A critical Oracle E-Business Suite zero-day vulnerability has been exploited by the Clop ransomware gang in a wave of data theft attacks, prompting Oracle to issue an emergency patch.
Quick Summary – TLDR:
- CVE-2025-61882 is a severe vulnerability in Oracle EBS with a CVSS score of 9.8, allowing unauthenticated remote code execution.
- The flaw was actively exploited in the wild by the Clop ransomware gang to steal data from several victims.
- Oracle released a patch and shared indicators of compromise (IOCs), confirming the exploitation.
- The exploit was leaked online by a group calling themselves Scattered Lapsus$ Hunters, raising concerns about broader threat actor collaboration.
What Happened?
Oracle confirmed that a critical zero-day vulnerability in its E-Business Suite (EBS), CVE-2025-61882, has been actively exploited in the wild. The vulnerability allows remote attackers to execute arbitrary code without authentication and was used in recent Clop ransomware attacks targeting businesses using Oracle’s platform. Oracle has since issued an emergency patch and urged users to apply updates immediately.
Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks https://t.co/HGuKWrPCYG
— Nicolas Krassas (@Dinosn) October 6, 2025
Vulnerability Details and Immediate Risks
The flaw resides in the Oracle Concurrent Processing component of EBS, specifically in the BI Publisher Integration, and affects versions 12.2.3 through 12.2.14. Oracle rated the bug a 9.8 on the CVSS scale, the highest severity, due to the potential for unauthenticated remote code execution over HTTP.
According to Oracle’s advisory:
Security experts warned that the vulnerability was already being exploited before a patch was available, qualifying it as a true zero-day. Indicators of compromise shared by Oracle include two suspicious IP addresses, bash reverse shell commands, and references to leaked exploit files.
Clop’s Extortion Campaign and the Data Theft
The Clop ransomware group claimed responsibility for exploiting this zero-day to breach Oracle EBS systems and exfiltrate sensitive data. Victim companies reportedly received extortion emails threatening to leak stolen information unless ransoms were paid.
In one such email, Clop stated, “We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.”
Clop’s history includes high-profile zero-day exploits in platforms like Accellion, MOVEit, GoAnywhere, and Cleo. In this case, Clop appears to have worked with or had its exploit shared by a new group dubbed Scattered Lapsus$ Hunters, who published the exploit archive publicly on Telegram.
Exploit Tools and Leak Confirmation
Security researchers confirmed that an exploit archive titled oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip was part of the indicators of compromise listed by Oracle. This archive contained Python scripts (exp.py and server.py) capable of opening reverse shells and executing arbitrary commands on vulnerable EBS instances.
Mandiant CTO Charles Carmakal confirmed the flaw’s exploitation, stating:
He also highlighted that attackers used both previously patched vulnerabilities from Oracle’s July 2025 update and this newly disclosed zero-day.
Oracle’s Response and Mitigation
Oracle moved quickly by releasing a Security Alert Advisory and patching CVE-2025-61882. However, the fix requires that customers have already installed the October 2023 Critical Patch Update.
The company also clarified that while they initially referenced vulnerabilities from the July 2025 Critical Patch Update as possible attack vectors, they have since updated their guidance to focus solely on CVE-2025-61882.
Oracle strongly advises all customers using EBS to:
- Apply the latest patch immediately.
- Review their systems for signs of compromise.
- Monitor network traffic for suspicious activity from the identified IP addresses.
SQ Magazine’s Takeaway
I have to say, this incident is a serious wake-up call for any organization still dragging its feet on applying updates. Oracle EBS is a critical business tool, and vulnerabilities like CVE-2025-61882, especially when exploited before disclosure, pose a massive risk. Clop’s ability to move quickly and use multiple vulnerabilities shows that no delay in patching is acceptable anymore. Even if you patch today, you might already be compromised. So go check your logs, audit your traffic, and don’t assume a fix means you’re in the clear.
