Oracle had initially disclosed the vulnerability earlier this month, though without providing any details about exploitation.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a vulnerability impacting Oracle E-Business Suite customers has seen exploitation in ransomware attacks.
The vulnerability — tracked as CVE-2025-61884 — is separate from the flaw recently linked to a widespread data extortion campaign targeting E-Business Suite customers.
[Related: Google Says Oracle EBS Extortion Campaign Possibly Targeted Thousands, Could Date Back To July]
In an advisory Monday, CISA added CVE-2025-61884 to its catalog of vulnerabilities known to have been exploited by threat actors.
Oracle had initially disclosed the vulnerability on Oct. 11, though without providing any details about exploitation. CRN has reached out to Oracle for comment.
In the entry into the vulnerabilities catalog about the flaw, CISA confirmed that the server-side request forgery vulnerability affecting E-Business Suite is known to have been utilized in ransomware campaigns.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA wrote in its advisory, requiring federal agencies to implement fixes for the issue by Nov. 10.
While the order only applies to Federal Civilian Executive Branch agencies, CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [such] vulnerabilities as part of their vulnerability management practice,” the agency said.
The flaw has received a severity score of 7.5 out of 10.0, making it a high-severity issue.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle wrote in its advisory Oct. 11. “If successfully exploited, this vulnerability may allow access to sensitive resources.”
Patches are available for the impacted versions of E-Business Suite (versions 12.2.3-12.2.14), Oracle has said.
According to a report from BleepingComputer, the vulnerability is believed to have been exploited in a July cyberattack campaign.
The widespread data extortion campaign targeting Oracle E-Business Suite customers, meanwhile, is believed to have occurred in August, according to BleepingComputer. Those attacks had exploited a critical-severity vulnerability in E-Business Suite tracked as CVE-2025-61882.
That campaign — which involved data theft followed by extortion emails sent to a number of organizations — has been linked to the cybercriminal group Clop by researchers at Google Cloud-owned Mandiant and the Google Threat Intelligence Group.
