Critical Oracle EBS Flaw Could Expose Sensitive Data

Critical Oracle EBS Flaw Could Expose Sensitive Data

Critical Oracle EBS Flaw Could Expose Sensitive Data

Image: Envato/GroundPicture

Oracle patches a high-severity EBS flaw that could let attackers bypass authentication and access sensitive enterprise data.

Écrit par
Ken Underhill
Ken Underhill
Oct 13, 2025

Oracle has released a patch for a severe vulnerability in its E-Business Suite (EBS) that could allow unauthenticated attackers to remotely access sensitive configuration data.

The flaw carries a high severity rating with a CVSS score of 7.5.

“If successfully exploited, this vulnerability may allow access to sensitive resources,” Oracle said in its recent advisory.

Recent attacks highlight ongoing risk for Oracle EBS users

CVE-2025-61884 poses a threat to enterprises running Oracle E-Business Suite, which supports essential functions like finance, manufacturing, and supply chain management.

If exploited, the flaw could let attackers skip authentication entirely and access sensitive business data.

The patch announcement follows a recent wave of extortion emails sent to executives at dozens of organizations, claiming that threat actors had stolen data from their EBS instances.

A different vulnerability, CVE-2025-61882, was likely exploited in that attack.

How the Oracle EBS vulnerability works

According to Oracle’s disclosure, the vulnerability resides in the Runtime UI of Oracle Configurator, a module used to manage product and service configurations within EBS.

It can be exploited remotely over HTTP — without authentication or user interaction — making it especially dangerous for internet-facing deployments.

The issue stems from an authentication bypass in how the Configurator Runtime UI validates user sessions.

Successful exploitation could allow attackers to retrieve configuration or system data without credentials. Because it primarily impacts confidentiality, Oracle has classified the vulnerability as a potential data exfiltration vector rather than a denial-of-service risk (DoS).

Oracle rates the flaw as network-accessible and of low complexity, meaning that attackers can exploit it without requiring privilege escalation or insider access.

Advertisement

Building a layered defense

Effective response requires not only immediate fixes but also strategic improvements to access control. Organizations should start with the following key steps:

  • Apply patches: Install the latest patch to ensure all systems are up to date.
  • Harden legacy systems: Migrate from unsupported or outdated versions and apply configuration hardening baselines to reduce exposure.
  • Restrict and segment access: Limit HTTP and network access to administrative interfaces through segmentation, VPN restrictions, and firewall rules aligned with zero-trust principles.
  • Monitor and log activity: Enable detailed logging and alerting for unusual authentication or HTTP activity.
  • Review credentials and integrations: Enforce least privilege and multi-factor authentication (MFA) for admin accounts, and audit all connected APIs, middleware, and third-party integrations.
  • Strengthen resilience and response: Conduct regular vulnerability scans, maintain secure offline backups, and update incident response plans to address enterprise resource planning (ERP) specific threats.

By combining immediate remediation with long-term access control improvements, organizations can better defend against evolving threats

While Oracle has not stated if it has observed active exploitation, organizations are encouraged to act preemptively.

Previous zero-day exploitation of CVE-2025-61882 led to data theft campaigns linked to financially motivated groups such as FIN11, which has previously leveraged the Cl0p ransomware in large-scale supply chain attacks.

ERP platforms remain prime targets for threat actors

The recent vulnerability of Oracle EBS highlights the persistent challenges in securing complex enterprise resource planning (ERP) systems.

These platforms — often containing vast stores of financial, operational, and customer data — remain high-value targets for attackers seeking maximum leverage.

Even with robust patch management programs in place, zero-day vulnerabilities and delayed updates can still leave organizations vulnerable.

As threat actors increasingly exploit ERP systems for data extortion rather than disruption, maintaining rigorous patch hygiene and continuous monitoring remains essential.

Editor’s note: This article first appeared on our sister publication, eSecurityPlanet.com.

Speaking of vulnerabilities, did you know that a recent investigation found that OpenAI models can be tricked into handing out instructions for creating explosives and chemical weapons? OpenAI said they addressed the issue, but anxiety lingers.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.