PT-2025-41705 · Oracle · Oracle Configurator

Published 2025-10-12 · Updated 2025-10-15 · CVE-2025-61884

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Oracle E-Business Suite versions 12.2.3 through 12.2.14

Description

An easily exploitable vulnerability exists in the Oracle Configurator product of Oracle E-Business Suite, specifically within the Runtime UI component. This flaw allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful exploitation can lead to unauthorized access to critical data or complete access to all Oracle Configurator accessible data. Reports indicate that similar vulnerabilities have been exploited by Cl0p-linked actors, and a proof-of-concept exploit has been publicly leaked by the ShinyHunters group. Approximately 18,900 vulnerable instances have been identified. The vulnerability is remotely exploitable without authentication, meaning no username or password is required for exploitation.

Recommendations

Apply the security updates or mitigations provided by Oracle as soon as possible for all affected versions.

Fix

Related Identifiers

CVE-2025-61884

Affected Products

Oracle Configurator