The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Oracle's E-Business Suite to its Known Exploited Vulnerabilities catalog, confirming it is being actively exploited in attacks. The flaw, identified as CVE-2025-61884, is a server-side request forgery (SSRF) issue in the Oracle Configurator component that can be exploited by a remote attacker without authentication to access sensitive data. This vulnerability poses a significant threat to organizations that use the widely deployed E-Business Suite. The active exploitation of this flaw could allow attackers to bypass network controls and access internal services, leading to potential data exfiltration and deeper network penetration. Following the confirmation of active exploitation, CISA has mandated that federal agencies must apply Oracle's security patches or implement mitigations by November 10, 2025.