Deploy Emergency Patch for Zero-Day Flaw, Hunt for Signs of Intrusion, Warn Experts

Oracle has patched a zero-day vulnerability in Oracle E-Business Suite being exploited in the wild. Security experts are urging all EBS-using organizations to install the update as quickly as possible, following its ongoing exploitation for more than a month.
The critical vulnerability, assigned CVE-2025-61882, has a CVSS score of 9.8, reflecting that it “is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” says Oracle’s security alert, first issued Saturday and subsequently updated. “If successfully exploited, this vulnerability may result in remote code execution.”
Security experts warned that any organization that exposes its Oracle E-Business Suite to the internet is at high risk of already having been compromised. One or more ransomware-wielding groups may have been targeting CVE-2025-61882, together with other previously known and patched, aka n-day, vulnerabilities, since at least August.
The vulnerability exists in the BI Publisher Integration component in the Oracle Concurrent Processing product, is “easily exploitable” and “allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing,” said the U.S. National Vulnerability Database.
The CVE-2025-61882 vulnerability is present in the still-supported versions 12.2.3 to 12.2.14 of Oracle E-Business Suite, and may exist too in older, no-longer-supported versions. “It is likely that earlier versions of affected releases are also affected by these vulnerabilities,” Oracle said. “As a result, Oracle recommends that customers upgrade to supported versions.”
The release of the company’s patch for the zero-day flaw on Saturday came just two days after Oracle Chief Security Officer Rob Duhart told customers that the company suspected attackers were exploiting “previously identified vulnerabilities that are addressed in the July 2025 critical patch update” that victims had not yet patched (see: Oracle Sees No Zero-Day Exploits Tied to Customer Extortion).
After further investigation, Oracle said it suspected not only those flaws but also the zero-day vulnerability has been exploited. “We strongly recommend Oracle E-Business Suite (EBS) customers apply the guidance provided by this Security Alert as soon as possible,” Duhart said in an update to his first assessment.
“Note that the October 2023 Critical Patch Update is a prerequisite for application of the updates in this Security Alert,” Oracle said in its CVE-2025-61882 patch release notes.
Security experts said the vulnerability has been exploited at least by the Clop, aka Cl0p, ransomware group. “Multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle’s July 2025 update as well as one that was patched this weekend – CVE-2025-61882,” said Charles Carmakal, CTO of Google Cloud’s Mandiant incident response group, in a post to LinkedIn.
Since Sept. 29, “Clop has been sending extortion emails to several victims,” Carmakal said. “However, please note they may not have attempted to reach out to all victims yet.”
Security experts report that senior executives at victim organizations have been receiving emails with massive ransom demands, including one for at least $50 million. How many victims may have negotiated down or paid a ransom isn’t yet clear (see: Extortionists Claim Mass Oracle E-Business Suite Data Theft).
“The emails were sent from compromised business email accounts or newly registered accounts but contained authentic contact points with ransomware operators,” as published on Clop’s data-leak site, said threat intelligence firm Resecurity.
Experts recommend not just installing the latest security updates. “Post-compromise, CL0P stages data for extortion or deploys ransomware to disrupt operations,” Resecurity said. “To mitigate this critical threat, organizations should apply the July 2025 patches, disable Java extensions in XSL processing, restrict outbound network traffic and monitor for suspicious HTTP requests or XSL processing errors.”
While CVE-2025-61882 has been a zero-day vulnerability, now that a patch has been released, more attackers will no doubt attempt to compromise it, Mandiant’s Carmakal said. “Given the broad, mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” he said.
Threat intelligence firm watchTowr analyzed a proof-of-concept exploit for CVE-2025-61882 and found that it involves “five distinct bugs orchestrated together to achieve pre-authenticated remote code execution,” suggesting that “whoever first discovered these vulnerabilities and chained them clearly knows Oracle EBS incredibly well,” and may have yet more exploitable flaws up their sleeve.
Oracle has released indicators of compromise tied to the attacks, including IP addresses from which attack attempts have been originating, as well as hashes for files used in attacks. These include an inappropriately titled Zip archive that is being dropped on exploited systems, named oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip. That archive contains two malicious Python scripts and is named for the Scattered Lapsus$ Hunters ransomware collective.
The file hashes are “for a suspected leaked exploit script,” and that “it is currently unknown if the leaked exploit script is viable, and whether it leverages CVE-2025-61882 or an older n-day vulnerability,” said cybersecurity firm Rapid7 in a blog post.
“With the leaking of suspected exploit code, broad exploitation by multiple threat actors is highly likely to begin,” Rapid7 said. Accordingly, it recommended all EBS users “update to the latest version of Oracle E-Business Suite on an emergency basis,” as well as “conduct suitable threat hunting to detect any potential malicious activity” for any internet-connected instances.
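As an added starter script for the compromise assessment that Rapid7, Resecurity and the NCSC call for above (this is not tooling from Oracle, Rapid7 or the NCSC, and it appears nowhere in the original reporting): it applies three of the checks named on this page, matching access-log source addresses against Oracle’s IOC IP list, flagging XSL processing errors in application logs, and sweeping a directory for the named exploit archive or any file whose SHA-256 matches a published hash. Every indicator value, log line and path below is a constructed placeholder, because the real IPs and hashes live in Oracle’s alert and are not reproduced on this page; the combined access-log format and the /OA_HTML/ web root are assumptions about the deployment.

```python
"""Starter compromise-assessment sweep for an Oracle EBS web tier (added example)."""
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# Placeholder indicators (assumption): substitute the IP addresses and SHA-256
# hashes published in Oracle's security alert. SAMPLE_BAD_BYTES stands in for
# the leaked archive so the hash check can be exercised offline.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
SAMPLE_BAD_BYTES = b"PK\x03\x04constructed-sample-archive"
IOC_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}
IOC_FILENAMES = {"oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip"}

# Apache / Oracle HTTP Server combined access-log format (assumption).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Anything mentioning XSL together with an error/exception/failure word.
XSL_ERROR_RE = re.compile(r"XSL.*(error|exception|fail)", re.IGNORECASE)

# Constructed sample logs. /OA_HTML/ is the EBS web root; the paths are invented.
SAMPLE_ACCESS_LOG = """\
10.1.2.3 - - [01/Oct/2025:10:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
203.0.113.10 - - [01/Oct/2025:10:00:07 +0000] "POST /OA_HTML/cp/request HTTP/1.1" 200 612
10.1.2.3 - - [01/Oct/2025:10:00:09 +0000] "GET /OA_HTML/OA.jsp?page=HomePG HTTP/1.1" 200 48211
198.51.100.77 - - [01/Oct/2025:10:01:30 +0000] "POST /OA_HTML/cp/request HTTP/1.1" 500 0
203.0.113.10 - - [01/Oct/2025:10:02:14 +0000] "GET /OA_HTML/cp/output.xml HTTP/1.1" 200 1337
"""
SAMPLE_CP_LOG = """\
2025-10-01T10:00:01Z INFO  Concurrent request 123456 submitted
2025-10-01T10:01:30Z ERROR XSL processing error: template compilation failed, request 123457
2025-10-01T10:01:31Z WARN  oracle.xml.xslt.XSLException raised while rendering request 123457
2025-10-01T10:05:00Z INFO  Concurrent request 123458 completed normally
"""


def parse_access_log(text):
    """Yield one dict per parseable access-log line; others are skipped."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield m.groupdict()

def hunt_access_log(text, ioc_ips=IOC_IPS):
    """Return every request whose source address is on the IOC list."""
    return [rec for rec in parse_access_log(text) if rec["ip"] in ioc_ips]

def hunt_xsl_errors(text):
    """Return application-log lines that look like XSL processing failures."""
    return [ln for ln in text.splitlines() if XSL_ERROR_RE.search(ln)]

def sha256_file(path):
    """Stream a file through SHA-256 (files on an EBS host can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep_files(root, ioc_hashes=IOC_SHA256, ioc_names=IOC_FILENAMES):
    """Report files under root whose name or SHA-256 matches an indicator."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.name in ioc_names:
            hits.append((p.name, "filename matches IOC"))
        elif sha256_file(p) in ioc_hashes:
            hits.append((p.name, "sha256 matches IOC"))
    return hits

def demo_file_sweep():
    """Stage a renamed copy of the archive plus a benign file, then sweep."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "innocuous.dat").write_bytes(SAMPLE_BAD_BYTES)  # caught by hash
        (Path(d) / next(iter(IOC_FILENAMES))).write_bytes(b"other")  # caught by name
        (Path(d) / "benign.txt").write_text("nothing to see")
        return sweep_files(d)

def run_sweep(access_log=SAMPLE_ACCESS_LOG, cp_log=SAMPLE_CP_LOG):
    """Summarise the hunt: requests per IOC address plus XSL error lines."""
    hits = hunt_access_log(access_log)
    return {
        "ioc_ip_hits": dict(Counter(r["ip"] for r in hits)),
        "ioc_requests": [(r["ts"], r["ip"], r["method"], r["path"], r["status"]) for r in hits],
        "xsl_errors": hunt_xsl_errors(cp_log),
    }

if __name__ == "__main__":
    print(run_sweep())
    print(demo_file_sweep())
```

On a real host, feed run_sweep() the OHS access logs and the concurrent-processing logs, point sweep_files() at the application tier's writable directories, and replace the placeholder sets with the values from Oracle's alert. The hash check is deliberately a second test after the filename check, since a renamed copy of the archive defeats the name match but not the hash match, and an attacker-modified copy defeats both, which is why the access-log and XSL-error checks are run alongside it rather than instead of it.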
The apparent exploit code traces to Scattered Lapsus$ Hunters, which early this month on its Telegram channel “publicly released a small exploit bundle and extortion campaign to a wide-running compromise of Oracle E-Business Suite customers.” Rapid7 said the release may be a “dox” of Clop, given that it published not only the exploit code Clop appears to be using against targets, but also threatened to report the rival group to the “RFJ.” This refers to the U.S. State Department’s Rewards for Justice program, which since 2023 has offered a reward of up to $10 million for information that leads to the identification or arrest of Clop members.
“Both collectives seem to be competing with each other, surprising the industry with new massive hacks resulting from large-scale exploitation of vulnerabilities,” Resecurity said (see: Ransomware Group Debuts Salesforce Customer Data Leak Site).
Britain’s national incident response lead, the National Cyber Security Centre, on Monday urged all Oracle E-Business Suite users to perform a “compromise assessment” to see if they’ve already been hacked. If so, report the incident to Oracle’s Product Security Incident Response Team and, if in Britain, also to the NCSC, it said.
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-61882 to its known-exploited vulnerabilities catalog on Monday. CISA set an Oct. 27 deadline for all federal civilian agencies that use the software to either apply the patch or discontinue using Oracle E-Business Suite.