Oracle Warns of New EBS Vulnerability That Allows Remote Access
A high-severity vulnerability (CVE-2025-61884) has been found in Oracle's E-Business Suite software, with a CVSS score of 7.5, allowing attackers to remotely access sensitive resources without authentication. The flaw affects the Oracle Configurator component. The Cl0p ransomware group previously exploited similar flaws to break into corporate accounts and send extortion emails. Although this vulnerability has not yet been exploited in the wild, its potential risk is high. 2025-10-13 13:57:13 Author: securityboulevard.com

Oracle over the weekend issued another security alert about a vulnerability in its E-Business Suite (EBS), the software family that the Cl0p ransomware group had compromised to gain unauthorized access to the accounts of corporate users.

The latest security flaw, tracked as CVE-2025-61884, comes with a CVSS score of 7.5 out of 10, making it a high-severity vulnerability. Rob Duhart, Oracle Security’s chief security officer, wrote in a brief blog post that “if successfully exploited, this vulnerability may allow access to sensitive resources.”

In its security alert, Oracle noted that the vulnerability can be exploited remotely and without authentication, so bad actors could access a network without having to use a username and password.


As with the zero-day vulnerability announced by Oracle last week – tracked as CVE-2025-61882 – the latest flaw affects versions 12.2.3 through 12.2.14 of EBS. According to the NIST database entry for CVE-2025-61884, the flaw affects Oracle Configurator, a runtime UI that organizations use to automate the selection and configuration of products and services.

‘Easily Exploitable Vulnerability’

NIST called the flaw an “easily exploitable vulnerability [that] allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”

Oracle EBS is a collection of highly integrated business apps that span enterprise resource planning (ERP), customer relationship management (CRM), and supply chain management, addressing areas ranging from financials and manufacturing to HR, procurement, and order management.

There’s no indication that the latest vulnerability has been used in the wild, unlike previous security flaws exploited by Cl0p to steal data from a range of Oracle customers. The ransomware group, for the past couple of weeks, has been sending extortion emails to executives of compromised companies demanding a ransom.

The messages were sent from compromised email accounts, according to researchers with threat intelligence firm SOCRadar.

Extortion Messages

According to Google’s Mandiant unit and Google Threat Intelligence Group (GTIG), Cl0p began sending the extortion emails in late September, though it added that the emails likely came after months of exploiting EBS vulnerabilities, targeting customers’ networks and systems, and exfiltrating sensitive data.

Mandiant initially noted that Cl0p abused known and patched vulnerabilities, but added last week that the group also exploited the CVE-2025-61882 zero-day. SOCRadar also wrote that the flaw had been exploited in the wild – Oracle issued a patch for it October 4 – and that a public proof-of-concept exploit had been released, which “further increased the risk of widespread exploitation beyond Cl0p’s campaign. Security researchers warn that other threat actors could adopt the leaked exploit in opportunistic attacks.”

Both SOCRadar and GTIG noted overlap with the cybercrime collective Scattered Lapsus$ Hunters, a combination of high-profile ransomware groups Scattered Spider, Lapsus$, and ShinyHunters.

Multiple Malware Payloads

GTIG found that the attacks included at least two distinct Java payload chains that dropped several malware families, including droppers GoldVein, SageGift, and SafeLeaf, and SageWave, which is used to establish persistent access to compromised networks and systems.

“Targeting public-facing applications and appliances that store sensitive data likely increases the efficiency of data theft operations, given that the threat actors do not need to dedicate time and resources to lateral movement,” Mandiant and GTIG wrote. “This overall approach – in which threat actors have leveraged zero-day vulnerabilities, limited their network footprint, and delayed extortion notifications – almost certainly increases the overall impact, given that threat actors may be able to exfiltrate data from numerous organizations without alerting defenders to their presence.”

Cl0p has been using this approach since at least late 2020, and likely will continue to target zero-day exploits for similar applications, according to the Google groups.

The threat group in 2023 exploited a vulnerability in Progress Software’s MOVEit file transfer software to access customers’ environments in a campaign that affected almost 2,800 companies.

Source: https://securityboulevard.com/2025/10/oracle-warns-of-new-ebs-vulnerability-that-allows-remote-access/