The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical flaw in Oracle E-Business Suite following reports of active exploitation.
The vulnerability, tracked as CVE-2025-61884, poses significant risks to organisations using the widely deployed enterprise resource planning software. It allows remote attackers to compromise Oracle Configurator without authentication, potentially granting access to sensitive data or complete control over all Oracle Configurator–accessible information.
Oracle Configurator is a tool designed to automate product configuration and streamline complex ordering processes.
Last week, Harvard University confirmed it had been targeted in the Oracle EBS campaign, saying the incident affected “a limited number of parties associated with a small administrative unit.”
Envoy Air, a subsidiary of American Airlines, also said it fell victim to the same vulnerability.
Threat intelligence researchers believe that dozens of organisations worldwide may have been targeted in related attacks.
