CISA has confirmed that an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.
BleepingComputer previously reported that CVE-2025-61884 is an unauthenticated server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, which was linked to a leaked exploit used in July attacks.
The US cybersecurity agency is now requiring federal agencies to patch the security vulnerability by November 10, 2025.
