Oracle has quietly released an out-of-band update that fixes a critical vulnerability in Oracle E-Business Suite tracked as CVE 2025 61884 after a proof of concept exploit was leaked by the ShinyHunters extortion group.
Researchers and customers confirm that the update patches a pre-authentication server-side request forgery flaw that was being abused to breach servers.
The flaw allowed unauthenticated access over the network and could be used to reach sensitive resources, Oracle says in its advisory. Multiple security teams found that the patch released over the weekend blocks the SSRF component of the leaked exploit by validating attacker-supplied return URLs and rejecting injected characters. That change stops the exploit vector that was publicly shared and used by some attackers to gain an initial foothold.
This fix comes amid a confusing string of incidents involving several Oracle E-Business Suite flaws. Earlier this month the Clop extortion gang sent ransom and data theft claims tied to an EBS vulnerability that was patched in July 2025. Shortly after, a different actor known as ShinyHunters published an exploit targeting the UiServlet endpoint. Oracle then issued an emergency update on October 4 for CVE 2025 61882 and followed with the more recent update covering CVE 2025 61884.
Security firms have not been fully aligned on which exploit chains map to which CVE, and that created uncertainty for defenders. Mandiant and CrowdStrike published reports that tied activity to a SyncServlet pathway, while watchTowr Labs analyzed the UiServlet exploit released by ShinyHunters. Mandiant now believes systems patched with the October 4 update are likely no longer vulnerable to the known chains, and the weekend update appears to close the SSRF component used by the leaked proof of concept.
If you run Oracle E-Business Suite, install the latest updates immediately. With technical details and exploit code circulating publicly, unpatched systems are at high risk. If you cannot patch right away, add a temporary mod security rule to block access to the configurator UiServlet endpoint to disrupt the SSRF stage of the leaked exploit until you can apply Oracle’s fixes.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
Oracle has not explained why its advisories and indicators of compromise sometimes referenced the leaked exploit incorrectly, and several requests for comment from reporters and researchers received no response. That lack of clarity makes it even more important for administrators to apply all recommended patches and follow vendor guidance to protect E Business Suite instances from active exploitation.





