Lawrence Abrams reports:
Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group.
The flaw was addressed with an out-of-band security update released over the weekend, which Oracle said could be used to access “sensitive resources.”
“This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite,” reads Oracle’s advisory.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources.”
However, Oracle did not disclose that the flaw was actively exploited in attacks or that a public exploit had been released.
Read more at Bleeping Computer.