PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-61884 Oracle CVE debrief

CVE-2025-61884 is a server-side request forgery (SSRF) vulnerability in Oracle E-Business Suite. CISA added it to the Known Exploited Vulnerabilities catalog on 2025-10-20, which means the issue is confirmed to be under active exploitation. CISA also marks it as having known ransomware campaign use, making this a high-priority issue for defenders running Oracle E-Business Suite.

Vendor: Oracle
Product: E-Business Suite
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-10-20
Original CVE updated: 2025-10-20
Advisory published: 2025-10-20
Advisory updated: 2025-10-20

Who should care

Oracle E-Business Suite administrators, application owners, incident response teams, vulnerability management teams, and cloud/security operations staff responsible for systems that use or expose Oracle E-Business Suite.

Technical summary

The vulnerability is identified as an SSRF issue in Oracle E-Business Suite. The supplied official sources do not provide additional technical details beyond the vulnerability class, but CISA's KEV listing confirms known exploitation and references Oracle's security alert for vendor guidance.

Defensive priority

Urgent. This CVE is on CISA's Known Exploited Vulnerabilities catalog, was added on 2025-10-20, and has a mitigation due date of 2025-11-10 in the supplied KEV metadata.

Recommended defensive actions

  • Review Oracle's security alert for CVE-2025-61884 and apply the vendor-recommended mitigations.
  • Meet the CISA KEV mitigation due date of 2025-11-10.
  • If mitigations are unavailable, discontinue use of the product as directed in the CISA KEV guidance.
  • If the product is used in cloud services, follow applicable BOD 22-01 guidance.
  • Verify which Oracle E-Business Suite instances are in scope and prioritize remediation for any exposed or business-critical deployments.

Evidence notes

The supplied CISA KEV metadata identifies CVE-2025-61884 as an Oracle E-Business Suite SSRF vulnerability, with dateAdded 2025-10-20, dueDate 2025-11-10, and knownRansomwareCampaignUse set to Known. The KEV notes reference Oracle's security alert for this CVE and the NVD entry as official reference points.
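The defensive actions and evidence notes above amount to a triage loop: parse the KEV record, check how much time remains before the dueDate, weight ransomware linkage, and map the entry onto the instances actually deployed. The script below is an added example of that loop and is not PatchSiren's, CISA's or Oracle's code. It embeds a constructed sample shaped like the CISA KEV catalog JSON (field names as in the public catalog; the first record carries the dates and flags quoted in this debrief, while its description strings, the URL placeholders and the second record are constructed), a constructed host inventory, and an assumed "due within 14 days counts as urgent" threshold. It generalizes beyond this one CVE: it will triage any number of KEV records against the inventory.

```python
"""KEV triage helper: parse CISA KEV records, compute due-date pressure, and
match entries to an asset inventory.  Added example for this debrief; not
PatchSiren's, CISA's or Oracle's code."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample shaped like the CISA KEV catalog JSON.  The first record
# uses the dates and flags quoted in the debrief; its descriptive strings, the
# URL placeholders and the whole second record are illustrative only.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-61884",
            "vendorProject": "Oracle",
            "product": "E-Business Suite",
            "vulnerabilityName": "Oracle E-Business Suite SSRF Vulnerability",
            "dateAdded": "2025-10-20",
            "shortDescription": "Oracle E-Business Suite contains an SSRF vulnerability.",
            "requiredAction": "Apply mitigations per vendor instructions, follow "
                              "applicable BOD 22-01 guidance for cloud services, or "
                              "discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-11-10",
            "knownRansomwareCampaignUse": "Known",
            "notes": "<placeholder: Oracle security alert URL> ; <placeholder: NVD entry URL>",
        },
        {   # constructed second record: no ransomware linkage, deadline already passed
            "cveID": "CVE-0000-00000",  # placeholder id, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "ExampleProduct Example Vulnerability",
            "dateAdded": "2025-09-10",
            "shortDescription": "Constructed entry used to show the overdue path.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-10-01",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})

DUE_SOON_DAYS = 14  # assumption: anything due within two weeks is treated as urgent


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    ransomware_use: bool
    notes: str


def parse_kev(raw: str) -> list[KevEntry]:
    """Parse a KEV JSON document into typed entries (dates become date objects)."""
    doc = json.loads(raw)
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            # KEV uses the strings "Known"/"Unknown"; anything else counts as unknown.
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown").strip().lower() == "known",
            notes=v.get("notes", ""),
        )
        for v in doc["vulnerabilities"]
    ]


def days_until_due(entry: KevEntry, today: str) -> int:
    """Days left before dueDate (today as ISO date string); negative once overdue."""
    return (entry.due_date - date.fromisoformat(today)).days


def priority(entry: KevEntry, today: str) -> str:
    """'overdue' past the due date; 'urgent' if ransomware-linked or due soon; else 'high'."""
    remaining = days_until_due(entry, today)
    if remaining < 0:
        return "overdue"
    if entry.ransomware_use or remaining <= DUE_SOON_DAYS:
        return "urgent"
    return "high"


def triage(raw: str, today: str, inventory: dict[tuple[str, str], set[str]]) -> list[dict]:
    """One row per KEV entry whose (vendor, product) key has hosts in the inventory,
    ordered by priority then by remaining days, listing the affected hosts."""
    rank = {"overdue": 0, "urgent": 1, "high": 2}
    rows = []
    for entry in parse_kev(raw):
        hosts = inventory.get((entry.vendor, entry.product))
        if not hosts:
            continue  # no in-scope instances; nothing to remediate for this entry
        rows.append({
            "cve": entry.cve_id,
            "priority": priority(entry, today),
            "days_until_due": days_until_due(entry, today),
            "ransomware_use": entry.ransomware_use,
            "hosts": sorted(hosts),
        })
    rows.sort(key=lambda r: (rank[r["priority"]], r["days_until_due"]))
    return rows


if __name__ == "__main__":
    # Constructed inventory: hosts running Oracle E-Business Suite in this environment.
    inventory = {("Oracle", "E-Business Suite"): {"ebs-prod-01", "ebs-dev-01"}}
    for row in triage(SAMPLE_KEV_JSON, "2025-10-27", inventory):
        print(row)
```

In practice the raw JSON would come from a saved copy of the CISA catalog feed and the inventory from a CMDB export; the (vendor, product) matching is deliberately exact, so normalize vendor and product names on the inventory side before relying on it, and treat an empty result as "no match found", not as "nothing exposed".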

Official resources

According to the supplied corpus, the CVE was publicly disclosed on 2025-10-20. The available official metadata does not include a CVSS score, but it does identify the issue as actively exploited and associated with known ransomware campaign use.