Cl0p Ransomware Actively Exploiting Oracle E-Business Suite 0-Day Vulnerability in the Wild


Oracle has issued an emergency security alert for a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite after the notorious Cl0p ransomware group began extorting customers who failed to patch their systems. 

The vulnerability, carrying a maximum CVSS score of 9.8, affects the Business Intelligence Publisher (BI Publisher) Integration component and enables remote code execution without authentication.

The vulnerability CVE-2025-61882 represents a significant threat to Oracle E-Business Suite deployments worldwide. Security researchers have confirmed that public proof-of-concept exploits are now available, dramatically increasing the risk for unpatched systems. 

The flaw affects Oracle EBS versions 12.2.3 through 12.2.14. Organizations must already have applied Oracle’s October 2023 CPU before the latest security patches can be installed.
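A version-range check is the first step in scoping exposure, and it is easy to get wrong: comparing "12.2.14" and "12.2.3" as strings ranks the later release below the earlier one. The script below, an added example that is not part of the article or any Oracle tooling, parses dotted version strings numerically and reports which hosts in a constructed inventory fall inside the 12.2.3 through 12.2.14 range the article names; the inventory format and hostnames are assumptions.

```python
# Added example: scope an Oracle EBS inventory against the affected range
# named in the advisory (12.2.3 through 12.2.14, inclusive). Not Oracle code.

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(text):
    """Turn '12.2.10' into (12, 2, 10) so releases compare numerically.

    A naive string comparison would put '12.2.14' before '12.2.3' because
    '1' sorts before '3'; tuples of ints avoid that. Raises ValueError on
    anything that is not a dotted numeric version.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def triage_inventory(inventory):
    """inventory: iterable of (hostname, version_string) pairs.

    Returns a dict with three lists: hosts needing the patch, hosts outside
    the affected range, and hosts whose version string could not be parsed
    (these still need a manual look rather than being silently skipped).
    """
    result = {"patch": [], "clear": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "patch" if is_affected(version) else "clear"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ebs-prod-01", "12.2.10"),
    ("ebs-prod-02", "12.2.14"),
    ("ebs-legacy", "12.2.2"),
    ("ebs-dev", "12.2.3"),
    ("ebs-old-branch", "12.1.3"),
    ("ebs-cmdb-stale", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket are reported separately on purpose: an asset whose version the inventory cannot state is not evidence that it is safe.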

Tenable’s investigation revealed that Cl0p ransomware operators have been systematically targeting Oracle E-Business Suite installations, leveraging this zero-day vulnerability to gain unauthorized access to enterprise systems. 

Cl0p Exploiting Unpatched Oracle EBS Vulnerability

The attack campaign came to light when multiple Oracle customers received extortion emails from the Cl0p group, claiming to have successfully infiltrated their EBS environments and stolen sensitive business data.


Tenable stated that the vulnerability in the Oracle Concurrent Processing component allows attackers to execute arbitrary code remotely without any authentication credentials, making it an attractive target for cybercriminals. 

Security experts emphasize that the combination of widespread Oracle EBS deployment in enterprise environments and the vulnerability’s high severity score creates a perfect storm for large-scale attacks.

The Cl0p ransomware group, also known as TA505 and FIN11, has established a pattern of targeting zero-day vulnerabilities in enterprise file transfer and business application software. 

Previous campaigns successfully exploited vulnerabilities in Accellion, MOVEit Transfer, GoAnywhere, and Cleo platforms, demonstrating the group’s sophisticated capability to identify and weaponize high-impact security flaws.

Risk Factors and Details

Affected Products: Oracle E-Business Suite, Business Intelligence Publisher (BI Publisher) Integration, versions 12.2.3 through 12.2.14
Impact: Remote Code Execution
Exploit Prerequisites: Network access to an Oracle EBS instance; no authentication required
CVSS 3.1 Score: 9.8 (Critical)

Mitigations

Oracle’s security advisory includes multiple indicators of compromise (IOCs) to help organizations detect potential intrusions. 

The company has released patches addressing not only CVE-2025-61882 but also nine additional vulnerabilities from the July 2025 Critical Patch Update that may have been exploited in conjunction with the zero-day flaw.

Security teams must prioritize immediate patching of affected Oracle EBS systems, particularly given the availability of public exploits. 

Organizations should also monitor network traffic for suspicious activity targeting the BI Publisher Integration component and review web access logs for unauthorized administrative actions. 
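The log review the article recommends can be started with a small triage pass over the EBS web tier's access log. The script below is an added example, not code from the article, Oracle or Tenable: it parses Apache-style combined log lines, flags requests to watched application paths that originate outside the organization's trusted networks, and summarizes the flagged sources. The watched path prefixes, the trusted CIDRs and the sample log lines are all constructed assumptions; in practice the prefixes should be replaced with the indicators from Oracle's advisory and the CIDRs with the networks that are actually allowed to reach the instance.

```python
# Added example: triage a web access log for externally sourced requests to
# watched EBS application paths. Constructed for illustration; not an Oracle
# or Tenable tool, and the path list below is a placeholder, not an IoC set.
import ipaddress
import re
from collections import Counter

# PLACEHOLDER prefixes: substitute the endpoints named in Oracle's advisory.
WATCHED_PREFIXES = ("/OA_HTML/",)

# Networks that are expected to reach the EBS web tier (assumed values).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Apache/NCSA combined format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields, or None when the line is not a log entry."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_text):
    """True when the client address falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source is never treated as trusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def triage(lines):
    """Flag watched-path requests from untrusted sources.

    Returns (findings, skipped): findings is a list of parsed entries with a
    'reason' field; skipped counts lines that could not be parsed, so a
    partly corrupted log does not silently hide activity.
    """
    findings, skipped = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        on_watched_path = entry["path"].startswith(WATCHED_PREFIXES)
        if on_watched_path and not is_trusted(entry["ip"]):
            entry["reason"] = f"{entry['method']} to watched path from untrusted source"
            findings.append(entry)
    return findings, skipped


def summarize(findings):
    """Count flagged requests per source address (Counter, most common first)."""
    return Counter(f["ip"] for f in findings)


# Constructed sample log (addresses from documentation ranges, paths made up).
SAMPLE_LOG = """\
10.20.30.40 - - [06/Oct/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
203.0.113.7 - - [06/Oct/2025:09:13:44 +0000] "POST /OA_HTML/ExampleServlet HTTP/1.1" 200 310
203.0.113.7 - - [06/Oct/2025:09:13:45 +0000] "GET /OA_HTML/ExampleServlet?x=1 HTTP/1.1" 500 77
198.51.100.9 - - [06/Oct/2025:09:14:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0
10.20.30.41 - - [06/Oct/2025:09:15:10 +0000] "POST /OA_HTML/ExampleServlet HTTP/1.1" 200 310
this line is not a log entry
"""

if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['path']} -> {f['status']}")
    print("per-source:", dict(summarize(found)), "| unparsed lines:", bad)
```

A hit from this pass is a lead, not a verdict: the next step is to correlate the flagged sources and timestamps with application-tier logs and with the indicators Oracle published, and to treat any administrative action following such a request as unauthorized until proven otherwise.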

The incident underscores the critical importance of maintaining current patch levels and implementing defense-in-depth strategies to protect against zero-day exploitation campaigns.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.