Oracle Patches Critical E-Business Suite Zero-Day Vulnerability Exploited by Clop Ransomware

Published 2025-10-06 02:38:27 | www.bleepingcomputer.com


Oracle has issued a critical patch for a zero-day vulnerability in its E-Business Suite, tracked as CVE-2025-61882, which allows unauthenticated remote code execution. The flaw has been actively exploited in data theft attacks by the Clop ransomware gang.

Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks. The flaw is within the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) and has a CVSS base score of 9.8, due to its lack of authentication and ease of exploitation.

"This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite," reads a new Oracle advisory. "This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution." Oracle has confirmed that the zero-day vulnerability affects Oracle E-Business Suite, versions 12.2.3-12.2.14, and has released an emergency update to address the flaw.

While Oracle has not explicitly stated that this is a zero-day vulnerability, they did share indicators of compromise that correspond to an Oracle EBS exploit recently shared by threat actors on Telegram. Charles Carmakal, CTO, Mandiant - Google Cloud, also confirmed that this was the flaw exploited by the Clop ransomware gang in data theft attacks that occurred in August 2025.

Clop has previously sent extortion emails claiming the theft of Oracle E-Business Suite data, and the gang has a long history of exploiting zero-day vulnerabilities in mass data theft campaigns. Oracle has now shared indicators of compromise for the exploitation, including two IP addresses seen attacking servers, a command used to open a remote shell, and the exploit archive and its associated files.
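Two checks an EBS administrator would want to run against this alert are a version test against the 12.2.3-12.2.14 range Oracle named and a sweep of web server access logs for the IP addresses in Oracle's IoC list. The script below is an added example written for this page, not code from Oracle, BleepingComputer or Mandiant. The IoC addresses in it are placeholders from the TEST-NET ranges, not the two addresses Oracle published (take those from the Security Alert itself), and the access log lines are constructed in the Apache combined format that Oracle HTTP Server writes.

```python
import re
from typing import Iterable, List, Tuple

# Affected releases per the Oracle Security Alert: EBS 12.2.3 through 12.2.14.
AFFECTED_MIN: Tuple[int, int, int] = (12, 2, 3)
AFFECTED_MAX: Tuple[int, int, int] = (12, 2, 14)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn an EBS release string such as '12.2.11' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EBS version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the release falls inside the range named in the alert."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Placeholder IoC addresses (hypothetical, TEST-NET ranges). Replace with the
# two addresses from Oracle's alert before running this against real logs.
IOC_IPS = frozenset({"192.0.2.10", "198.51.100.77"})

# Apache combined log format, as written by Oracle HTTP Server in front of EBS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_ioc_hits(lines: Iterable[str], ioc_ips=IOC_IPS) -> List[dict]:
    """Return every request whose client address is in the IoC set.

    Lines that do not parse are skipped rather than raising, because a real
    access log almost always contains a few malformed or truncated entries.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("ip") not in ioc_ips:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return hits


# Constructed sample log: two benign internal requests and two from the
# placeholder IoC addresses. Paths are ordinary EBS login/help URLs, not
# an exploit path, which this page does not disclose.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2025:10:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Oct/2025:10:13:44 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "python-requests/2.31"
this line is truncated garbage that must not crash the scan
10.0.0.7 - - [05/Oct/2025:10:14:02 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [05/Oct/2025:10:15:19 +0000] "GET /OA_HTML/help/ HTTP/1.1" 404 0 "-" "curl/8.4"
""".splitlines()


if __name__ == "__main__":
    for v in ("12.2.2", "12.2.3", "12.2.11", "12.2.14", "12.2.15"):
        print(f"EBS {v}: {'AFFECTED' if is_affected(v) else 'not in range'}")
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(f"IoC hit: {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Point `find_ioc_hits` at the real OHS access log (for example by iterating over the open file object) once `IOC_IPS` holds the addresses from the alert. A hit from one of those addresses is a reason to pull the full request history for that host and look for the remote shell command Oracle listed, not proof of compromise on its own; an absence of hits is not proof of safety either, since the exploit archive was shared publicly and other sources will use other addresses.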