├── CVE-2025-61884.yaml
├── CVE-2025-61884.py
└── README.md

/CVE-2025-61884.yaml:
--------------------------------------------------------------------------------
id: CVE-2025-61884

info:
  name: Detection for CVE-2025-61884
  author: Blackash
  severity: high
  description: |
    This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-61884
  metadata:
    shodan-query: html:"OA_HTML"
  tags: detect,oracle,ebusiness-suite

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    extractors:
      # Surface the Last-Modified header of the home page in the scan output.
      - type: dsl
        name: last_modified_date
        dsl:
          - last_modified

      # Convert the RFC 1123 header value to Unix time for the comparison below.
      - type: dsl
        name: date_unix
        internal: true
        dsl:
          - 'to_unix_time(last_modified, "Mon, 02 Jan 2006 15:04:05 MST")'

    matchers-condition: and
    matchers:
      # The landing page must identify itself as Oracle E-Business Suite.
      - type: word
        words:
          - "E-Business Suite Home Page"
        part: body

      # Heuristic: 1760198400 is 11 October 2025 UTC, the release date of
      # Oracle's Security Alert for this CVE. A home page last modified before
      # that date is flagged as a candidate; it does not prove the patch is missing.
      - type: dsl
        dsl:
          - compare_versions(date_unix, "< 1760198400")

      - type: status
        status:
          - 200
--------------------------------------------------------------------------------
/CVE-2025-61884.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
"""
Educational PoC for CVE-2025-61884: Oracle E-Business Suite Configurator Runtime UI Information Disclosure.
- Detects vulnerable endpoint exposure via a benign HTTP request.
- For authorized testing only. Do not use on systems you are not authorized to test.
- References: Oracle Security Alert, watchTowr Labs analysis.
"""

import argparse
import sys
from urllib.parse import urljoin

import requests


def check_vulnerability(target_url):
    """
    Sends a detection request to the vulnerable endpoint.
    Returns True if potentially vulnerable (200 OK with UI indicators).
    """
    # Vulnerable endpoint and benign parameter (safe for demo; no SSRF payload)
    endpoint = urljoin(target_url, "/OA_HTML/configurator/UiServlet")
    params = {
        'return_url': '/'  # Minimal, non-harmful redirect; tests validation bypass without targeting internals
    }

    headers = {
        'User-Agent': 'Mozilla/5.0 (Educational PoC Tester)',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }

    try:
        print(f"[+] Testing endpoint: {endpoint}")
        response = requests.get(endpoint, params=params, headers=headers, timeout=10, verify=True)

        print(f"[+] Response Status: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)} bytes")
        print(f"[+] Response Snippet: {response.text[:200]}...")  # Truncated on purpose; no full dump

        # Basic indicators of vulnerability (non-error + UI elements)
        if response.status_code == 200 and 'Configurator' in response.text:
            print("[!] POTENTIALLY VULNERABLE: Endpoint exposed without auth. Apply Oracle patch immediately!")
            return True
        elif response.status_code in (403, 404):
            print("[-] Not vulnerable or endpoint protected/blocked.")
            return False
        else:
            print("[?] Unexpected response; manual review recommended.")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


def main():
    parser = argparse.ArgumentParser(description="Educational PoC for CVE-2025-61884")
    parser.add_argument("--target", required=True, help="Target EBS URL (e.g., https://example.com)")
    args = parser.parse_args()

    print("=== CVE-2025-61884 Educational PoC ===")
    print("WARNING: For lab/testing use only. Patch after testing.\n")

    vulnerable = check_vulnerability(args.target)

    if vulnerable:
        print("\n[INFO] Next Steps:\n- Download patch from Oracle Support.\n- Monitor logs for /UiServlet accesses.\n- Consider WAF rules blocking unauth requests to Configurator.")
    else:
        print("\n[INFO] Target appears safe, but verify with full scan.")

    # Non-zero exit when a potentially vulnerable target was found, so the check can be scripted.
    sys.exit(1 if vulnerable else 0)


if __name__ == "__main__":
    main()
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# **CVE-2025-61884 New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login 💀**

## CVE-2025-61884 — Complete summary 🧾💥

| Field | Details |
| --- | --- |
| **Identifier** | CVE-2025-61884 |
| **Product** | Oracle E-Business Suite — **Oracle Configurator (Runtime UI)** |
| **Affected versions** | 12.2.3 → 12.2.14 |
| **Attack vector** | Network (HTTP) — **unauthenticated** access |
| **Impact** | Confidentiality (unauthorized data disclosure) |
| **CVSSv3.1 Base Score** | **7.5 (High)** — `AV:N/AC:L/PR:N/UI:N/C:H/I:N/A:N` |
| **Exploit complexity** | Low / easily exploitable (no authentication required) |
| **Vendor status** | Security alert published; vendor patches/updates available |
| **Public exploit status** | Detection templates and scanning rules published; widely accessible weaponized exploit code not broadly confirmed (but risk is high because no authentication is needed) |

---

## Plain-English description 🧠✨

An unauthenticated remote attacker who can reach the Oracle Configurator **Runtime UI** over HTTP can craft requests that cause the UI to return configuration and business data that should be 
protected. No user credentials are required to trigger the disclosure, so any network-accessible instance of the vulnerable component can be probed and its data potentially exfiltrated.

---

## What can be exposed 🔓

* Configuration models and metadata served by the Configurator UI
* Business configuration information (may include sensitive business logic, mappings, or identifiers)
* Potentially other UI-exposed data, depending on the deployment and what the Configurator is configured to serve

Note: public descriptions classify the primary impact as *confidentiality/data disclosure*. There are no confirmed public reports of remote code execution (RCE) or data modification tied specifically to this CVE at the time of this summary, but the data exposure alone is serious.

---

## How attackers detect & exploit it 🕵️‍♂️

* **Automated scanners / templates:** Community scanners and templates identify Oracle EBS/Configurator endpoints and probe known vulnerable UI paths.
* **Simple HTTP probes:** Because no authentication is required, attackers can use straightforward GET/POST requests to enumerate and retrieve data.
* **Mass scanning risk:** Internet-facing EBS instances are at higher immediate risk because automated scans can quickly find vulnerable endpoints.

Running the PoC without `--target` prints the argparse usage:

```text
usage: -c [-h] --target TARGET
-c: error: the following arguments are required: --target
```

**How to Test (Educational Steps)**

1. Set up a safe lab: use a VM with a vulnerable EBS 12.2.3-12.2.14 (e.g., via Oracle's demo images; never on real data).
2. Run the PoC (no root privileges are needed): `python3 CVE-2025-61884.py --target https://your-lab-server.com`

   + Expected vulnerable output: status 200, snippet showing Configurator UI elements.
   + Post-patch: should return 403 or redirect safely.

3. 
Observe & learn:

   + Use tools like Burp Suite to intercept and modify the `return_url` parameter (e.g., to `http://internal-resource` for an SSRF demo, but only in the lab).
   + Review response headers and body for data-leakage indicators.

4. Mitigation demo: after running, apply Oracle's one-off patch and re-test to see the fix in action.

---

## Proof-of-concept / public code status ⚠️

* Publicly shared detection templates and scanner rules exist (used to detect presence and exposure).
* The nuclei template in this repository is a presence/heuristic check: it matches the EBS home page and compares its `Last-Modified` header against the date encoded in the template (Unix time 1760198400, 11 October 2025 UTC, the release date of Oracle's Security Alert for this CVE). A home page last modified before that date is a candidate for follow-up, not proof that the patch is missing.
* Fully weaponized, widely adopted exploit scripts for remote takeover have not been broadly confirmed in authoritative exploit repositories as of this summary, but the low complexity and unauthenticated access make exploitation trivial for determined attackers.

---

## Detection & indicators to hunt for 🔎

| Type | What to look for |
| --- | --- |
| **Network** | Unexpected unauthenticated HTTP requests to Configurator Runtime UI endpoints from external IPs |
| **Server logs** | Requests returning configuration pages or large dumps of configuration data without prior authentication tokens |
| **Scanning evidence** | Repeated probing patterns typical of automated scanners (sequential requests for UI pages, identical user agents, rapid scanning) |
| **Scanner output** | Nuclei / other detection tool results that flag the presence of EBS Configurator UI responses |

---

## Mitigation & remediation (actionable) 🛠️

**Immediate (highest priority)**

1. **Apply the vendor patch** for CVE-2025-61884 to affected EBS installations as soon as possible. Patching is the definitive remediation.

**If you cannot patch immediately**

2. 
**Block network access** to the Oracle Configurator Runtime UI from untrusted networks: use firewalls, ACLs, or network segmentation to restrict access to trusted admin IPs or VPN-only.
3. **Put the endpoint behind a WAF** and add rules to drop or challenge suspicious unauthenticated requests to Configurator UI paths.
4. **Disable the Runtime UI** if it is not required in your environment, or remove/uninstall the Configurator component where feasible.

**Monitoring & validation**

5. **Scan** your perimeter and DMZ with updated detection templates to identify exposed endpoints.
6. **Increase logging & alerting** on EBS web endpoints; hunt for past unauthenticated accesses and large data responses.
7. **Re-scan after patching** to validate remediation and review logs for activity in the vulnerable window.

**Post-incident precautions**

8. **Rotate any credentials or secrets** that may have been stored in exposed configuration items, out of an abundance of caution.
9. **Document findings** and follow your incident response playbook if any data exposure is confirmed.

---

## Quick playbook (one-page checklist) ✅

* [ ] Apply the vendor patch for CVE-2025-61884 to affected hosts
* [ ] Immediately block HTTP access to the Configurator Runtime UI from untrusted networks
* [ ] Deploy WAF/ACL/VPN protection for the UI endpoint
* [ ] Run updated automated scans across public IPs and internal networks
* [ ] Review logs for unauthenticated data responses; escalate if suspicious
* [ ] After patching, re-scan and confirm no exposed endpoints remain
* [ ] Rotate secrets in exposed configs as a precaution
* [ ] Notify stakeholders and prepare communications if exposure is confirmed

---

## Risk assessment — business impact ⚖️

* Oracle E-Business Suite commonly stores or exposes sensitive business and financial configuration. 
Unauthorized disclosure can reveal business logic, configuration that enables lateral movement, or data that aids fraud or industrial espionage. Because the vector requires no credentials, the chance of discovery by attackers is high: treat internet-reachable instances as critical.
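The indicators in the detection table above can be turned into a log hunt. Below is an added example written for this summary; it is not code from this repository, from Oracle, or from watchTowr. It parses Combined Log Format access-log records (the sample lines are constructed), records every request to the Configurator Runtime UI path, treats a 2xx reply with a large body as a disclosure candidate, and flags a source IP as scanner-like when it bursts requests to the UI. The `/OA_HTML/configurator/` prefix, the thresholds, and the log format are assumptions.

```python
#!/usr/bin/env python3
"""
Added example for the detection table in this README; not code from this
repository or from Oracle. Hunts an Apache/OHS-style access log for the
listed indicators.

Assumptions (not stated on the page):
  - The web tier logs in Combined Log Format.
  - Configurator Runtime UI requests live under /OA_HTML/configurator/.
  - A 2xx reply with a large body to such a path is a disclosure candidate.
  - The sample log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

CONFIGURATOR_PATH_RE = re.compile(r"^/OA_HTML/configurator/", re.IGNORECASE)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Thresholds are assumptions; tune them to the environment's baseline.
SCAN_WINDOW_SECONDS = 60       # burst window for the scanner heuristic
SCAN_MIN_REQUESTS = 5          # UI requests inside the window that count as a burst
LARGE_RESPONSE_BYTES = 50_000  # "large dump" threshold for a 2xx reply

# Constructed sample: one scanner-like source with a large 200, one blocked
# probe, one unrelated login-page hit, and one malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:09:14:01 +0000] "GET /OA_HTML/configurator/UiServlet?return_url=/ HTTP/1.1" 200 74213 "-" "Mozilla/5.0 (Educational PoC Tester)"
203.0.113.7 - - [12/Oct/2025:09:14:02 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Educational PoC Tester)"
203.0.113.7 - - [12/Oct/2025:09:14:03 +0000] "GET /OA_HTML/configurator/UiServlet?return_url=/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Educational PoC Tester)"
203.0.113.7 - - [12/Oct/2025:09:14:05 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 611 "-" "Mozilla/5.0 (Educational PoC Tester)"
203.0.113.7 - - [12/Oct/2025:09:14:08 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 200 498 "-" "Mozilla/5.0 (Educational PoC Tester)"
198.51.100.4 - - [12/Oct/2025:10:02:17 +0000] "GET /OA_HTML/configurator/UiServlet HTTP/1.1" 403 199 "-" "curl/8.5.0"
192.0.2.9 - - [12/Oct/2025:10:05:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
this line is not an access log record
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one Combined Log Format record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before path matching
    return rec


def is_burst(recs: List[dict]) -> bool:
    """True if at least SCAN_MIN_REQUESTS records (sorted by time) fall inside one window."""
    times = [r["ts"] for r in recs]
    start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > SCAN_WINDOW_SECONDS:
            start += 1
        if end - start + 1 >= SCAN_MIN_REQUESTS:
            return True
    return False


def hunt(lines: List[str]) -> Dict[str, list]:
    """Group Configurator UI requests per source IP and apply the README's indicators."""
    per_ip: Dict[str, list] = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec and CONFIGURATOR_PATH_RE.match(rec["path"]):
            per_ip[rec["ip"]].append(rec)

    findings: Dict[str, list] = {"configurator_hits": [], "disclosure_candidates": [], "scanners": []}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for r in recs:
            # Network indicator: any request to the Runtime UI path.
            findings["configurator_hits"].append((ip, r["method"], r["path"], r["status"]))
            # Server-log indicator: a successful reply carrying a large body.
            if 200 <= r["status"] < 300 and r["bytes"] >= LARGE_RESPONSE_BYTES:
                findings["disclosure_candidates"].append((ip, r["path"], r["bytes"]))
        # Scanning indicator: a burst of UI requests inside a short window.
        if is_burst(recs):
            findings["scanners"].append(ip)
    return findings


if __name__ == "__main__":
    for kind, items in hunt(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}: {items}")
```

Run it over a real web-tier log with `hunt(open(path).read().splitlines())`. The `configurator_hits` list is the raw evidence to review; the other two lists are the prioritised leads, and both thresholds should be set from your own traffic baseline before alerting on them.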