E-Business Suite: Oracle secures software again out-of-band
In the wake of a recently fixed vulnerability exploited for extortion, another, albeit less severe, has emerged. There is an update.
Ransomware extortion attempts targeting users of Oracle's E-Business Suite were recently made public. The attackers' entry point: the critically rated zero-day security vulnerability CVE-2025-61882 (CVSS score 9.8), which allowed remote code execution. Oracle subsequently released an emergency update to patch the vulnerable E-Business versions.
The company has now found another vulnerability and has once again provided an out-of-band security patch. The vulnerability CVE-2025-61884 has been assigned a CVSS score of “high” (CVSS score 7.5).
As with its “predecessor,” E-Business Suite versions 12.2.3 through 12.2.14 are vulnerable. Details and links to the update are provided by Oracle's security advisory for CVE-2025-61884. Users of the vulnerable versions should also apply this (independent) patch as soon as possible, according to Oracle's recommendation.
Update & stay vigilant
The lower risk classification compared to CVE-2025-61882 and the fact that CVE-2025-61884 likely does not allow direct code execution should not lull users into a false sense of security. After all, according to Oracle, the vulnerability can be exploited by remote, unauthenticated attackers under certain conditions to access sensitive data. This could make it quite interesting for extortionist attackers who like to combine multiple vulnerabilities.
Nothing is yet known about active attacks or exploit code for CVE-2025-61884, unlike for CVE-2025-61882, which is circulating in the wild.
Given that current extortion attempts affect hundreds, if not thousands, of companies according to estimates by Google's security experts, users of the E-Business Suite should generally remain vigilant. It is not unlikely that Oracle will patch and publicize further vulnerabilities during current code analyses—and that cybercriminals will also be looking for related attack possibilities.
(ovw)