Share
## https://sploitus.com/exploit?id=28CCEEBB-21D6-5D50-8527-B5E5EEE1F7E9
# ๐Ÿšจ CVE-2025-61884 โ€” High-Risk Oracle EBS Configurator Info Disclosure

## *๐ŸŒก๏ธ CVEโ€‘2025โ€‘61884 โ€” At a Glance*

```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘ CVE: CVE-2025-61884       โ–ช Severity: HIGH (Info Disclosure)   โ•‘
โ•‘ Product: Oracle E-Business Suite โ€” Configurator Runtime UI     โ•‘
โ•‘ Impact: Unauthorized access to business/configuration data     โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```

|        โš™๏ธ Field | ๐Ÿ“Œ Summary                                                                      |
| --------------: | :------------------------------------------------------------------------------ |
|          CVE ID | **CVE-2025-61884**                                                              |
|        Severity | High (CVSS ~7.5) โ€” unauthenticated info disclosure                              |
|        Affected | Oracle EBS 12.2.3 โ€“ 12.2.14 (Configurator Runtime UI)                           |
|   Attack Vector | Network (HTTP), no credentials needed                                           |
| Typical Outcome | Unauthorized access to configuration/business data, potential follow-on attacks |

---

# ๐Ÿ”ฌ What it *is*

> An unauthenticated attacker can craft HTTP requests to the Runtime UI, causing Oracle Configurator to return sensitive configuration or business data that should not be exposed.

```
[ Attacker ]
     โ”‚ crafted HTTP requests
     โ–ผ
[ Oracle Configurator Runtime UI ]
     โ”‚ returns sensitive config/business data
     โ–ผ
[ Data disclosed to attacker ]
```

---

# ๐Ÿงฉ Exploit Building Blocks



* ๐Ÿ”— SSRF-style requests (target internal API endpoints)
* ๐Ÿ” Missing authentication / access checks
* ๐Ÿ“„ Endpoint returns sensitive config/business LOBs
* ๐Ÿ›ก๏ธ Exposure can enable follow-on attacks or data exfiltration

---

# ๐Ÿ•ต๏ธโ€โ™€๏ธ Indicators of Compromise (IOCs)

| ๐Ÿ”Ž Category | ๐Ÿ”” Example                                                         |
| ----------- | ------------------------------------------------------------------ |
| Network     | Requests to Configurator Runtime UI from external/unexpected IPs   |
| HTTP        | Unusual query parameters, large response bodies, repeated probes   |
| App logs    | Successful unauthenticated access returning configuration payloads |
| DB          | Unexpected reads of configurator tables/LOBs                       |
| Files       | Exported JSON/XML files with sensitive configuration data          |

---

# ๐Ÿ›  Detection & Forensics

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ DETECTION STEPS โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ 1) Review HTTP access logs for Configurator Runtime UI calls.    โ”‚
โ”‚ 2) Inspect app logs for unauthenticated responses returning      โ”‚
โ”‚    configuration payloads.                                       โ”‚
โ”‚ 3) Monitor outbound flows for exfiltration patterns.             โ”‚
โ”‚ 4) Query DB audit logs for reads of configurator tables/LOBs.    โ”‚
โ”‚ 5) Snapshot systems before remediation if compromise suspected.  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

# ๐Ÿ›ก Mitigation & Response Playbook

**Immediate (0โ€“24h)**

* Apply Oracle emergency patch for CVEโ€‘2025โ€‘61884
* Restrict access to Runtime UI endpoints (IP allowlist / firewall / VPN)
* Strengthen logging and capture HTTP access for review

**Short Term (1โ€“7 days)**

* Hunt using IOC checklist; block offending IPs
* Limit application privileges; rotate credentials if compromise suspected
* Enable alerting on anomalous read patterns

**Medium Term (1โ€“4 weeks)**

* Fully patch & validate in staging
* Rebuild compromised hosts if exfiltration detected
* External penetration test / purple-team exercise

**Long Term**

* Network segmentation for public vs internal tiers
* Harden input validation / WAF tuned for EBS Runtime UI
* Maintain automated patch & vulnerability management

---

# ๐Ÿงพ Quick Hunting Commands

```
# Logs: filter for Runtime UI accesses
grep -i "configurator\|runtimeui" /var/log/httpd/access_log

# App logs: search for config payloads
grep -R --binary-files=text -E "config|configuration|attribute|property" /u01/oracle/inst

# DB audit: find reads of configurator tables
SELECT user_name, sql_text, timestamp
FROM dba_audit_trail
WHERE sql_text LIKE '%CONFIGURATOR%' AND timestamp > sysdate - 7;
```

---

# โš–๏ธ Risk & Impact

* ๐Ÿ”ฅ Probability: High for internet-accessible EBS Runtime UI
* ๐Ÿ’ฅ Impact: High โ€” exposure of sensitive config/business data; follow-on attacks possible
* ๐Ÿšจ Action: Patch + restrict access + hunt immediately

---

# โœ… Action Summary

1. **Patch** Oracle EBS immediately (emergency update)
2. **Restrict access** to Runtime UI endpoints if patching is delayed
3. **Hunt & remediate** using IOCs and logs for unauthorized data access

---