Oracle releases emergency patch to address Cl0p data theft attacks in E-Business Suite
Oracle has released an emergency patch and an urgent security warning about a 0-day vulnerability in Oracle E-Business Suite.
Tracked as CVE-2025-61882, the security flaw has a severity rating of 9.8 and is described as an “easily exploitable vulnerability”. Oracle warns that the vulnerability is “remotely exploitable without authentication”, which goes some way to explaining why it is seen as such a serious issue.
A security advisory informs Oracle customers: “This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.”
The advisory continues:
“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay. Note that the October 2023 Critical Patch Update is a prerequisite for application of the updates in this Security Alert.
“Indicators of compromise (IP addresses, observed commands, and files) to support immediate detection, hunting, and containment are detailed below the risk matrix.”
Rob Duhart – Chief Security Officer, Oracle Security – was also moved to post the following information:
“Oracle has issued Oracle Security Alert Advisory – CVE-2025-61882 to provide updates against additional potential exploitation that were discovered during our investigation. We strongly recommend Oracle E-Business Suite (EBS) customers apply the guidance provided by this Security Alert as soon as possible. We also reaffirm our strong recommendation that customers stay up to date with Critical Patch Updates.”
Over on the National Vulnerability Database, the entry for CVE-2025-61882 reads:
“Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).”
While Oracle has not said as much, the vulnerability is thought to be one targeted by the Cl0p ransomware group. In a statement provided to Bleeping Computer, Charles Carmakal, CTO, Mandiant - Google Cloud, said:
“Clop exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025. Multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle's July 2025 update as well as one that was patched this weekend (CVE-2025-61882).”
In short, the advice is to move quickly to get the patch installed. Full details are available in Oracle’s security advisory.