
Oracle Addresses EBS Zero-Day Vulnerability Exploited in Clop Data Breaches

Oracle has issued a critical warning regarding a zero-day vulnerability in its E-Business Suite, identified as CVE-2025-61882. This flaw allows attackers to execute remote code without authentication, posing a significant risk to users.

Details of the Vulnerability

The CVE-2025-61882 vulnerability is tied to the Oracle Concurrent Processing product within the E-Business Suite, specifically the BI Publisher Integration component. This security flaw has a CVSS base score of 9.8, indicating its severity and ease of exploitation. It can be exploited via a network without requiring a username or password.

Oracle’s Response

In response to this threat, Oracle has released an emergency security update. Customers are instructed to install the October 2023 Critical Patch Update prior to applying this new security update to effectively mitigate the vulnerability.

Active Exploitation and Impact

This vulnerability has been linked to data theft activities by the Clop ransomware gang. Charles Carmakal, CTO of Mandiant—Google Cloud, confirmed that this flaw was utilized in attacks that occurred in August 2025. The gang was able to exploit multiple vulnerabilities, including CVE-2025-61882, to steal substantial data from various organizations.

  • Vulnerability ID: CVE-2025-61882
  • CVSS Base Score: 9.8
  • Affected Versions: Oracle E-Business Suite versions 12.2.3 through 12.2.14

Clop’s Extortion Campaign

Recently, reports surfaced about Clop’s latest campaign, which involved sending email threats to numerous companies. These emails claimed that Clop had compromised their Oracle E-Business Suite and threatened to leak sensitive data unless a ransom was paid.

Clop’s emails emphasized their reputation and the extent of their breach, mentioning the theft of critical information and documents. In their communications, Clop made it clear that they had exploited Oracle’s zero-day vulnerability as part of their operations.

Indicators of Compromise

Oracle has shared several indicators of compromise (IoCs) associated with this zero-day exploit. These include:

  • IP addresses correlated with exploit attempts
  • Commands used to open remote shells
  • Files related to the exploit shared on Telegram
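The IoC categories above are only useful once they are turned into a check that runs over real telemetry. The script below is an added example written for this article, not code from Oracle or from the original post: it compares an E-Business Suite version string against the affected range the article names (12.2.3 through 12.2.14) and scans Oracle HTTP Server/Apache-style access-log lines for requests from known-bad addresses. The IP addresses in `IOC_IPS` are placeholders from documentation ranges and the log lines are constructed; a defender would substitute the addresses published in Oracle's CVE-2025-61882 advisory.

```python
"""Defender-side triage helpers for the CVE-2025-61882 advisory.

Added example; not Oracle's code and not taken from the article.
"""
import re
from typing import Iterable

# PLACEHOLDER addresses from RFC 5737 documentation ranges.
# Replace with the IP addresses listed in Oracle's CVE-2025-61882 IoCs.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}

# Affected version range as stated in the article.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Apache/OHS "combined" access-log format: the EBS web tier runs on
# Oracle HTTP Server, which writes logs in this shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """Turn '12.2.10' into (12, 2, 10) so ranges compare numerically."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EBS version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the installed EBS release falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_access_log(lines: Iterable[str]) -> list:
    """Return one record per request whose source IP is in IOC_IPS.

    Lines that do not match the combined format are skipped rather than
    treated as errors, so a partially corrupted log still yields hits.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["ip"] in IOC_IPS:
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return hits


# Constructed sample log: two requests from placeholder IoC addresses,
# one benign internal request, and one malformed line.
SAMPLE_LOG = [
    '198.51.100.23 - - [05/Oct/2025:10:11:12 +0000] "POST /example/ebs/report HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [05/Oct/2025:10:12:01 +0000] "GET /example/ebs/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [05/Oct/2025:10:13:45 +0000] "GET /example/ebs/status HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    'this line is not in combined log format',
]


if __name__ == "__main__":
    installed = "12.2.10"  # constructed value for the demonstration
    print(f"EBS {installed} affected: {is_affected(installed)}")
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"IoC match: {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} at {hit['timestamp']}")
```

Matching on source address alone is a coarse first pass; the advisory's other IoC classes (the commands used to open remote shells and the leaked exploit files) belong in endpoint and file-hash detections rather than a web-log scan, and a clean result here does not establish that a host in the affected range was not exploited.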

Leaked Exploit Files

The zero-day vulnerability was first highlighted by a different group known as the “Scattered Lapsus$ Hunters.” This group leaked files pertaining to the exploit and indicated a connection to the vulnerabilities utilized by Clop.

Among the leaked materials was an archive titled “ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip,” which contained scripts for exploiting vulnerable Oracle E-Business Suite instances. This archive has been confirmed to align with Oracle’s identified IoCs.

The rise of exploit sharing among these groups raises questions about potential collaborations between them, and how access to sensitive exploits was achieved. For organizations using Oracle’s products, it is crucial to act promptly to secure their systems against this significant vulnerability.
