Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks
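Oracle has released an emergency update to fix CVE-2025-61882 (CVSS score 9.8), a high-severity vulnerability in E-Business Suite that can be exploited remotely without authentication to take control of the Oracle Concurrent Processing component. The Cl0p group's recent data theft attacks may be related to this vulnerability. Oracle has provided a patch and shared indicators of compromise (IoCs), including IP addresses and file names. Experts advise organizations to check whether they have already been compromised.

2025-10-6 05:15:0 Author: thehackernews.com (view original)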


Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks.

The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component.

"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password," Oracle said in an advisory. "If successfully exploited, this vulnerability may result in remote code execution."

In a separate alert, Oracle's Chief Security Officer Rob Duhart said the company has released fixes for CVE-2025-61882 to "provide updates against additional potential exploitation that were discovered during our investigation."


As indicators of compromise (IoCs), the company shared the following IP addresses and artifacts, indicating the likely involvement of the Scattered LAPSUS$ Hunters group as well in the exploit -

News of the Oracle zero-day comes days after reports emerged of a new campaign likely undertaken by the Cl0p ransomware group targeting Oracle E-Business Suite. Google-owned Mandiant described the ongoing activity as a "high-volume email campaign" launched from hundreds of compromised accounts.

In a post shared on LinkedIn, Charles Carmakal, CTO of Mandiant at Google Cloud, said "Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025," adding "multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle's July 2025 update as well as one that was patched this weekend (CVE-2025-61882)."

"Given the broad mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised," Carmakal noted.

(This is a developing story. Please check back for more details.)



Article source: https://thehackernews.com/2025/10/oracle-rushes-patch-for-cve-2025-61882.html