The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a critical server-side request forgery (SSRF) flaw in Oracle E-Business Suite, tracked as CVE-2025-61884, has been actively exploited in the wild. The agency added the flaw to its Known Exploited Vulnerabilities catalog and has issued an emergency directive requiring federal agencies to apply Oracle’s fixes by November 10, 2025.
Initial Exploit Activity Traced to Leaked Proof-of-Concept and Multiple Campaign Timelines
Investigators trace the earliest exploitation to a proof-of-concept exploit that leaked publicly in early October. Security firms analyzing the activity say the leak enabled at least one July campaign that targeted the Oracle Configurator “UiServlet” endpoint, which is now confirmed as CVE-2025-61884. A separate August campaign used a different exploit chain against the SyncServlet endpoint, later mitigated under a separate advisory.
Those dual campaigns changed the threat calculus: what began as targeted abuse of the UiServlet SSRF vector appears to have been broadened once the exploit code was publicly disclosed. Incident responders reported that extortion actors used the access gained through those vulnerabilities to threaten organizations with data theft and follow-on extortion.
“The leaked exploit enabled attackers to weaponize an SSRF chain against Oracle E-Business Suite installations, turning a single misconfiguration into a data-theft vector.”
— Senior incident responder familiar with the investigations
Technical Mechanics of the Vulnerability and How Oracle’s Patch Addresses It
CVE-2025-61884 is an unauthenticated SSRF issue in the Oracle Configurator runtime component. In practice, the flaw lets a remote actor submit crafted requests that cause the server to issue internal network requests or expose internal resources. Exploitation can yield unauthorized access to data reachable from the affected application context and, in the hands of skilled operators, can support lateral movement inside enterprise networks.
Oracle’s remediation for the UiServlet chain implements stricter validation of an attacker-controlled return_url parameter. The patch enforces a regular expression check to ensure supplied URLs conform to allowed patterns; requests that fail validation are blocked. Oracle also shipped other mitigations and configuration guidance that harden the Configurator component and the affected servlet endpoints.
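The allowlist approach described above, as an added example that is not Oracle's patch code: a substring-style check of the kind that redirect and SSRF bypasses defeat, next to a strict validator for a return-URL parameter. The scheme and host allowlists, the path character class and every URL tested are constructed assumptions.

```python
# Added example (not Oracle's code): strict allowlist validation of a
# return_url-style parameter. Allowed hosts and the path pattern are assumptions.
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}                                     # assumption
ALLOWED_HOSTS = {"ebs.example.internal", "portal.example.com"}  # assumed allowlist
PATH_RE = re.compile(r"^/[A-Za-z0-9_\-./]*$")                   # anchored, no scheme chars

def weak_is_allowed(url):
    """Substring check of the kind that redirect/SSRF bypasses defeat (contrast only)."""
    return "example.com" in url

def return_url_is_allowed(url):
    """Strict allowlist: exact https scheme and host match, no userinfo, no explicit
    port, no IP literals, no traversal, and a path limited to an anchored charset."""
    if len(url) > 2048 or any(ch in url for ch in "\\\r\n\x00"):
        return False
    try:
        p = urlsplit(url)
        host, port = p.hostname or "", p.port   # .port raises on a non-numeric port
    except ValueError:
        return False
    if p.scheme not in ALLOWED_SCHEMES or port is not None:
        return False
    if p.username is not None or p.password is not None:
        return False                            # https://trusted@other-host/ confusion
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False                            # IP literals are never a valid return host
    except ValueError:
        pass                                    # not an IP literal; check the hostname
    if host not in ALLOWED_HOSTS:
        return False
    path = p.path or "/"
    return ".." not in path and PATH_RE.match(path) is not None
```

The point of the contrast is that a regex or allowlist must be anchored to the parsed scheme and host, not matched anywhere in the raw string.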
Evidence from Threat Intelligence Firms Shows Two Distinct Adversary Patterns and Extortion Follow-Up
Multiple threat intelligence providers report two distinct exploit waves. The July activity used the UiServlet SSRF chain and coincided with targeted reconnaissance and data exfiltration attempts. The August activity exploited a separate endpoint and was linked to extortion communications sent by a known ransomware-associated group. Analysts conclude the operations were opportunistic once exploit code circulated beyond the original operators.
Post-exploit activity frequently included emailing victim organizations with claims of stolen E-Business Suite data, followed by demands for payment or publication threats. While CISA has so far not published detailed incident data for individual victims, its inclusion of the vulnerability in the Known Exploited Vulnerabilities list reflects confirmed abuse and the high likelihood of follow-on extortion campaigns.
Urgent Mitigation Steps Organizations Must Take Beyond Patching
CISA’s directive targets federal agencies, but security teams in private industry should treat the issue with equal urgency. Recommended actions include: apply Oracle’s released patches immediately; review web application firewall and mod_security rules to block the specific servlet endpoints if immediate patching is infeasible; validate input sanitization for any integration points that accept external return URLs; and monitor application logs for anomalous outbound requests or unusual parameter values that match SSRF patterns.
Network defenders should prioritize segmentation to limit what the application can reach internally, enable strict egress filtering, and inspect abnormal internal HTTP requests that may signal attempted SSRF exploitation. Incident response teams should search for lateral movement indicators and unusual data access originating from E-Business Suite hosts.
Why This Matters for Enterprise ERP Security and Patch Management Posture
Enterprise resource planning systems like Oracle E-Business Suite often possess deep, privileged access to financial, HR, and operational data. SSRF flaws that let attackers coerce servers into accessing internal resources can expose exactly those sensitive assets. The rapid weaponization of a leaked proof-of-concept underscores a recurring pattern: once exploit code is public, attackers quickly adapt it for broad scans and opportunistic intrusions.
CISA’s emergency directive and the subsequent security community analyses should serve as a signal to accelerate patch cadence for high-risk enterprise applications and to expand testing of external-facing servlet endpoints for unexpected parameter handling. Organizations should also reassess their vulnerability disclosure monitoring and threat intelligence ingestion so leaked exploits are detected and triaged faster.
As investigations continue, defenders will be watching for additional indicators of compromise and for any secondary malware deployments tied to these intrusion campaigns. In the meantime, immediate application of Oracle’s patch and conservative hardening of servlet endpoints remain the most effective defenses.