Oracle E-Business Suite (EBS) has been the target of a sophisticated cyberattack campaign exploiting multiple zero-day vulnerabilities, resulting in significant data breaches and prompting an urgent security response. According to reports, dozens of organizations have been impacted by the exploitation of a critical flaw in Oracle EBS, tracked as CVE-2025-61882, which has been actively used by threat actors since at least August 2025. The attackers leveraged a chain of vulnerabilities, including CVE-2025-61882 and a newly disclosed CVE-2025-61884, to gain unauthorized access to sensitive data and deploy various malware payloads such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. The Clop ransomware group has been linked to these attacks, using the vulnerabilities to breach networks, exfiltrate data, and extort victims. Oracle responded by releasing an emergency patch for CVE-2025-61884, which affects EBS versions 12.2.3 to 12.2.14, warning that the flaw could be exploited remotely by unauthenticated attackers to steal sensitive information. Security researchers from CrowdStrike observed that Clop had been exploiting CVE-2025-61882 as a zero-day since early August, and other threat groups may have joined the campaign. The vulnerabilities allow attackers to achieve remote code execution and information disclosure, posing a severe risk to organizations running affected EBS versions. Oracle strongly advised customers to apply the emergency updates or mitigations immediately to prevent further exploitation. The attacks have resulted in the exfiltration of large volumes of sensitive data, including financial documents, employee IDs, contracts, and internal reports, with some organizations facing significant operational disruptions and potential financial losses. The campaign demonstrates the increasing sophistication of ransomware and extortion groups, who are now chaining multiple vulnerabilities and targeting widely used enterprise platforms. Security experts have emphasized the importance of timely patching, robust monitoring, and incident response planning to mitigate the risks associated with zero-day exploitation. The incident also highlights the need for organizations to review their exposure to third-party software vulnerabilities and strengthen their supply chain security posture. Oracle's rapid release of emergency patches underscores the critical nature of the threat and the ongoing arms race between software vendors and cybercriminals. The exploitation of Oracle EBS zero-days is part of a broader trend of attackers targeting business-critical applications to maximize impact and leverage for extortion. Organizations are urged to remain vigilant, monitor for signs of compromise, and ensure that all security updates are applied without delay. The incident serves as a stark reminder of the persistent threat posed by advanced cybercriminal groups and the necessity of proactive cybersecurity measures in the face of evolving attack techniques.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Oracle released an emergency patch for a newly disclosed Oracle E-Business Suite vulnerability, CVE-2025-61882. The fix was issued in response to the serious flaw amid reports of exploitation.
Threat actors resembling the Cl0p ransomware group were reported to be exploiting an Oracle E-Business Suite zero-day tracked as CVE-2025-61882. The activity was highlighted in weekly cybersecurity reporting as an active real-world intrusion development.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
research.checkpoint.com
Open sourcethehackernews.com
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.