Oracle E-Business Suite (EBS) was found to contain a critical zero-day vulnerability, tracked as CVE-2025-61884 and CVE-2025-61882, which allowed unauthenticated remote code execution and was actively exploited by threat actors, including the Clop ransomware group. The vulnerability, present in EBS versions 12.2.3 through 12.2.14, enabled attackers to access sensitive resources without authentication by exploiting a pre-authentication Server-Side Request Forgery (SSRF) flaw. Oracle released an out-of-band security update to address the issue, but did so without publicly acknowledging that the flaw was being actively exploited or that a proof-of-concept exploit had been leaked by the ShinyHunters extortion group. Security researchers and customers confirmed that the patch addressed the SSRF vulnerability used in the attacks. The exploit chain was complex, involving an unauthenticated HTTP POST to a specific servlet, manipulation of return_url parameters to trigger SSRF, CRLF/header injection, HTTP connection reuse, and ultimately the delivery of a malicious XSL stylesheet. This XSLT payload, containing embedded Java code, was processed by the server, leading to arbitrary code execution and the potential for attackers to spawn reverse shells. The Clop ransomware group sent extortion emails to Oracle EBS customers, claiming to have stolen sensitive data by exploiting this flaw, and confirmed their involvement in the campaign. The attack campaign was detected by Mandiant and Google, who observed that multiple threat actors were leveraging the vulnerability for data theft and extortion. The exploit chain demonstrated the risk of chaining multiple weaknesses in enterprise software to achieve full remote code execution. Security vendors, such as Imperva, responded by confirming protection for their customers against this exploit. The incident highlighted Oracle's lack of transparency regarding active exploitation and the public availability of exploit code. The technical details of the exploit, including SSRF, CRLF injection, and XSLT-based code execution, underscored the sophistication of the attack. The vulnerability's exploitation in the wild emphasized the importance of rapid patching and monitoring for signs of compromise in Oracle EBS environments. The campaign also illustrated the ongoing threat posed by ransomware and extortion groups targeting critical business applications. Organizations using Oracle EBS were urged to apply the security update immediately and review their systems for indicators of compromise. The incident raised concerns about the security of widely used enterprise resource planning (ERP) platforms and the need for proactive vulnerability management.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Envoy Air, an American Airlines subsidiary, confirmed a data compromise involving its Oracle E-Business Suite application after Clop listed American Airlines on its leak site. The company said some business information and commercial contact details were exposed, but no sensitive or customer data was affected.
AlphaHunt published technical analysis describing CL0P/FIN11 tradecraft in Oracle E-Business Suite compromises, including in-memory execution and delayed extortion. The report added technical detail to how the campaign operated.
Imperva published analysis stating its customers were protected against the critical Oracle E-Business Suite zero-day remote code execution flaw tracked as CVE-2025-61882. The post publicly documented defensive coverage for the vulnerability.
Oracle released fixes for the exploited Oracle E-Business Suite zero-days, including CVE-2025-61882 and CVE-2025-61884, without a prominent public disclosure. Later reporting described the fixes as addressing exploits tied to the Clop campaign and a leaked exploit associated with ShinyHunters/Shiny Lapsus$ Hunters.
Security firms CrowdStrike and Mandiant confirmed that the Clop/FIN11 threat actor was exploiting Oracle E-Business Suite zero-day vulnerabilities, including CVE-2025-61882, in a broader data-theft and extortion campaign. The activity was identified in early August 2025 and affected dozens of organizations.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
bleepingcomputer.com
Open sourcedatabreaches.net
Open sourceblog.alphahunt.io
Open sourcebleepingcomputer.com
Open sourcebleepingcomputer.com
Open sourceimperva.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.