Exploitation of Oracle EBS Zero-Day Started 2 Months Before Patching


More information has come to light on the recently patched Oracle E-Business Suite (EBS) zero-day, with evidence indicating that threat actors knew about the vulnerability for at least two months before it was patched. 

Google Threat Intelligence Group (GTIG) and Mandiant first warned about attacks aimed at Oracle E-Business Suite on October 2, after executives at many organizations received extortion emails from the Cl0p cybercrime group.

It has since been confirmed that Cl0p was behind the attacks, and that the cybercriminals likely managed to steal large amounts of data from the EBS instances of targeted organizations since August. 

Oracle initially said the attacks appeared to involve exploitation of unspecified vulnerabilities patched in July, but the software giant confirmed on October 4 that a zero-day flaw had also been exploited.

The zero-day, tracked as CVE-2025-61882 with a CVSS score of 9.8, impacts the BI Publisher Integration component of Oracle Concurrent Processing. It can be exploited by an unauthenticated attacker for remote code execution.

CrowdStrike has been monitoring the attacks involving CVE-2025-61882 and has tied them with moderate confidence to a Russia-linked threat actor it tracks as Graceful Spider, which is known for conducting attacks with the Cl0p ransomware. However, the cybersecurity firm says it’s possible that multiple groups have exploited the zero-day.

While CrowdStrike’s investigation is ongoing, the information it has collected to date indicates that the zero-day was first exploited on August 9. 

The hacker groups ShinyHunters and Scattered Spider (now calling themselves Scattered LAPSUS$ Hunters as a result of a collaboration) have published a proof-of-concept (PoC) exploit for CVE-2025-61882. 


While it initially appeared that Scattered LAPSUS$ Hunters may have been collaborating with the Cl0p hackers, a message in one of the files published alongside the exploits suggests a feud between the threat groups. 

Indicators of compromise (IoCs) published by Oracle suggested that the leaked PoC was genuine, a conclusion later confirmed by an analysis of the PoC conducted by security firm WatchTowr.

“The [exploit] chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated Remote Code Execution,” WatchTowr said.

With the PoC now public, the cybersecurity industry expects other threat actors to add CVE-2025-61882 to their arsenal, and they may still have plenty of targets to choose from.

Censys reported seeing over 2,000 internet-exposed instances of Oracle E-Business Suite. The Shadowserver Foundation has identified over 570 potentially vulnerable instances. Both Censys and Shadowserver saw the highest number of EBS instances in the United States, followed at a distance by China. 


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.