CVE-2025-61882: Frequently Asked Questions About Oracle E-Business Suite (EBS) Zero-Day and Associated Vulnerabilities
This article describes how the Cl0p ransomware gang exploited CVE-2025-61882, a zero-day vulnerability in Oracle E-Business Suite (EBS), to carry out attacks that led to customer data theft and extortion. Oracle has released a security advisory that fixes the vulnerability and noted that nine other vulnerabilities fixed by earlier patches may also have been exploited. Tenable provides plugins to detect these vulnerabilities. 2025-10-6 02:22:1 Author: www.tenable.com

Following reports the Cl0p ransomware group has been extorting Oracle E-Business Suite customers, Oracle released an advisory for a zero-day that was exploited in the wild.

Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a newly disclosed Oracle zero-day vulnerability that was exploited in the wild, along with other recently patched vulnerabilities that were part of Oracle’s initial investigation.

FAQ

What is the Oracle zero-day vulnerability?

On October 4, Oracle published a Security Alert Advisory for a new zero-day vulnerability in E-Business Suite (EBS), Oracle’s integrated business application suite for various business functions including order management, logistics, procurement and more.

What is the CVE for this Oracle zero-day vulnerability?

CVE             Description                                                       Affected Component                                          CVSSv3
CVE-2025-61882  Oracle Concurrent Processing Remote Code Execution Vulnerability  Business Intelligence Publisher (BI Publisher) Integration  9.8

Was CVE-2025-61882 exploited in the wild as a zero-day?

Yes. As part of its Security Alert Advisory, Oracle included multiple indicators of compromise (IOCs). Additionally, a blog post from Rob Duhart, Chief Security Officer at Oracle, was updated to highlight the discovery of this zero-day during its investigation into reports of these compromises.

What are these reports of Oracle EBS customers being compromised?

On October 2, there were reports that Oracle customers received emails from the ransomware group known as Cl0p claiming to have stolen information from their EBS systems. On October 3, Oracle confirmed the reports of attempted extortion, adding that their preliminary investigation revealed exploitation of EBS vulnerabilities patched in the July 2025 Oracle Critical Patch Update (CPU).

What were the EBS vulnerabilities that were patched in the July 2025 Oracle CPU?

There were nine vulnerabilities patched in the July 2025 Oracle CPU:

Did Oracle originally say that these vulnerabilities were potentially used in these attacks?

Yes, Oracle did highlight these flaws in a previous version of Duhart’s blog post:

Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates.

However, this reference has since been removed from the blog and replaced with a reference to CVE-2025-61882.

Does this removal mean the vulnerabilities from the July 2025 CPU were not used in these attacks?

The removal of the reference would imply the July 2025 CPU vulnerabilities were not utilized in these attacks. However, there are external reports that suggest that the Cl0p ransomware group exploited multiple vulnerabilities, including some from the July 2025 CPU release. This has not been officially confirmed by Oracle.

Who is the Cl0p ransomware group?

Cl0p (or “Clop”) is a notorious ransomware group that has been operating since February 2019. It began as a traditional ransomware group conducting double-extortion attacks, where it would encrypt and exfiltrate files, then extort victims with the threat of publishing them. The group later pivoted to campaigns focused purely on data exfiltration and extortion. Cl0p has a penchant for targeting and exploiting zero-day vulnerabilities in file transfer software including Accellion, MOVEit Transfer, GoAnywhere, and Cleo.

Is Cl0p identified by any other names?

Cl0p is often referred to as, or linked to, TA505 and FIN11, groups that have deployed the Cl0p ransomware and conducted extortion attacks leveraging various zero-day vulnerabilities.

Is there a proof-of-concept (PoC) available for these vulnerabilities?

As of October 5, there were no public proof-of-concept (PoC) exploits for CVE-2025-61882 or the other nine CVEs patched in the July 2025 Oracle CPU release.

Are patches or mitigations available for CVE-2025-61882 and other associated vulnerabilities?

Yes, patches are available. The zero-day vulnerability, CVE-2025-61882, and the nine CVEs from the July 2025 CPU all affect the same versions of Oracle EBS:

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

Oracle Zero-Day:

Oracle EBS July 2025 CPU vulnerabilities:

These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang

Senior Staff Research Engineer, Security Response

Satnam joined Tenable in 2018. He has over 15 years of experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).


Source: https://www.tenable.com/blog/cve-2025-61882-faq-oracle-e-business-suite-zero-day-cl0p-and-july-2025-cpu