Oracle E-Business Suite Zero-Day Exploited for Remote Code Execution and Data Theft
Oracle E-Business Suite (EBS) was found to contain a critical zero-day vulnerability, tracked as CVE-2025-61884 and CVE-2025-61882, which allowed unauthenticated remote code execution and was actively exploited by threat actors, including the Clop ransomware group. The vulnerability, present in EBS versions 12.2.3 through 12.2.14, enabled attackers to access sensitive resources without authentication by exploiting a pre-authentication Server-Side Request Forgery (SSRF) flaw. Oracle released an out-of-band security update to address the issue, but did so without publicly acknowledging that the flaw was being actively exploited or that a proof-of-concept exploit had been leaked by the ShinyHunters extortion group. Security researchers and customers confirmed that the patch addressed the SSRF vulnerability used in the attacks. The exploit chain was complex, involving an unauthenticated HTTP POST to a specific servlet, manipulation of return_url parameters to trigger SSRF, CRLF/header injection, HTTP connection reuse, and ultimately the delivery of a malicious XSL stylesheet. This XSLT payload, containing embedded Java code, was processed by the server, leading to arbitrary code execution and the potential for attackers to spawn reverse shells. The Clop ransomware group sent extortion emails to Oracle EBS customers, claiming to have stolen sensitive data by exploiting this flaw, and confirmed their involvement in the campaign. The attack campaign was detected by Mandiant and Google, who observed that multiple threat actors were leveraging the vulnerability for data theft and extortion. The exploit chain demonstrated the risk of chaining multiple weaknesses in enterprise software to achieve full remote code execution. Security vendors, such as Imperva, responded by confirming protection for their customers against this exploit. The incident highlighted Oracle's lack of transparency regarding active exploitation and the public availability of exploit code. The technical details of the exploit, including SSRF, CRLF injection, and XSLT-based code execution, underscored the sophistication of the attack. The vulnerability's exploitation in the wild emphasized the importance of rapid patching and monitoring for signs of compromise in Oracle EBS environments. The campaign also illustrated the ongoing threat posed by ransomware and extortion groups targeting critical business applications. Organizations using Oracle EBS were urged to apply the security update immediately and review their systems for indicators of compromise. The incident raised concerns about the security of widely used enterprise resource planning (ERP) platforms and the need for proactive vulnerability management.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Envoy Air confirms Oracle EBS data compromise
Envoy Air, an American Airlines subsidiary, confirmed a data compromise involving its Oracle E-Business Suite application after Clop listed American Airlines on its leak site. The company said some business information and commercial contact details were exposed, but no sensitive or customer data was affected.
AlphaHunt links CL0P/FIN11 to in-memory Oracle EBS intrusions
AlphaHunt published technical analysis describing CL0P/FIN11 tradecraft in Oracle E-Business Suite compromises, including in-memory execution and delayed extortion. The report added technical detail to how the campaign operated.
Imperva says customers were protected against Oracle EBS zero-day RCE
Imperva published analysis stating its customers were protected against the critical Oracle E-Business Suite zero-day remote code execution flaw tracked as CVE-2025-61882. The post publicly documented defensive coverage for the vulnerability.
Oracle silently patches exploited Oracle EBS vulnerabilities
Oracle released fixes for the exploited Oracle E-Business Suite zero-days, including CVE-2025-61882 and CVE-2025-61884, without a prominent public disclosure. Later reporting described the fixes as addressing exploits tied to the Clop campaign and a leaked exploit associated with ShinyHunters/Shiny Lapsus$ Hunters.
Clop exploits Oracle E-Business Suite zero-days in attacks
Security firms CrowdStrike and Mandiant confirmed that the Clop/FIN11 threat actor was exploiting Oracle E-Business Suite zero-day vulnerabilities, including CVE-2025-61882, in a broader data-theft and extortion campaign. The activity was identified in early August 2025 and affected dozens of organizations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
American Airlines subsidiary Envoy confirms Oracle data theft attack
bleepingcomputer.com
Open sourceOracle silently fixes zero-day exploit leaked by ShinyHunters
databreaches.net
Open sourceCL0P/FIN11 Go In-Memory on Oracle EBS — The Extortion Comes Later
blog.alphahunt.io
Open sourceOracles silently fixes zero-day exploit leaked by ShinyHunters
bleepingcomputer.com
Open sourceOracle silently fixes zero-day exploit leaked by ShinyHunters
bleepingcomputer.com
Open sourceCVE-2025-61882: Imperva Customers Protected Against Critical Oracle EBS Zero-Day RCE
imperva.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Remote Code Execution Vulnerability in Oracle E-Business Suite Exploited by Clop Ransomware
Oracle E-Business Suite (EBS) was found to contain a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-61882, which has been actively exploited in the wild. The flaw resides in the Oracle Concurrent Processing component, specifically within the BI Publisher Integration, and carries a CVSS base score of 9.8 due to its unauthenticated and easily exploitable nature. Attackers can leverage this vulnerability to execute arbitrary code remotely without requiring valid credentials, posing a severe risk to organizations running affected EBS versions. Oracle confirmed that versions 12.2.3 through 12.2.14 are impacted by this vulnerability. The company released an emergency security update to address the issue, but customers must first apply the October 2023 Critical Patch Update before deploying the new fix. The vulnerability was exploited by the Clop ransomware group in a series of data theft attacks in August 2025, resulting in significant data exfiltration from multiple victims. Mandiant's CTO, Charles Carmakal, confirmed that Clop leveraged both this zero-day and other previously patched vulnerabilities in their campaign. Oracle's advisory included indicators of compromise that matched exploit details shared by threat actors on Telegram, highlighting the public availability of exploit information. The exploitation of this flaw underscores the importance of timely patch management, especially for business-critical applications like Oracle EBS. Oracle has urged all customers to prioritize the application of the latest patches to mitigate the risk of further exploitation. The incident demonstrates the increasing trend of ransomware groups targeting enterprise software vulnerabilities for large-scale data theft. Security researchers have emphasized the need for organizations to monitor for signs of compromise and to review their EBS deployments for unauthorized activity. The rapid release of a security alert and patch by Oracle reflects the urgency and severity of the threat posed by CVE-2025-61882. Organizations are advised to follow Oracle's remediation guidance closely and to remain vigilant for related threat activity. The incident has raised concerns about the security posture of widely used ERP platforms and the potential for future exploitation of similar vulnerabilities. The Clop attacks serve as a reminder that threat actors are adept at chaining multiple vulnerabilities to maximize impact. This event highlights the criticality of maintaining up-to-date security controls and monitoring for exploitation attempts targeting high-value enterprise systems.
Mar 21, 2026
Oracle E-Business Suite Zero-Day Exploitation and Emergency Patching
Oracle E-Business Suite (EBS) has been the target of a sophisticated cyberattack campaign exploiting multiple zero-day vulnerabilities, resulting in significant data breaches and prompting an urgent security response. According to reports, dozens of organizations have been impacted by the exploitation of a critical flaw in Oracle EBS, tracked as CVE-2025-61882, which has been actively used by threat actors since at least August 2025. The attackers leveraged a chain of vulnerabilities, including CVE-2025-61882 and a newly disclosed CVE-2025-61884, to gain unauthorized access to sensitive data and deploy various malware payloads such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. The Clop ransomware group has been linked to these attacks, using the vulnerabilities to breach networks, exfiltrate data, and extort victims. Oracle responded by releasing an emergency patch for CVE-2025-61884, which affects EBS versions 12.2.3 to 12.2.14, warning that the flaw could be exploited remotely by unauthenticated attackers to steal sensitive information. Security researchers from CrowdStrike observed that Clop had been exploiting CVE-2025-61882 as a zero-day since early August, and other threat groups may have joined the campaign. The vulnerabilities allow attackers to achieve remote code execution and information disclosure, posing a severe risk to organizations running affected EBS versions. Oracle strongly advised customers to apply the emergency updates or mitigations immediately to prevent further exploitation. The attacks have resulted in the exfiltration of large volumes of sensitive data, including financial documents, employee IDs, contracts, and internal reports, with some organizations facing significant operational disruptions and potential financial losses. The campaign demonstrates the increasing sophistication of ransomware and extortion groups, who are now chaining multiple vulnerabilities and targeting widely used enterprise platforms. Security experts have emphasized the importance of timely patching, robust monitoring, and incident response planning to mitigate the risks associated with zero-day exploitation. The incident also highlights the need for organizations to review their exposure to third-party software vulnerabilities and strengthen their supply chain security posture. Oracle's rapid release of emergency patches underscores the critical nature of the threat and the ongoing arms race between software vendors and cybercriminals. The exploitation of Oracle EBS zero-days is part of a broader trend of attackers targeting business-critical applications to maximize impact and leverage for extortion. Organizations are urged to remain vigilant, monitor for signs of compromise, and ensure that all security updates are applied without delay. The incident serves as a stark reminder of the persistent threat posed by advanced cybercriminal groups and the necessity of proactive cybersecurity measures in the face of evolving attack techniques.
Mar 21, 2026
Oracle E-Business Suite Zero-Day Exploited by Cl0p in Mass Extortion Campaign
Cl0p ransomware operators launched a widespread extortion campaign targeting Oracle E-Business Suite (EBS) customers by exploiting a previously unknown zero-day vulnerability, later assigned CVE-2024-61882. The campaign began as early as July or August, with Google's threat intelligence team tracking the exploitation weeks before Oracle became aware of the issue. Attackers leveraged the vulnerability to gain unauthorized access to EBS environments, deploying sophisticated multi-stage Java-based implants such as GOLDVEIN, SAGEGIFT, and SAGEWAVE. These implants operated entirely in memory, making detection difficult, and communicated with command-and-control servers using traffic disguised as legitimate TLS handshakes. The payloads were stored directly in the EBS database, and attackers used compromised third-party email services to facilitate their operations. Once data was exfiltrated, Cl0p initiated mass extortion by sending emails to executives, threatening to release stolen information unless a ransom was paid. The attack pattern mirrored previous Cl0p campaigns, notably the MOVEit mass exploitation, indicating a strategic focus on widely used enterprise applications. Oracle responded by releasing emergency patches on October 4th, but by that time, many organizations had already suffered breaches and data theft. The campaign highlighted the risks associated with delayed vulnerability disclosure and patching in critical business applications. Security researchers emphasized the technical sophistication of the implants, which were designed to evade traditional endpoint detection and response (EDR) solutions. The incident underscored the importance of proactive threat intelligence and rapid patch management for organizations relying on Oracle EBS. Industry observers noted that the campaign's scale and impact were significant, with numerous enterprises affected globally. The use of in-memory implants and stealthy C2 communications represented an evolution in Cl0p's tactics, making incident response and forensic analysis more challenging. The attack also raised concerns about the security of third-party integrations and the broader supply chain within enterprise environments. Oracle's emergency response included not only patches but also guidance for detecting signs of compromise and mitigating further risk. The event served as a stark reminder of the persistent threat posed by ransomware groups targeting high-value enterprise software platforms. Organizations were urged to review their security posture, monitor for unusual activity in EBS environments, and apply patches without delay. The campaign's exposure prompted renewed calls for improved collaboration between software vendors, threat intelligence teams, and end users to reduce the window of opportunity for attackers.
Mar 21, 2026