Oracle has confirmed ongoing attacks by the Cl0p ransomware group exploiting a critical zero-day vulnerability in its E-Business Suite.
Identified as CVE-2025-61882, the flaw resides in the Business Intelligence Publisher (BI Publisher) Integration component and permits unauthenticated remote code execution.
Carrying a maximum CVSS score of 9.8, this vulnerability enables attackers to achieve full system compromise and execute arbitrary code on affected instances.
Widespread Impact Across Oracle EBS Versions
The zero-day affects Oracle E-Business Suite versions 12.2.3 through 12.2.14, which are widely deployed among enterprises for order management, logistics, procurement, and financial operations.
Oracle estimates that thousands of organizations globally rely on these versions, placing a vast attack surface at risk.
Security researchers have observed Cl0p actors systematically scanning internet-facing EBS servers and weaponizing the flaw within days of its discovery.
Cl0p, active since February 2019 and linked to TA505 and FIN11, has a history of leveraging zero-days in enterprise file transfer and business applications.
Notable past exploits include vulnerabilities in Accellion, MOVEit Transfer, GoAnywhere, and Cleo platforms. In this campaign, Cl0p has pivoted from traditional file-encryption ransomware to pure data exfiltration and extortion.
On October 2, several Oracle customers began receiving threatening emails claiming the successful theft of sensitive information from their EBS deployments.
Preliminary investigations indicate Cl0p also exploited nine additional vulnerabilities patched in Oracle’s July 2025 Critical Patch Update, spanning components such as Lease and Finance Management, Mobile Field Service, and Universal Work Queue.
Oracle has released security updates addressing CVE-2025-61882 and the associated patched CVEs.
However, organizations must first deploy the October 2023 Critical Patch Update (CPU) as a prerequisite.
Public proof-of-concept exploits for CVE-2025-61882 are circulating, greatly increasing the urgency for patching. Security experts advise that all Oracle EBS customers:
- Immediately inventory exposed BI Publisher Integration endpoints.
- Confirm installation of the October 2023 CPU before applying the latest patches.
- Monitor system logs and network traffic for indicators of compromise, including unusual outbound connections suggestive of data exfiltration.
- Review intrusion detection and endpoint protection alerts for signs of Cl0p activity.
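As an added example (not code from the article, Oracle or any vendor), the script below turns the first three recommendations into a small triage routine: it flags EBS instances whose version falls in the affected 12.2.3 through 12.2.14 range and tells you whether the October 2023 CPU prerequisite is present, and it scans connection records from the EBS application tier for large outbound transfers to destinations outside an allowlist. The inventory rows, the connection log format and all IP addresses are constructed for illustration, and the CPU label format ("OCT2023") is an assumption; adapt it to however your patch tracking records CPUs.

```python
"""Added triage helper (constructed data, not the article's or Oracle's code).

1. Flag EBS instances in the advisory's affected range (12.2.3 through 12.2.14)
   and state whether the October 2023 CPU prerequisite has been applied.
2. Flag EBS app-tier hosts sending large volumes to non-allowlisted destinations,
   a crude signal for the outbound exfiltration the advisory tells you to watch for.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)
PREREQ_CPU = "OCT2023"  # prerequisite CPU from the advisory; label format is an assumption


def parse_version(version: str) -> tuple:
    """'12.2.10' -> (12, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.strip().split("."))


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed inventory: host, EBS version, CPUs already applied, exposure.
INSTANCES = [
    {"host": "ebs-prod-01", "version": "12.2.10", "applied_cpus": ["JUL2023"], "internet_facing": True},
    {"host": "ebs-prod-02", "version": "12.2.14", "applied_cpus": ["OCT2023", "APR2025"], "internet_facing": True},
    {"host": "ebs-dev-01", "version": "12.2.2", "applied_cpus": [], "internet_facing": False},
]


def triage_inventory(instances: list) -> list:
    """Return the affected instances with the action each one needs, internet-facing first."""
    findings = []
    for inst in instances:
        if not is_affected(inst["version"]):
            continue
        has_prereq = PREREQ_CPU in inst["applied_cpus"]
        findings.append({
            "host": inst["host"],
            "version": inst["version"],
            "internet_facing": inst["internet_facing"],
            "action": ("apply CVE-2025-61882 fix" if has_prereq
                       else "apply October 2023 CPU first, then CVE-2025-61882 fix"),
        })
    findings.sort(key=lambda f: not f["internet_facing"])
    return findings


# Constructed connection records in an assumed "ts src -> dst:port bytes_out=N" format.
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)
SAMPLE_CONNS = [
    "2025-10-03T02:14:05Z 10.20.0.11 -> 10.20.0.50:1521 bytes_out=4096",        # DB tier, internal
    "2025-10-03T02:15:11Z 10.20.0.11 -> 203.0.113.45:443 bytes_out=524288000",  # external, large
    "2025-10-03T02:16:30Z 10.20.0.11 -> 203.0.113.45:443 bytes_out=262144000",  # external, large
    "2025-10-03T02:17:02Z 10.20.0.12 -> 198.51.100.7:443 bytes_out=2048",       # external, small
    "2025-10-03T02:18:40Z 10.20.0.99 -> 203.0.113.45:443 bytes_out=999999999",  # not an EBS host
    "malformed line that the parser must skip",
]
EBS_HOSTS = {"10.20.0.11", "10.20.0.12"}          # constructed app-tier addresses
ALLOWED_NETS = [ip_network("10.20.0.0/16")]       # constructed internal range
THRESHOLD = 100 * 1024 * 1024                     # 100 MiB per (src, dst) pair


def flag_outbound(lines: list, ebs_hosts: set, allowed_nets: list, byte_threshold: int) -> dict:
    """Sum bytes_out per (src, dst) for EBS hosts talking outside the allowlist; keep big ones."""
    totals = defaultdict(int)
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue  # unparseable record: skip rather than crash mid-triage
        src, dst = m["src"], m["dst"]
        if src not in ebs_hosts:
            continue
        if any(ip_address(dst) in net for net in allowed_nets):
            continue
        totals[(src, dst)] += int(m["bytes"])
    return {pair: total for pair, total in totals.items() if total >= byte_threshold}


if __name__ == "__main__":
    for f in triage_inventory(INSTANCES):
        print(f"{f['host']} ({f['version']}, internet-facing={f['internet_facing']}): {f['action']}")
    for (src, dst), total in flag_outbound(SAMPLE_CONNS, EBS_HOSTS, ALLOWED_NETS, THRESHOLD).items():
        print(f"REVIEW: {src} -> {dst} sent {total} bytes outside the allowlist")
```

The version comparison uses integer tuples so that 12.2.10 sorts after 12.2.9; a plain string comparison would get that wrong. The outbound check aggregates per source/destination pair rather than alerting on single records, because exfiltration of a large dataset usually shows up as many moderate transfers to the same host.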
The convergence of active exploitation, available exploit code, and Cl0p’s proven capabilities in targeting zero-day flaws makes the threat environment exceedingly perilous.
Organizations that delay patching risk severe operational disruption, data breaches, and extortion.
Oracle’s ongoing collaboration with affected customers underscores the importance of rapid response and continuous vigilance against evolving ransomware tactics.
CVEs in the Latest Campaign
CVE Identifier | Affected Component | CVSS Score | Impact |
---|---|---|---|
CVE-2025-61882 | BI Publisher Integration | 9.8 | Remote Code Execution |
CVE-2025-30743 | Lease and Finance Management | 8.1 | High Impact |
CVE-2025-30744 | Mobile Field Service | 8.1 | High Impact |
CVE-2025-50105 | Universal Work Queue | 8.1 | High Impact |
CVE-2025-50071 | Applications Framework | 6.4 | Medium Impact |
All Oracle EBS customers are urged to treat these vulnerabilities with the highest priority and ensure comprehensive patch management to defend against this advancing threat.