CVE-2025-61884

HIGH KEV RANSOMWARE NUCLEI

Oracle Configurator < 12.2.14 - SSRF

Title source: rule

Description

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Exploits (4)

github WORKING POC 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/Oracle_E_Business-CVE-2025-61884-SSRF.py
github WORKING POC 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2025/CVE-2025-61884.md
github SCANNER
by siddu7575 · poc
https://github.com/siddu7575/CVE-2025-61882-CVE-2025-61884

Nuclei Templates (1)

Oracle E-Business Suite - Server-Side Request Forgery
HIGHVERIFIEDby Kazgangap
FOFA: title="E-Business Suite"

References (4)

Scores

CVSS v3 7.5
EPSS 0.6080
EPSS Percentile 98.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CISA KEV 2025-10-20
VulnCheck KEV 2025-10-20
ENISA EUVD EUVD-2025-33878
Ransomware Use Confirmed
CWE
CWE-93 CWE-22 CWE-501 CWE-287 CWE-918 CWE-444
Status published
Products (1)
oracle/configurator 12.2.3 - 12.2.14
Published Oct 12, 2025
KEV Added Oct 20, 2025
Tracked Since Feb 18, 2026