Oracle E-Business Suite Zero-Day Vulnerability (CVE-2025-61882)

THE THREAT

On October 4th, 2025 Oracle released a security advisory addressing a critical, zero-day vulnerability impacted its E-Business Suite (EBS), identified during their investigation into the recently disclosed extortion campaign targeting EBS customers. CVE-2025-61882 (CVSS: 9.8) resides within the Oracle Concurrent Processing component's BI Publisher Integration in the EBS. It allows an unauthenticated attacker with network access via HTTP to potentially compromise the Concurrent Processing product. If successfully exploited, this flaw could enable an attacker to gain complete control over the product, thereby facilitating Remote Code Execution (RCE).

Oracle released the advisory following Google Threat Intelligence Group's (GTIG) disclosure about an extortion email campaign likely tied to the CLOP (aka Cl0p, FIN11, TA505) data theft and extortion group. Although the CLOP threat actor group is suspected to be responsible for the campaign, claims have emerged from another group known as the Scattered LAPSUS$ Hunters group. They shared the Proof-of-Concept (PoC) exploit code publicly on Telegram, stating their exploit code was leaked and sold to CLOP.

Given the active exploitation of CVE-2025-61882, involvement of a well-known extortion threat group, and public availability of the PoC exploit code, it is critical that organizations apply the relevant security patches immediately and upgrade to Oracle EBS's latest secure version.

What we're doing about it

• eSentire's Managed Vulnerability Service (MVS) will soon have plugins to identify devices vulnerable to CVE-2025-61882
• eSentire Threat Response Unit (TRU) is conducting threat hunting using the provided Indicators of Compromise (IoCs)
• eSentire MDR for Network has detections in place to identify CVE-2025-61882 exploitation activity
• eSentire's Threat Response Unit (TRU) is actively tracking this topic for additional detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches released by Oracle to mitigate CVE-2025-61882
  • According to Oracle's advisory, installation of October 2023 Critical Patch Update is a prerequisite for application of the security updates

Additional information

Researchers from GTIG identified a "high-volume extortion campaign," observing extortion emails dated around September 29th, 2025. These emails, which were sent to executives from various organizations, alleged that the threat actor had breached their Oracle EBS systems and exfiltrated sensitive data. GTIG uncovered connections between the extortion campaign and the CLOP threat actor group. This group is well-known for conducting extortion campaigns by leveraging compromised email accounts. At least one email address associated with the group was identified from the observed extortion note.

Shortly after GTIG's update, Oracle verified the legitimacy of the extortion campaign, indicating that vulnerabilities from their July patch release had been exploited. However, the specific vulnerabilities involved were not disclosed. On October 4th, 2025, Oracle disclosed that CVE-2025-61882 had been exploited in the extortion campaign and released patches for the vulnerability. The flaw is classified as a low attack complexity vulnerability that does not require any user interaction, meaning it can easily be exploited remotely without the need for authentication. Oracle's advisory also provides a list of IoCs that were observed during the investigation into the extortion campaign.

Google Mandiant's Chief Technology Officer, Charles Carmakal stated that the CLOP group exploited vulnerabilities in Oracle EBS in August 2025. These vulnerabilities include the ones patched in July 2025 as well as CVE-2025-61882. Although no confirmation around exploited vulnerabilities from the July patch release has been provided, among the disclosed vulnerabilities there are three that can be exploited remotely, CVE-2025-30745, CVE-2025-30746, and CVE-2025-50107.

Despite the Scattered LAPSUS$ Hunters group's claims that the CLOP group stole their exploit, there is concern that the two groups might be collaborating to execute a widespread extortion campaign. The Scattered LAPSUS$ Hunters group has indicated their intention to target Oracle EBS with another exploit, which they claim to be a "better chained version that exploits EBS".

As the PoC exploit code for CVE-2025-61882 is publicly available, it is highly likely that other threat actors will target the vulnerable instances in the near future. Given the criticality of CVE-2025-61882, the widespread scope of the extortion campaign, and publicly available PoC exploit code, it is recommended that the organizations patch the flaw and other potentially exploited vulnerabilities to mitigate the risk of exploitation. Organizations that have received the extortion emails are encouraged to investigate potential breaches, report extortion attempts to law enforcement, and avoid paying ransom demands, as payment does not guarantee that threat actors will delete stolen data.

Impacted Versions List:

• Oracle E-Business Suite versions 12.2.3-12.2.14

References:

[1] https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-61882
[3] https://www.cyber.gc.ca/en/guidance/profile-ta505-cl0p-ransomware
[4] https://www.resecurity.com/blog/article/trinity-of-chaos-the-lapsus-shinyhunters-and-scattered-spider-alliance-embarks-on-global-cybercrime-spree
[5] https://www.linkedin.com/posts/austin-larsen_threatintelligence-cybersecurity-clop-activity-7379316941762727936-h8sR/
[6] https://www.linkedin.com/feed/update/urn:li:activity:7379498157208027136/
[7] https://nvd.nist.gov/vuln/detail/CVE-2025-30745
[8] https://nvd.nist.gov/vuln/detail/CVE-2025-30746
[9] https://nvd.nist.gov/vuln/detail/CVE-2025-50107