CVE-2025-61884

Tags: HIGH · KEV · RANSOMWARE · NUCLEI

Oracle Configurator 12.2.3-12.2.14 - Unauthenticated CRLF Injection via Runtime UI

Title source: llm

Exploitation Summary

CVE-2025-61884 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added October 20, 2025), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including iSee857, halilkirazkaya, and siddu7575. A Nuclei detection template is also available.

AI-analyzed exploit summary:
The repository contains a functional exploit PoC for CVE-2026-22812, targeting OpenCode for remote command execution (RCE). The script establishes a session, then executes the 'id' command via a crafted JSON payload to the '/session/{id}/shell' endpoint, confirming vulnerability by checking for 'uid=' and 'gid=' in the response.

Description

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Exploits (3)

GitHub · Working PoC · 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/Oracle_E_Business-CVE-2025-61884-SSRF.py

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenCode (version not specified)
Authentication: none required
Prerequisites: Network access to the target · OpenCode service running and accessible
Analysis: devstral-2, Feb 27, 2026
GitHub · Working PoC · 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2025/CVE-2025-61884.md

This repository contains functional exploit code for multiple CVEs, including remote file inclusion, path traversal, and unauthorized file deletion vulnerabilities. Each PoC includes specific HTTP requests or commands to exploit the respective vulnerabilities.

Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Various (WordPress plugins, QNAP Photo Station, IBM Data Risk Manager, etc.)
Authentication: none required
Prerequisites: Network access to the target system · Specific software versions as listed in each CVE
Analysis: devstral-2, Feb 27, 2026
GitHub · Scanner
by siddu7575 · poc
https://github.com/siddu7575/CVE-2025-61882-CVE-2025-61884

The repository contains Nuclei templates for detecting CVE-2025-61882 and CVE-2025-61884 in Oracle E-Business Suite by checking the 'Last-Modified' header and version comparison. No exploit code is present, only detection logic.

Classification: Scanner (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Oracle E-Business Suite
Authentication: none required
Prerequisites: Network access to the target Oracle E-Business Suite instance
Analysis: devstral-2, Feb 19, 2026

Nuclei Templates (1)

Oracle E-Business Suite - Server-Side Request Forgery
Severity: High · Verified · by Kazgangap
FOFA: title="E-Business Suite"

Scores

CVSS v3: 7.5
EPSS: 0.5108
EPSS Percentile: 97.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: partial

Details

CISA KEV: 2025-10-20
VulnCheck KEV: 2025-10-20
ENISA EUVD: EUVD-2025-33878
Ransomware Use: Confirmed
CWE: CWE-93, CWE-22, CWE-501, CWE-287, CWE-918, CWE-444
Status: published
Products (1): oracle/configurator 12.2.3 - 12.2.14
Published: Oct 12, 2025
KEV Added: Oct 20, 2025
Tracked Since: Feb 18, 2026