Mass Exploitation of Oracle E-Business Suite Zero-Day Vulnerability
A significant cybersecurity incident has emerged involving mass exploitation of a zero-day vulnerability in Oracle E-Business Suite (EBS). CrowdStrike has identified an active campaign in which threat actors leverage the flaw, now tracked as CVE-2025-61882, to compromise organizations running Oracle EBS. Targets include major enterprises and at least one prominent airline, Envoy Air, which was breached as part of this wave of extortion attempts.

The campaign is especially concerning because Oracle EBS manages sensitive business operations, including financials, supply chain and human resources. Researchers report that the attackers use the vulnerability to gain initial access and then move laterally within affected networks, and there are indications that they also use stolen credentials and weak configurations to escalate privileges. Security vendors and researchers have issued urgent advisories urging organizations to apply patches and review their Oracle EBS deployments for signs of compromise.

The Envoy Air breach illustrates the real-world impact of the campaign: potential exposure of sensitive data and operational disruption. Experts warn that more than one threat actor may be exploiting the same vulnerability for different objectives, including extortion and data theft. The incident has also drawn attention to the broader risk posed by vulnerabilities in widely used third-party enterprise platforms, and has reignited debate over the speed and transparency of vulnerability disclosure and patching for critical enterprise software.
Organizations are being advised to monitor for indicators of compromise, enhance logging and detection around Oracle EBS systems, and coordinate with vendors for timely updates. The campaign is ongoing, and further victims may emerge as investigations continue. This event highlights the persistent threat posed by zero-day vulnerabilities in widely deployed business applications and the need for robust patch management and incident response capabilities.
Related Stories
Oracle E-Business Suite Zero-Day Exploitation and Emergency Patching
Oracle E-Business Suite (EBS) has been the target of a sophisticated attack campaign exploiting multiple zero-day vulnerabilities, resulting in significant data breaches and an urgent security response. According to reports, dozens of organizations have been affected by exploitation of a critical flaw tracked as CVE-2025-61882, which threat actors have used since at least August 2025. The attackers chained vulnerabilities, including CVE-2025-61882 and the newly disclosed CVE-2025-61884, to gain unauthorized access to sensitive data and to deploy malware payloads tracked as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF and SAGEWAVE. The Clop ransomware group has been linked to the attacks, using the vulnerabilities to breach networks, exfiltrate data and extort victims.

Oracle responded with an emergency patch for CVE-2025-61884, which affects EBS versions 12.2.3 through 12.2.14, warning that the flaw can be exploited remotely by unauthenticated attackers to steal sensitive information. CrowdStrike researchers observed Clop exploiting CVE-2025-61882 as a zero-day since early August, and other threat groups may have joined the campaign. Together the vulnerabilities allow remote code execution and information disclosure, a severe risk for any organization running an affected EBS version, and Oracle strongly advised customers to apply the emergency updates or mitigations immediately.

The attacks have resulted in the exfiltration of large volumes of sensitive data, including financial documents, employee IDs, contracts and internal reports, with some organizations facing significant operational disruption and potential financial losses. The campaign shows ransomware and extortion groups chaining multiple vulnerabilities against widely used enterprise platforms to maximize their leverage.
Security experts have emphasized the importance of timely patching, robust monitoring, and incident response planning to mitigate the risks associated with zero-day exploitation. The incident also highlights the need for organizations to review their exposure to third-party software vulnerabilities and strengthen their supply chain security posture. Oracle's rapid release of emergency patches underscores the critical nature of the threat and the ongoing arms race between software vendors and cybercriminals. The exploitation of Oracle EBS zero-days is part of a broader trend of attackers targeting business-critical applications to maximize impact and leverage for extortion. Organizations are urged to remain vigilant, monitor for signs of compromise, and ensure that all security updates are applied without delay. The incident serves as a stark reminder of the persistent threat posed by advanced cybercriminal groups and the necessity of proactive cybersecurity measures in the face of evolving attack techniques.
5 months ago
Oracle E-Business Suite 0-Day Vulnerability and Dark Web Exploit Activity
Oracle has issued a security alert for a newly discovered high-severity vulnerability in its E-Business Suite (EBS), tracked as CVE-2025-61884, which allows remote, unauthenticated attackers to access sensitive resources. The flaw lies in Oracle Configurator, the component used to automate product and service configuration, and affects EBS versions 12.2.3 through 12.2.14. According to Oracle's chief security officer, the vulnerability is easily exploitable over HTTP and can give an attacker unauthorized access to critical data, or to all data, reachable through Oracle Configurator. The National Institute of Standards and Technology (NIST) has rated the issue high severity, emphasizing that it can be exploited without credentials.

This vulnerability follows closely on another EBS zero-day, CVE-2025-61882, which Oracle disclosed the previous week, a concerning pattern of critical flaws in the platform. Researchers note that the Clop ransomware group previously exploited EBS vulnerabilities to gain unauthorized access to corporate accounts, raising the risk that the new flaw will be weaponized by similar actors. Concurrently, dark web monitoring teams have observed an alleged Oracle EBS 0-day exploit offered for sale on underground forums, alongside other high-profile data leaks and exploit sales, a sign of immediate interest from the cybercriminal community. Organizations running affected versions are urged to apply Oracle's patch or mitigations immediately and to monitor for signs of exploitation.
The exposure of such a critical business application to unauthenticated remote attacks significantly increases the risk of data breaches, ransomware, and business disruption. Security teams should prioritize reviewing access logs, implementing network segmentation, and restricting external access to Oracle EBS interfaces. The rapid appearance of exploit sales on the dark web underscores the urgency of the threat and the likelihood of imminent exploitation in the wild. Oracle customers are advised to stay informed through official security advisories and to coordinate with their IT and security vendors for timely remediation. The incident demonstrates the ongoing targeting of enterprise software by both sophisticated ransomware groups and opportunistic cybercriminals. Proactive defense and rapid response are essential to mitigate the risks posed by this and similar vulnerabilities in widely deployed business platforms.
5 months ago
Oracle E-Business Suite Zero-Day Exploited for Remote Code Execution and Data Theft
Oracle E-Business Suite (EBS) was found to contain critical zero-day vulnerabilities, tracked as CVE-2025-61882 and CVE-2025-61884, that allowed unauthenticated remote code execution and were actively exploited by threat actors including the Clop ransomware group. The exploited flaw, present in EBS versions 12.2.3 through 12.2.14, let attackers reach sensitive resources without authentication through a pre-authentication Server-Side Request Forgery (SSRF) weakness. Oracle released an out-of-band security update to address it, but without publicly acknowledging that the flaw was being actively exploited or that a proof-of-concept exploit had been leaked by the ShinyHunters extortion group. Security researchers and customers confirmed that the patch closed the SSRF vulnerability used in the attacks.

The exploit chain was complex: an unauthenticated HTTP POST to a specific servlet, manipulation of the return_url parameter to trigger the SSRF, CRLF/header injection, HTTP connection reuse, and finally delivery of a malicious XSL stylesheet. The server processed this XSLT payload, which contained embedded Java code, giving the attacker arbitrary code execution and the ability to spawn reverse shells. The chain demonstrates the risk of combining several weaknesses in enterprise software into full remote code execution.

Clop sent extortion emails to Oracle EBS customers claiming to have stolen sensitive data through the flaw, and confirmed its involvement in the campaign. Mandiant and Google detected the campaign and observed multiple threat actors using the vulnerability for data theft and extortion. Security vendors such as Imperva confirmed protection for their customers against the exploit. The incident highlighted Oracle's lack of transparency about active exploitation and the public availability of exploit code.
The technical details of the exploit, including SSRF, CRLF injection, and XSLT-based code execution, underscored the sophistication of the attack. The vulnerability's exploitation in the wild emphasized the importance of rapid patching and monitoring for signs of compromise in Oracle EBS environments. The campaign also illustrated the ongoing threat posed by ransomware and extortion groups targeting critical business applications. Organizations using Oracle EBS were urged to apply the security update immediately and review their systems for indicators of compromise. The incident raised concerns about the security of widely used enterprise resource planning (ERP) platforms and the need for proactive vulnerability management.
5 months ago
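The exploit chain summarized in the story above, as an added detection example written for this page; it is not code from Oracle, CrowdStrike, Mandiant, Imperva or any other party named here. It triages web-server access-log lines for the first stages of the chain, a request to the vulnerable servlet whose return_url carries CRLF sequences (header injection) or points at a host outside an allow-list (SSRF), and inspects an XSL stylesheet for Java extension namespaces, the primitive that lets an XSLT payload run embedded Java. The servlet path, hostnames, log lines and stylesheets are constructed placeholders, since the page does not name the real endpoint, and the check for Xalan/Saxon-style extension namespaces assumes that is the mechanism by which the stylesheet embedded Java.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical servlet path: the page does not name the real endpoint.
WATCHED_PATH = "/hypothetical/EbsServlet"
# Hosts that return_url may legitimately point to (assumption for this example).
ALLOWED_HOSTS = {"ebs.example.internal"}

# Combined-format access-log entry: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Java extension namespaces honoured by Xalan/Saxon-style XSLT processors (assumed
# mechanism for the embedded Java). A client-supplied stylesheet should never declare them.
JAVA_EXT_RE = re.compile(
    r'xmlns:[\w.-]+\s*=\s*"(?:http://xml\.apache\.org/xalan/java[^"]*|xalan://[^"]*|java:[^"]*)"'
)


def inspect_return_url(value):
    """Indicators found in one return_url value (already URL-decoded once by parse_qs)."""
    findings = []
    value = unquote(value)  # second decode: %250D%250A hides CRLF from a single-decode check
    if "\r" in value or "\n" in value:
        findings.append("crlf_in_return_url")  # header-injection attempt
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.hostname and parts.hostname not in ALLOWED_HOSTS:
        findings.append("ssrf_target:" + parts.hostname)  # redirect/SSRF target off the allow-list
    return findings


def triage_log_line(line):
    """Parse one access-log line; return (client, findings) or None if it is not for the servlet."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path != WATCHED_PATH:
        return None
    findings = ["post_to_watched_servlet"] if m.group("method") == "POST" else []
    for raw in parse_qs(target.query, keep_blank_values=True).get("return_url", []):
        findings.extend(inspect_return_url(raw))
    return m.group("client"), findings


def triage_log(text):
    """(client, findings) for every line carrying an indicator stronger than a plain POST."""
    hits = []
    for line in text.splitlines():
        res = triage_log_line(line)
        if res and any(f != "post_to_watched_servlet" for f in res[1]):
            hits.append(res)
    return hits


def xsl_declares_java_extension(xsl_text):
    """True if the stylesheet declares a Java extension namespace (a code-execution primitive)."""
    return JAVA_EXT_RE.search(xsl_text) is not None


# Constructed sample log lines (not real traffic; 198.51.100.0/24 is a documentation range).
# 1: benign redirect to an allowed host. 2: CRLF plus an attacker host in return_url.
# 3: double-encoded CRLF (%250D%250A). 4: unrelated path, ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2025:10:01:12 +0000] "POST /hypothetical/EbsServlet?return_url=https%3A%2F%2Febs.example.internal%2Fhome HTTP/1.1" 302 0
198.51.100.9 - - [06/Oct/2025:10:02:45 +0000] "POST /hypothetical/EbsServlet?return_url=http%3A%2F%2F198.51.100.9%3A8080%2F%0D%0AX-Injected%3A%201 HTTP/1.1" 302 0
198.51.100.9 - - [06/Oct/2025:10:03:01 +0000] "GET /hypothetical/EbsServlet?return_url=http%3A%2F%2F198.51.100.9%2F%250D%250AHost%3A%20x HTTP/1.1" 302 0
10.0.0.6 - - [06/Oct/2025:10:03:30 +0000] "GET /hypothetical/other HTTP/1.1" 200 512
"""

# Constructed stylesheets: a plain one and one declaring the Xalan Java namespace.
BENIGN_XSL = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    '<xsl:template match="/"><out/></xsl:template></xsl:stylesheet>'
)
SUSPICIOUS_XSL = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
    'xmlns:java="http://xml.apache.org/xalan/java">'
    '<xsl:template match="/"><xsl:value-of select="java:java.lang.System.getProperty(\'java.version\')"/>'
    '</xsl:template></xsl:stylesheet>'
)

if __name__ == "__main__":
    for client, findings in triage_log(SAMPLE_LOG):
        print(client, findings)
    print("suspicious stylesheet:", xsl_declares_java_extension(SUSPICIOUS_XSL))
```

Run it over real logs by passing their text to triage_log. One caveat: a return_url sent in the POST body never appears in an access log that records only the request line, so the same checks belong on WAF or reverse-proxy captures that include bodies. The parameter is decoded twice on purpose, because a double-encoded %250D%250A passes a single-decode check while still reaching the servlet as CRLF.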