Oracle's Silent Security Update Targets Critical Zero-Day Flaw Amid Active Exploits
October 14, 2025
Oracle has quietly issued an out-of-band security update for a critical zero-day vulnerability, CVE-2025-61884, in Oracle E-Business Suite. The flaw was being actively exploited, and a public exploit for it was leaked by the ShinyHunters extortion group.
The vulnerability is a pre-authentication Server-Side Request Forgery (SSRF): a remote attacker can use it to reach sensitive resources without authenticating, which makes it a significant threat.
Multiple security firms confirmed that the leaked exploit targets the '/configurator/UiServlet' endpoint and can be used for remote code execution; some evidence points to other exploit chains targeting endpoints such as '/OA_HTML/SyncServlet'.
The patch Oracle released on October 4, 2025, addressed CVE-2025-61882, which was tied to earlier exploitation, but did not fix the SSRF component used by ShinyHunters, now tracked as CVE-2025-61884.
Oracle initially did not disclose that the vulnerability was being actively exploited or that a public exploit existed, which raised concerns within the cybersecurity community.
Testing after the latest update indicates that Oracle has neutralised the SSRF component of the leaked exploit by validating the 'return_url' parameter and blocking malicious input, though some researchers note that the SSRF still appears to work against systems that have not yet installed the update.
The picture is further complicated by Oracle's limited disclosure about active exploitation and by mismatched Indicators of Compromise (IOCs), leaving open questions about the true scope of the vulnerabilities.
Experts recommend that Oracle E-Business Suite customers install the latest patches and add compensating controls, such as mod_security rules, until the vulnerabilities and exploits are better understood.
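The summary above describes two defensive measures: Oracle's fix, which validates the 'return_url' parameter sent to '/configurator/UiServlet', and the interim advice to add web-server rules and watch for exploitation attempts. The following is an added example written for this page, not code from BleepingComputer, Oracle, or the researchers cited. It shows a generic allowlist check for a redirect-style parameter (the kind of input validation a WAF rule or patch would enforce; it is an assumption about the category of fix, not Oracle's actual logic) and a scan of Apache-style access log lines for requests to the two endpoints named in the article that carry a 'return_url' value such a check rejects. The endpoint paths and parameter name come from the article; the log lines, IP addresses and hostnames are constructed for illustration.

```python
"""Added example (not from the article, Oracle, or any named researcher).

Two pieces: a strict allowlist for a 'return_url'-style parameter, and a
scan over constructed access-log lines that flags requests to the endpoints
the article names whose 'return_url' the allowlist would reject.
"""

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints named in the article as targets of the leaked exploit chains.
WATCHED_PATHS = ("/configurator/UiServlet", "/OA_HTML/SyncServlet")


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so a double-encoded '//' or CRLF
    cannot slip past a single-pass check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def return_url_is_safe(value: str) -> bool:
    """Allow only a same-origin relative path.

    Rejects absolute URLs (scheme and/or authority present), protocol-relative
    '//host' forms, backslashes (browser-normalised to '/'), and CR/LF (header
    injection). This is a generic allowlist, assumed here as the shape of a
    fix for an SSRF/open-redirect parameter; it is not Oracle's patch logic.
    """
    decoded = _fully_decode(value)
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False
    if any(ch in decoded for ch in "\\\r\n"):
        return False
    parts = urlsplit(decoded)
    return parts.scheme == "" and parts.netloc == ""


# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target: str):
    """Return a reason string when the request target looks like an attempt
    against a watched endpoint, otherwise None."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("return_url", []):
        if not return_url_is_safe(value):
            return f"return_url rejected by allowlist: {value!r}"
    if parts.path == "/OA_HTML/SyncServlet":
        # Legitimate clients hit this too; surface it for review rather than
        # treating every request as malicious.
        return "request to /OA_HTML/SyncServlet (review against known clients)"
    return None


def scan_access_log(lines):
    """Parse access-log lines and collect findings for watched endpoints."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["target"])
        if reason:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": urlsplit(m["target"]).path,
                "reason": reason,
            })
    return findings


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2025:03:14:07 +0000] "GET /configurator/UiServlet?return_url=http://203.0.113.10/ HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Oct/2025:03:14:09 +0000] "GET /configurator/UiServlet?return_url=/x%0d%0aX-Injected:%201 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2025:03:15:00 +0000] "GET /configurator/UiServlet?return_url=/OA_HTML/RF.jsp HTTP/1.1" 200 2048',
    '203.0.113.10 - - [10/Oct/2025:03:16:30 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 300',
    '10.0.0.6 - - [10/Oct/2025:03:17:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']}: {f['reason']}")
```

Run against the constructed sample, the scan reports the external-host and CRLF 'return_url' values from 203.0.113.10 and surfaces the SyncServlet request for review, while the relative-path request and the login hit are left alone. In production the same allowlist can be expressed as a mod_security rule on the request arguments, and the log scan is a cheap retrospective check for attempts that predate the update.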
Summary based on 1 source
Source

BleepingComputer • Oct 14, 2025
Oracle silently fixes zero-day exploit leaked by ShinyHunters