The notorious Cl0p ransomware group has been actively exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite (EBS), targeting enterprise customers through CVE-2025-61882.
This sophisticated attack campaign has prompted Oracle to issue an emergency security advisory after reports surfaced that multiple organizations received extortion emails from the threat actors.
Critical Zero-Day Vulnerability Exposed
Oracle confirmed the exploitation of CVE-2025-61882, a severe remote code execution vulnerability affecting the Business Intelligence Publisher (BI Publisher) Integration component of Oracle EBS.
The vulnerability carries a maximum CVSS score of 9.8, indicating critical severity with potential for complete system compromise.
The zero-day flaw affects Oracle E-Business Suite versions 12.2.3 through 12.2.14, impacting thousands of organizations worldwide that rely on Oracle’s integrated business application suite for critical operations including order management, logistics, and procurement.
Security researchers have identified Cl0p as a highly sophisticated ransomware group operating since February 2019, known for specifically targeting zero-day vulnerabilities in enterprise file transfer and business software.
The group, also linked to threat actors TA505 and FIN11, has previously exploited zero-days in Accellion, MOVEit Transfer, GoAnywhere, and Cleo platforms.
In this latest campaign, Cl0p has shifted from traditional file encryption to pure data exfiltration and extortion tactics.
Oracle customers began receiving threatening emails on October 2, claiming the attackers had successfully stolen sensitive information from their EBS systems.
Oracle’s preliminary investigation revealed that the threat actors exploited multiple vulnerabilities, including nine additional CVEs patched in the July 2025 Critical Patch Update.
These vulnerabilities, with CVSS scores ranging from 5.4 to 8.1, affected various EBS components, including Oracle Lease and Finance Management, Mobile Field Service, and Universal Work Queue.
| CVE Identifier | Affected Component | CVSS Score | Impact |
|---|---|---|---|
| CVE-2025-61882 | BI Publisher Integration | 9.8 | Remote Code Execution |
| CVE-2025-30743 | Lease and Finance Management | 8.1 | High Impact |
| CVE-2025-30744 | Mobile Field Service | 8.1 | High Impact |
| CVE-2025-50105 | Universal Work Queue | 8.1 | High Impact |
| CVE-2025-50071 | Applications Framework | 6.4 | Medium Impact |
Oracle has released patches for all identified vulnerabilities, but organizations must apply the October 2023 CPU as a prerequisite before installing the latest security updates.
Public proof-of-concept exploits for CVE-2025-61882 are now available, significantly increasing the risk for unpatched systems.
Security experts strongly recommend that all Oracle EBS customers immediately assess their exposure and apply available patches.
The combination of active exploitation, public exploit code, and Cl0p’s demonstrated capabilities creates an extremely dangerous threat landscape for vulnerable organizations.