CVE-2025-61884HIGH 7.5CISA KEVEPSS p99.9%
CVE-2025-61884Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability
Oracle / E-Business Suite
Description
Oracle E-Business Suite contains a server-side request forgery (SSRF) vulnerability in the Runtime component of Oracle Configurator. This vulnerability is remotely exploitable without authentication.
Scoring
| CVSS 3.1 | 7.5 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| EPSS | 97.58% probability of exploitation · percentile 99.9% · 2026-06-17T12:03:21Z |
| Published | 2025-10-12 |
| Last modified | 2025-10-27 |
CISA KEV entry
Added to KEV: 2025-10-20
Underlying weaknesses· 6
References
- https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
- https://blogs.oracle.com/security/post/apply-july-2025-cpu
- https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61884
6
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-22 | 0% | live |
| Weakness | Improper Authenticationcwe-287 | 0% | live |
| Weakness | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')cwe-444 | 0% | live |
| Weakness | Trust Boundary Violationcwe-501 | 0% | live |
| Weakness | Server-Side Request Forgery (SSRF)cwe-918 | 0% | live |
| Weakness | Improper Neutralization of CRLF Sequences ('CRLF Injection')cwe-93 | 0% | live |
(incoming)1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| KEVEntry | Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerabilitykev-cve-2025-61884 | 0% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.