Oracle E-Business Suite (EBS) was found to contain a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-61882, which has been actively exploited in the wild. The flaw resides in the Oracle Concurrent Processing component, specifically within the BI Publisher Integration, and carries a CVSS base score of 9.8 due to its unauthenticated and easily exploitable nature. Attackers can leverage this vulnerability to execute arbitrary code remotely without requiring valid credentials, posing a severe risk to organizations running affected EBS versions. Oracle confirmed that versions 12.2.3 through 12.2.14 are impacted by this vulnerability. The company released an emergency security update to address the issue, but customers must first apply the October 2023 Critical Patch Update before deploying the new fix. The vulnerability was exploited by the Clop ransomware group in a series of data theft attacks in August 2025, resulting in significant data exfiltration from multiple victims. Mandiant's CTO, Charles Carmakal, confirmed that Clop leveraged both this zero-day and other previously patched vulnerabilities in their campaign. Oracle's advisory included indicators of compromise that matched exploit details shared by threat actors on Telegram, highlighting the public availability of exploit information. The exploitation of this flaw underscores the importance of timely patch management, especially for business-critical applications like Oracle EBS. Oracle has urged all customers to prioritize the application of the latest patches to mitigate the risk of further exploitation. The incident demonstrates the increasing trend of ransomware groups targeting enterprise software vulnerabilities for large-scale data theft. Security researchers have emphasized the need for organizations to monitor for signs of compromise and to review their EBS deployments for unauthorized activity. The rapid release of a security alert and patch by Oracle reflects the urgency and severity of the threat posed by CVE-2025-61882. Organizations are advised to follow Oracle's remediation guidance closely and to remain vigilant for related threat activity. The incident has raised concerns about the security posture of widely used ERP platforms and the potential for future exploitation of similar vulnerabilities. The Clop attacks serve as a reminder that threat actors are adept at chaining multiple vulnerabilities to maximize impact. This event highlights the criticality of maintaining up-to-date security controls and monitoring for exploitation attempts targeting high-value enterprise systems.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
16 events from the most recent confirmed update back to the earliest known activity.
On October 17, 2025, regional airline Envoy Air confirmed it had been compromised through Oracle E-Business Suite. This added another publicly identified victim to the growing list of organizations affected by the campaign.
By October 15, 2025, reporting indicated Oracle had also released a patch for a related vulnerability, CVE-2025-61884, in addition to CVE-2025-61882. The additional fix suggested defenders needed to address more than one issue connected to the Oracle EBS attack surface.
By October 14, 2025, Cl0p had added Harvard University to its leak site and claimed to have stolen about 1.3 TB of data. This was one of the first named victims publicly associated with the Oracle EBS campaign.
On October 13, 2025, Harvard said it was investigating a breach tied to exploitation of the Oracle EBS zero-day and that a limited number of parties in a small administrative unit were affected. The university said it had applied Oracle's patch and had not found evidence of broader compromise in other systems.
Around October 10-13, 2025, researchers disclosed technical details of the campaign, including SSRF, CRLF injection, authentication bypass, XSL template injection, and Java-based payloads such as GOLDVEIN.JAVA and SAGE malware variants. The reporting also described web shells, in-memory backdoors, outbound callbacks, and post-exploitation tooling overlaps with FIN11 activity.
By October 9-10, 2025, Google Threat Intelligence Group and Mandiant reported that dozens of organizations had been breached in the Oracle EBS campaign. Their findings said attackers used multiple vulnerabilities and compromised third-party email accounts to run large-scale extortion operations.
On October 7, 2025, reporting citing CrowdStrike said exploitation of CVE-2025-61882 was linked to Cl0p, also tracked as Graceful Spider, with attacks beginning on August 9, 2025. This was a key attribution and timeline refinement for the campaign.
On October 7, 2025, researchers reported that exploit scripts for CVE-2025-61882 were circulating on Telegram. Analysis showed the attack chain abused SSRF and malicious XSL content to achieve remote code execution and reverse-shell access on Oracle EBS servers.
By October 7, 2025, CVE-2025-61882 had been added to CISA's Known Exploited Vulnerabilities catalog. The listing formally recognized the flaw as actively exploited in the wild and increased pressure on defenders to remediate quickly.
By October 6, 2025, government defenders including the FBI, the UK government, and the Canadian Centre for Cyber Security were warning organizations to patch Oracle EBS urgently. These advisories reflected concern over active exploitation and extortion activity tied to the flaw.
Beginning October 5-6, 2025, multiple outlets reported that the Cl0p extortion ecosystem was exploiting CVE-2025-61882 in Oracle EBS to steal data and pressure victims. Reports said executives were receiving extortion emails claiming Oracle EBS data had been stolen, with some demands reportedly reaching $50 million.
Oracle updated its advisory on October 4, 2025 after uncovering additional potential exploitation during its investigation. The alert included indicators of compromise such as IP addresses, file hashes, and reverse-shell artifacts, and replaced earlier references to possible July CPU vulnerabilities with CVE-2025-61882.
On October 4, 2025, Oracle published a Security Alert Advisory and released an emergency fix for CVE-2025-61882, a critical unauthenticated remote code execution flaw in Oracle E-Business Suite BI Publisher integration. Oracle said the vulnerability was being actively exploited and provided mitigation guidance for affected EBS versions 12.2.3 through 12.2.14.
According to later reporting, the Oracle EBS compromise campaign was only detected in late September 2025 despite having begun weeks earlier. This marked the point when defenders and vendors began investigating the broader scope of the intrusions.
Security researchers later determined that exploitation of Oracle EBS, including CVE-2025-61882, was underway by early August 2025, with one widely cited start point of August 9. Attackers used the access to steal data from victim environments for later extortion.
Later reporting and incident analysis indicate the Oracle E-Business Suite intrusion campaign started as early as July 2025, with attackers using multiple exploit chains against internet-facing EBS systems. The activity was not publicly known at the time and was only recognized later during investigations.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
43 references tracked. Mallory keeps watching after this page renders.
therecord.media
Open sourceforesiet.com
Open sourcedarkreading.com
Open sourcesecurityaffairs.com
Open sourcetenable.com
Open sourcesecurityboulevard.com
Open sourceoracle.com
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.