Oracle has released an emergency patch for a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite (EBS) that was actively exploited by the Clop ransomware gang in recent data theft attacks.
Why it matters: The vulnerability, with a CVSS score of 9.8, allows unauthenticated remote code execution, posing significant security risks to organizations using affected EBS versions (12.2.3-12.2.14).
The details:
- The flaw resides in the Oracle Concurrent Processing product, specifically the BI Publisher Integration component.
- Oracle advises installing the October 2023 Critical Patch Update before applying the new security updates.
- Indicators of compromise include IP addresses 200.107.207.26 and 185.181.60.11, a reverse shell command, and an exploit code archive.
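One way to sweep web or proxy access logs for the two IP addresses listed above, as an added example that is not part of the original article or Oracle's advisory. The log lines, paths and field layout are constructed sample data. It compares parsed addresses rather than substrings, so a neighbouring address such as 185.181.60.112 is not flagged, while X-Forwarded-For entries, IPv4-mapped IPv6 forms and `ip:port` tokens are.

```python
import ipaddress
import re

# The two IoC addresses listed in the article above.
IOC_IPS = {ipaddress.ip_address("200.107.207.26"),
           ipaddress.ip_address("185.181.60.11")}

# Split on whitespace, commas, quotes and brackets to isolate address-like tokens.
SPLIT = re.compile(r'[\s,"\[\]]+')

# Constructed sample lines (combined-log style; paths and timestamps are placeholders).
SAMPLE_LOG = [
    '200.107.207.26 - - [10/Oct/2025:13:55:36 +0000] "GET /placeholder HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2025:13:55:40 +0000] "POST /placeholder HTTP/1.1" 200 90 "185.181.60.11, 10.0.0.9"',
    '::ffff:185.181.60.11 - - [10/Oct/2025:13:56:02 +0000] "GET /placeholder HTTP/1.1" 404 0',
    '185.181.60.112 - - [10/Oct/2025:13:57:10 +0000] "GET /placeholder HTTP/1.1" 200 77',
]


def parse_ip(token):
    """Return a normalized address for token, or None if it is not an IP."""
    candidates = [token]
    if token.count(":") == 1:  # IPv4 with a port suffix, e.g. 192.0.2.1:443
        candidates.append(token.split(":")[0])
    for candidate in candidates:
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        # Fold ::ffff:a.b.c.d (dual-stack listeners) back to plain IPv4.
        return getattr(addr, "ipv4_mapped", None) or addr
    return None


def find_ioc_hits(lines):
    """Return [(line_number, [matched IoC addresses])] for lines containing an IoC IP."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        matched = {a for a in map(parse_ip, SPLIT.split(line)) if a in IOC_IPS}
        if matched:
            hits.append((lineno, sorted(str(a) for a in matched)))
    return hits


if __name__ == "__main__":
    for lineno, addrs in find_ioc_hits(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(addrs)}")
```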
The vulnerability was first publicized by a group called “Scattered Lapsus$ Hunters,” who leaked exploit code and Oracle source code on Telegram.
Clop’s extortion campaign:
- Clop exploited the EBS vulnerability to steal large amounts of data from several victims in August 2025.
- Multiple companies received extortion emails threatening to leak stolen data unless a ransom was paid.
- The emails boasted of the breach and held victim data hostage.
“Clop exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims,” said Charles Carmakal, CTO of Mandiant – Google Cloud.
What’s next: Organizations using affected EBS versions should swiftly apply the necessary patches to mitigate the risk of exploitation. The incident highlights the persistent threat posed by ransomware gangs and the critical need for robust cyber defenses.
