CVE-2025-61884
CVE-2025-61884 is a high-severity vulnerability in Oracle Configurator with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-10-20). The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 98% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-10-20)
- EU (EUVD) id: EUVD-2025-33878
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-10-20)
- Weakness: CWE-22
- Affected product: Oracle Configurator
- Published:
- Last modified:
Description
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2025-61884: Oracle Configurator Runtime UI Path Traversal (CWE-22)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2025-61884 |
| Product | Oracle Configurator (Oracle E-Business Suite) |
| Component | Runtime UI |
| Affected Versions | 12.2.3 – 12.2.14 |
| CVSS 3.1 | 7.5 (HIGH) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| EPSS | 97.58% (0.97582) |
| KEV | Yes — CISA KEV (added 2025-10-20); EUVD-2025-33878 |
| CWE | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) |
Summary
CVE-2025-61884 is an easily exploitable vulnerability in Oracle Configurator, a component of Oracle E-Business Suite. An unauthenticated attacker with network access can exploit the Runtime UI via HTTP to compromise the application and gain unauthorized access to critical data. The vulnerability has been actively exploited in the wild since October 2025.
Background
Oracle Configurator is a core component of Oracle E-Business Suite that enables product configuration and guided selling. The Runtime UI is the user-facing interface through which end users interact with configured products. As part of the Oracle E-Business Suite ecosystem, this component is typically exposed to internal networks and, in some deployments, to the internet. Oracle addressed this vulnerability in its July 2025 Critical Patch Update (CPU).
Root Cause
The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The Runtime UI fails to properly validate or sanitize input paths, allowing an attacker to traverse the filesystem and access files outside the intended directory. This improper path validation enables unauthorized read access to sensitive data stored on the application server or underlying operating system.
Impact
With a CVSS 3.1 Base Score of 7.5 (HIGH), the vulnerability poses a significant confidentiality risk:
| Metric | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | Unauthenticated |
| User Interaction | None | No user action needed |
| Scope | Unchanged | Impact limited to vulnerable component |
| Confidentiality | High | Total data access possible |
| Integrity | None | No direct integrity impact |
| Availability | None | No direct availability impact |
Successful exploitation can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.
Exploitation Walkthrough
Ethics Caveat: This section is provided for defensive awareness only. The information is intended to help security teams understand attack surface and detection opportunities, not to enable unauthorized access.
An unauthenticated attacker sends crafted HTTP requests to the Runtime UI endpoint. Due to insufficient path validation in the application, the attacker can manipulate directory traversal sequences (e.g., ../) to access files outside the web root. Typical targets include configuration files, log files, or other sensitive assets stored on the server. Because the attack requires no authentication or user interaction, it can be automated and scaled across exposed instances.
Affected and Patched Versions
- Affected: Oracle Configurator 12.2.3 through 12.2.14
- Patched: Oracle addressed this in the July 2025 Critical Patch Update (CPU). Organizations should apply the specific patch referenced in Oracle Security Alert CVE-2025-61884.
Remediation
- Apply Oracle Patch: Install the July 2025 CPU patch for Oracle Configurator as soon as possible.
- Compensating Controls: If patching is delayed, restrict network access to the Runtime UI to authorized administrative hosts only. Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences in HTTP requests.
- Verify Configuration: Ensure that the Oracle Configurator application server does not run with unnecessary privileges and that sensitive files are stored outside the web-accessible directories.
Detection
Monitor HTTP access logs for unusual request patterns targeting the Runtime UI, especially:
- Requests containing path traversal sequences (
../,%2e%2e%2f, encoded variants) - Unauthenticated access attempts to non-standard file paths
- Abnormal response sizes or status codes indicating successful file reads
Correlate with intrusion detection systems (IDS) and security information and event management (SIEM) platforms to identify potential exploitation attempts.
Assessment
With an EPSS score of 97.58% and confirmed inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog and EUVD-2025-33878, this vulnerability carries an exceptionally high probability of in-the-wild exploitation. The low attack complexity and lack of authentication requirements make it a prime target for automated exploitation.
Key Lessons:
- Path traversal vulnerabilities in web-facing components remain a critical attack vector, especially when unauthenticated access is possible.
- Active exploitation data (KEV, EPSS) should be weighted heavily in vulnerability prioritization, even when the CVSS score does not reach the critical threshold.
References
- https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
- https://blogs.oracle.com/security/post/apply-july-2025-cpu
- https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884
Frequently asked questions
- What is CVE-2025-61884?
- Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Runtime UI). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
- How severe is CVE-2025-61884?
- CVE-2025-61884 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2025-61884 being actively exploited?
- Yes. CVE-2025-61884 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-10-20, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-61884?
- CVE-2025-61884 affects Oracle Configurator. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-61884?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-61884 have an EU (EUVD) identifier?
- Yes. CVE-2025-61884 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-33878. It is also flagged as exploited in the EUVD (since 2025-10-20).
- When was CVE-2025-61884 published?
- CVE-2025-61884 was published on 2025-10-12 and last updated on 2026-06-17.
References
- https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
- https://blogs.oracle.com/security/post/apply-july-2025-cpu
- https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884
Affected products (1)
- cpe:2.3:a:oracle:configurator:*:*:*:*:*:*:*:*
More vulnerabilities in Oracle Configurator
- CVE-2021-2080 — High (CVSS 8.2): Vulnerability in the Oracle Configurator product of Oracle Supply Chain (component: UI Servlet). Supported versions…
- CVE-2021-2079 — High (CVSS 8.2): Vulnerability in the Oracle Configurator product of Oracle Supply Chain (component: UI Servlet). Supported versions…
- CVE-2021-2078 — High (CVSS 8.2): Vulnerability in the Oracle Configurator product of Oracle Supply Chain (component: UI Servlet). Supported versions…
- CVE-2020-14669 — High (CVSS 8.2): Vulnerability in the Oracle Configurator product of Oracle Supply Chain (component: UI Servlet). Supported versions…
- CVE-2016-3438 — High (CVSS 8.2): Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1, and…
- CVE-2022-21255 — High (CVSS 8.1): Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: UI Servlet). Supported versions…
All CVEs affecting Oracle Configurator →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…