Oracle has confirmed the active exploitation of a critical zero-day vulnerability in E-Business Suite (EBS), identified as CVE-2025-61882, which allows remote code execution without authentication. The flaw has been exploited since August 2025 by the Clop ransomware group in a large-scale data theft campaign that has already impacted multiple organizations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog on October 6, 2025, setting a deadline of October 27 for remediation by U.S. federal agencies.
Vulnerability details
CVE-2025-61882 has a CVSS score of 9.8 (critical) and affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. The vulnerability resides in the BI Publisher Integration component of Oracle Concurrent Processing and can be exploited remotely over HTTP without credentials, so any EBS instance whose web tier is reachable from an untrusted network is exposed. According to Mandiant, the Clop group chained multiple vulnerabilities in Oracle EBS, including CVE-2025-61882 and others already fixed in Oracle's July 2025 Critical Patch Update, enabling the theft of large volumes of data. Ransom demands have reached USD 50 million.
Background on the Clop group
The Clop group is known for exploiting zero-day vulnerabilities in enterprise platforms. In 2023, it compromised more than 2,700 organizations by exploiting a zero-day in Progress MOVEit Transfer (CVE-2023-34362). The current campaign follows the same pattern: mass exploitation, data theft, and extortion.
In this context, SEK recommends:
- Immediately applying the security patches released by Oracle to address the flaw.
- Testing updates in non-production environments before deploying them to production.
- Scanning Oracle EBS environments for the Indicators of Compromise (IOCs) that Oracle published in its Security Alert for CVE-2025-61882, bearing in mind that exploitation has been ongoing since August 2025, so log retention must cover that window for the sweep to be meaningful.
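One way to carry out the last two recommendations, as an added example that is not SEK's or Oracle's tooling: a small Python script that checks an EBS release string against the affected range stated above (12.2.3 through 12.2.14) and sweeps Apache-style access logs, which Oracle HTTP Server writes, for IOC source addresses and request-path markers. The IOC values in the block are constructed placeholders (RFC 5737 test addresses and an invented path); replace them with the indicators from Oracle's alert. The sample log lines are likewise constructed, not real traffic.

```python
"""IOC sweep over Oracle HTTP Server access logs plus an EBS version check.

Added illustration, not Oracle's or SEK's tooling. The IOC values below are
CONSTRUCTED placeholders (RFC 5737 test addresses and an invented path marker);
replace them with the indicators published in Oracle's security alert.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Affected range stated in the advisory: EBS 12.2.3 through 12.2.14, inclusive.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.2.11' into (12, 2, 11) so ranges compare numerically, not lexically."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected EBS version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the release falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Apache combined log format, which Oracle HTTP Server (Apache-based) emits.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Placeholder IOCs (constructed). Swap in the real list from Oracle's alert.
IOC_IPS = {"203.0.113.7", "198.51.100.23"}
IOC_PATH_MARKERS = ["/OA_HTML/example-ioc-path"]


def scan_access_log(lines: Iterable[str],
                    ioc_ips: Iterable[str] = IOC_IPS,
                    ioc_path_markers: Iterable[str] = IOC_PATH_MARKERS) -> List[Dict]:
    """Return one hit record per log line that matches an IOC IP or path marker.

    Unparseable lines are reported as well: a sweep that silently drops them
    can miss exactly the requests that were malformed on purpose.
    """
    ips = {ipaddress.ip_address(i) for i in ioc_ips}
    markers = list(ioc_path_markers)
    hits: List[Dict] = []
    for lineno, raw in enumerate(lines, start=1):
        m = LOG_RE.match(raw)
        if not m:
            hits.append({"line": lineno, "reason": "unparseable", "raw": raw})
            continue
        reasons = []
        try:
            if ipaddress.ip_address(m["ip"]) in ips:
                reasons.append(f"ioc-ip:{m['ip']}")
        except ValueError:
            reasons.append(f"bad-ip:{m['ip']}")
        for marker in markers:
            if marker in m["path"]:
                reasons.append(f"ioc-path:{marker}")
        if reasons:
            hits.append({"line": lineno, "ip": m["ip"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"]),
                         "reason": ",".join(reasons)})
    return hits


# Constructed sample log lines (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Oct/2025:09:12:44 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    '10.0.0.9 - - [06/Oct/2025:09:13:10 +0000] "POST /OA_HTML/example-ioc-path HTTP/1.1" 200 17',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print("12.2.11 affected:", is_affected("12.2.11"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Run it against the real OHS access logs (for example by reading the files under the web tier's log directory and passing the lines to `scan_access_log`) with the IOC sets replaced by Oracle's published values; a hit on an IOC address or path is a trigger for a full investigation, not proof on its own, and a clean sweep over logs that do not reach back to August 2025 proves nothing.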
SEK continues to actively monitor the evolution of this campaign and remains available to assist clients with implementing protection measures and investigating potential compromises.