Overview
- Tracked as CVE-2025-61884, the Runtime UI/Configurator vulnerability is remotely exploitable without authentication and can expose sensitive resources.
- The flaw carries a CVSS score of 7.5 and affects Oracle E‑Business Suite versions 12.2.3 through 12.2.14, with Oracle noting it impacts some deployments.
- Researchers and affected customers say this weekend’s update closes the pre-auth SSRF targeted by a publicly leaked UiServlet exploit, though Oracle has not confirmed in-the-wild use.
- Oracle has not linked CVE-2025-61884 to the recent extortion and data-theft activity that researchers tie to other EBS bugs, including CVE-2025-61882, which targeted the /OA_HTML/SyncServlet path.
- Security guidance urges rapid patching, installation of all recent EBS updates, and, if updates must be deferred, use of mod_security rules to block /configurator/UiServlet and proactive threat hunting on internet-facing instances.
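The threat-hunting step above can be started from the web tier's access logs: any request that reaches the two servlet paths named in this summary is worth reviewing, and a request with no authenticated user is exactly what a pre-auth reach would look like. The script below is an added example and is not code from Oracle or from any of the researchers cited; it assumes the front end writes Apache "combined" format logs (as Oracle HTTP Server can), and the log lines in it are constructed sample data, not captured traffic.

```python
"""Hunt an Apache/OHS-style access log for requests to the Oracle EBS
servlet paths named in the advisory summary.  Log lines below are
constructed sample data, not captured from a real system."""
import re
from collections import Counter

# Paths from the summary: the UiServlet endpoint closed by the CVE-2025-61884
# update and the SyncServlet path associated with CVE-2025-61882.
WATCHED_PATHS = ("/configurator/UiServlet", "/OA_HTML/SyncServlet")

# Apache "combined" format (assumed):
# ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: two hits on UiServlet from one source, one hit on
# SyncServlet, two ordinary authenticated requests, and one malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Oct/2025:03:14:07 +0000] "POST /configurator/UiServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.5 - jdoe [11/Oct/2025:08:02:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Oct/2025:03:14:09 +0000] "POST /configurator/UiServlet?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"
192.0.2.9 - - [11/Oct/2025:05:40:55 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 128 "-" "curl/8.4.0"
198.51.100.5 - jdoe [11/Oct/2025:08:03:40 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_watched(path):
    """True if the request path is one of the watched servlets.

    The comparison ignores the query string and a trailing slash, and also
    matches sub-paths, so '/configurator/UiServlet?x=1' is a hit while
    '/configurator/UiServletX' is not.
    """
    bare = path.split("?", 1)[0].rstrip("/")
    return any(bare == p or bare.startswith(p + "/") for p in WATCHED_PATHS)


def hunt(log_text):
    """Return one record per request that touched a watched path."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole hunt
        if is_watched(rec["path"]):
            hits.append({
                "line": lineno,
                "ip": rec["ip"],
                "time": rec["time"],
                "method": rec["method"],
                "path": rec["path"],
                "status": int(rec["status"]),
                # '-' in the user field means no authenticated user was logged
                "unauthenticated": rec["user"] == "-",
                "ua": rec["ua"] or "",
            })
    return hits


def summarize(hits):
    """Count hits per source address and per watched path (query string stripped)."""
    by_ip = Counter(h["ip"] for h in hits)
    by_path = Counter(h["path"].split("?", 1)[0] for h in hits)
    return {"total": len(hits), "by_ip": dict(by_ip), "by_path": dict(by_path)}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        flag = "(no auth user)" if h["unauthenticated"] else ""
        print(f"line {h['line']}: {h['ip']} {h['method']} {h['path']} -> {h['status']} {flag} ua={h['ua']}")
    print(summarize(found))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the per-source counts from `summarize` are the quickest way to spot a single address probing the servlet repeatedly, and a 200 on a watched path from an unauthenticated request is the first thing to escalate.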