October 14, 2025 By Lawrence Abrams

Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group.
The flaw, which Oracle said could be used to access "sensitive resources," was addressed with an out-of-band security update released over the weekend.
"This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite," reads Oracle's advisory.
"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources."
However, Oracle did not disclose that the flaw was actively exploited in attacks or that a public exploit had been released.
Multiple researchers, customers, and BleepingComputer have confirmed that the security update for CVE-2025-61884 now addresses the pre-authentication Server-Side Request Forgery (SSRF) flaw used by the leaked exploit.
BleepingComputer reached out to Oracle more than six times for comment about the updates and the lack of disclosure regarding active exploitation, but the company either did not reply or declined to comment.