Oracle issues second emergency patch for E-Business Suite in two weeks


Oracle has issued its second emergency security update in less than two weeks for its E-Business Suite (EBS), patching a high-severity information disclosure vulnerability that security experts warn could become the next target for ransomware groups already circling the widely deployed enterprise software.

The company released a security alert on October 11 addressing CVE-2025-61884, a remotely exploitable flaw in the Runtime UI component of Oracle Configurator that affects EBS versions 12.2.3 through 12.2.14. With a CVSS base score of 7.5, the vulnerability allows an unauthenticated attacker with network access to the affected component to read sensitive data; no credentials or user interaction are needed.

“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle stated in its advisory. “If successfully exploited, this vulnerability may allow access to sensitive resources.”

Oracle has not confirmed whether CVE-2025-61884 is being actively exploited in the wild. However, the timing has security professionals on high alert. The patch arrived just one week after Oracle released an emergency fix for CVE-2025-61882, a critical remote code execution flaw that the Cl0p ransomware gang exploited as a zero-day in a mass data theft campaign that began in August, months before a fix existed.

“Given historical targeting and the recent Cl0p ransomware activity, threat actors are likely to express interest and attempt exploitation in the near future,” Arctic Wolf, a cybersecurity operations company, warned in its analysis of CVE-2025-61884.

Why ERP systems have become prime targets

That warning reflects a broader pattern that security experts are watching closely. Two emergency EBS patches in two weeks, one for a critical remote code execution flaw and one for a high-severity information disclosure flaw, signal a shift in how threat actors target enterprises: away from the perimeter and toward the business applications behind it.

“Back-to-back zero-days in Oracle EBS highlight how threat actors are increasingly targeting high-value enterprise applications that underpin financial and operational workflows,” said Sakshi Grover, senior research manager for cybersecurity services at IDC Asia/Pacific. “These systems are deeply integrated, customized, and difficult to patch quickly, making them attractive targets for exploitation.”

Sunil Varkey, advisor at Beagle Security, argued that the security industry’s historical blind spot around ERP systems has created today’s crisis. “In the past, CISOs saw ERP systems as someone else’s problem, protected by the perimeter, too risky to touch, and too complex to understand,” Varkey said. “ERP systems are no longer isolated. They are now connected to everything: cloud services, supplier portals, e-commerce platforms, and IoT sensors and web-facing components. This has exploded their attack surface.”

The vulnerability affects the same version range as CVE-2025-61882, and organizations running internet-exposed EBS instances face particular risk. Security researchers noted that information disclosure flaws, while less severe than remote code execution, can give an attacker the reconnaissance data needed to chain several exploits together, a technique sophisticated threat actors have demonstrated repeatedly.

“Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible,” Rob Duhart, Oracle’s Chief Security Officer, emphasized in a separate blog post.

Immediate actions for CVE-2025-61884

Oracle has provided patches for CVE-2025-61884 for all affected versions covered under Premier Support or Extended Support. However, security experts warned that patching alone may not be sufficient. The lesson of the CVE-2025-61882 attacks is that the Cl0p campaign began in August, before any fix existed, so a patch applied now closes the entry point but does nothing about anything an attacker already planted. Organizations need to hunt for signs of prior compromise even after applying fixes.

In a detailed technical analysis of the CVE-2025-61882 campaign, Google Threat Intelligence Group and Mandiant outlined specific hunting techniques for EBS environments. The researchers found that threat actors “store payloads directly in the EBS database” and recommended that “administrators should immediately query the XDO_TEMPLATES_B and XDO_LOBS tables to identify malicious templates.”
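A starting point for that hunt, as an added example that is not from the original article and not the query published by Google Threat Intelligence Group or Mandiant: three read-only statements over the two tables named above. It assumes the standard EBS 12.2 data model in the APPS schema (TEMPLATE_CODE and the usual CREATION_DATE/LAST_UPDATE_DATE audit columns on XDO_TEMPLATES_B; FILE_DATA as a BLOB on XDO_LOBS, linked to a template by LOB_CODE and APPLICATION_SHORT_NAME), that the August start of the Cl0p campaign is a usable cut-off date, and that a baseline copy of XDO_TEMPLATES_B from a trusted backup has been loaded under the hypothetical name XDO_TEMPLATES_B_BASELINE. The byte markers searched for are assumptions about what a Java or JSP payload would contain, not indicators published on this page.

```sql
-- Added hunt queries (not from the article or the Google/Mandiant report).
-- Assumptions: APPS schema; XDO_LOBS.FILE_DATA is a BLOB; a template's LOB is
-- linked to XDO_TEMPLATES_B by LOB_CODE = TEMPLATE_CODE and the same
-- APPLICATION_SHORT_NAME; XDO_TEMPLATES_B_BASELINE is a hypothetical copy of
-- the table taken from a trusted backup. Run read-only, as a DBA, from a
-- clean host rather than from the possibly compromised application tier.

-- 1) Templates created or modified since the campaign window opened.
--    Every row should match a change ticket; anything unexplained is a
--    candidate for the byte-level check in (2).
SELECT t.template_code,
       t.application_short_name,
       t.template_type_code,
       t.created_by,
       t.creation_date,
       t.last_updated_by,
       t.last_update_date
FROM   apps.xdo_templates_b t
WHERE  t.creation_date    >= DATE '2025-08-01'
   OR  t.last_update_date >= DATE '2025-08-01'
ORDER  BY t.last_update_date DESC;

-- 2) Template LOBs whose raw bytes contain Java/JSP markers. Genuine BI
--    Publisher templates are RTF, XSL or PDF and should contain none of
--    these. DBMS_LOB.INSTR needs a RAW pattern for a BLOB, hence the
--    UTL_RAW.CAST_TO_RAW wrapper. A hit is a candidate, not proof: export
--    the LOB and inspect it before acting.
SELECT l.application_short_name,
       l.lob_code,
       l.lob_type,
       l.file_name,
       l.last_updated_by,
       l.last_update_date,
       DBMS_LOB.GETLENGTH(l.file_data) AS lob_bytes
FROM   apps.xdo_lobs l
WHERE  l.file_data IS NOT NULL
  AND (   DBMS_LOB.INSTR(l.file_data, UTL_RAW.CAST_TO_RAW('<%'), 1, 1) > 0
       OR DBMS_LOB.INSTR(l.file_data, UTL_RAW.CAST_TO_RAW('java.lang.Runtime'), 1, 1) > 0
       OR DBMS_LOB.INSTR(l.file_data, UTL_RAW.CAST_TO_RAW('ProcessBuilder'), 1, 1) > 0
       OR DBMS_LOB.INSTR(l.file_data, UTL_RAW.CAST_TO_RAW('java.net.Socket'), 1, 1) > 0)
ORDER  BY l.last_update_date DESC;

-- 3) Templates present now that were not present in the trusted baseline.
--    Catches a planted template whose audit columns were back-dated, which
--    query (1) would miss.
SELECT t.template_code,
       t.application_short_name,
       t.creation_date,
       t.last_update_date
FROM   apps.xdo_templates_b t
WHERE  NOT EXISTS (SELECT 1
                   FROM   xdo_templates_b_baseline b
                   WHERE  b.template_code           = t.template_code
                   AND    b.application_short_name  = t.application_short_name)
ORDER  BY t.template_code;
```

Two caveats apply. The byte search assumes the LOB is stored uncompressed in a single-byte or UTF-8 encoding; a payload stored in another encoding or inside a compressed container will not match and needs the LOBs exported and scanned with a tool that decodes them. And an empty result set is not a clean bill of health: an attacker with database access can delete their template once the second-stage implant is running, so the table hunt should be combined with the outbound-traffic review described next.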

The Google team also emphasized network-level protections. “The observed Java payloads require outbound connections to C2 servers to fetch second-stage implants or exfiltrate data,” the researchers wrote, recommending organizations “block all non-essential outbound traffic from EBS servers to the internet.”

The Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog with an October 27 deadline for federal agencies. CVE-2025-61884 has not yet been added to the catalog, but experts suggested that, given the targeting pattern, organizations should treat both vulnerabilities with equal urgency.

Rethinking ERP security strategy

While immediate patching remains critical, security experts argued that the back-to-back Oracle vulnerabilities signal the need for a fundamental rethinking of how organizations secure business-critical applications.

“Beyond immediate remediation, security leaders should strengthen visibility across third-party dependencies, enforce least privilege within ERP environments, and invest in behavioral analytics to detect abnormal transactions before they cause business disruption,” Grover said. According to IDC’s Asia/Pacific Security Survey 2025, cited by Grover, 26% of enterprises are already driving identity-first security strategies aligned with business applications.

Varkey emphasized that ERP systems must be elevated to critical asset status. “ERP systems should be treated as critical assets with isolation, logging, monitoring, least privileges, segmentation, and zero trust enforcement,” he said. “Security teams should be part of the core governance team and define the security mandates.”
