackers are believed to have stolen significant amounts of data from some of the victims, which is not surprising. Previous large-scale campaigns linked to FIN11 and Cl0p resulted in the theft of sensitive information from customers of Cleo, MOVEit, Fortra and Accellion file transfer products.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
