Cl0p Ransomware Exploiting Oracle E-Business Suite 0-Day in Active Attacks

Oracle has confirmed ongoing attacks by the Cl0p ransomware group exploiting a critical zero-day vulnerability in its E-Business Suite.

Identified as CVE-2025-61882, the flaw resides in the Business Intelligence Publisher (BI Publisher) Integration component and permits unauthenticated remote code execution.

Carrying a maximum CVSS score of 9.8, this vulnerability enables attackers to achieve full system compromise and execute arbitrary code on affected instances.

Widespread Impact Across Oracle EBS Versions

The zero-day affects Oracle E-Business Suite versions 12.2.3 through 12.2.14, which are widely deployed among enterprises for order management, logistics, procurement, and financial operations.

Oracle estimates that thousands of organizations globally rely on these versions, placing a vast attack surface at risk.

Security researchers have observed Cl0p actors systematically scanning internet-facing EBS servers and weaponizing the flaw within days of its discovery.

Cl0p, active since February 2019 and linked to TA505 and FIN11, has a history of leveraging zero-days in enterprise file transfer and business applications.

Notable past exploits include vulnerabilities in Accellion, MOVEit Transfer, GoAnywhere, and Cleo platforms. In this campaign, Cl0p has pivoted from traditional file-encryption ransomware to pure data exfiltration and extortion.

On October 2, several Oracle customers began receiving threatening emails claiming the successful theft of sensitive information from their EBS deployments.

Preliminary investigations indicate Cl0p also exploited nine additional vulnerabilities patched in Oracle’s July 2025 Critical Patch Update, spanning components such as Lease and Finance Management, Mobile Field Service, and Universal Work Queue.

Oracle has released security updates addressing CVE-2025-61882 and the associated patched CVEs.

However, organizations must first deploy the October 2023 Critical Patch Update (CPU) as a prerequisite.

Public proof-of-concept exploits for CVE-2025-61882 are circulating, greatly increasing the urgency for patching. Security experts advise that all Oracle EBS customers:

  • Immediately inventory exposed BI Publisher Integration endpoints.
  • Confirm installation of the October 2023 CPU before applying the latest patches.
  • Monitor system logs and network traffic for indicators of compromise, including unusual outbound connections suggestive of data exfiltration.
  • Review intrusion detection and endpoint protection alerts for signs of Cl0p activity.
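
The patch-ordering advice above can be applied to an asset inventory as a triage pass. The following is an added example, not code from Oracle or from the article; the CSV column names, hostnames and action labels are hypothetical, and the sample inventory is constructed.

```python
import csv
import io

# Affected range as stated in the article: 12.2.3 through 12.2.14.
AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 14)

# Constructed sample inventory; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """\
host,ebs_version,internet_facing,oct2023_cpu,cve_2025_61882_patch
ebs-prod-01,12.2.9,yes,yes,no
ebs-dmz-02,12.2.14,yes,no,no
ebs-test-03,12.2.3,no,yes,yes
ebs-legacy-04,12.1.3,no,no,no
ebs-dev-05,12.2.x,no,no,no
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is malformed."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def next_action(row):
    """Pick the next remediation step for one inventory row."""
    version = parse_version(row["ebs_version"])
    if version is None:
        return "verify-version"            # unknown is not the same as safe
    # Tuple comparison is numeric, so 12.2.14 sorts above 12.2.3.
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "outside-listed-range"
    if row["cve_2025_61882_patch"] == "yes":
        return "patched-review-logs"       # patching does not undo earlier access
    if row["oct2023_cpu"] != "yes":
        return "apply-oct2023-cpu-first"   # prerequisite named in the article
    return "apply-cve-2025-61882-patch"

def triage(inventory_csv):
    """Return (host, internet_facing, action), most urgent first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    results = [(r["host"], r["internet_facing"] == "yes", next_action(r)) for r in rows]
    # Unpatched hosts first, internet-facing ones ahead of internal ones.
    return sorted(results, key=lambda t: (not t[2].startswith("apply"), not t[1], t[0]))

if __name__ == "__main__":
    for host, exposed, action in triage(SAMPLE_INVENTORY):
        print(f"{host:15} exposed={exposed!s:5} {action}")
```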

The convergence of active exploitation, available exploit code, and Cl0p’s proven capabilities in targeting zero-day flaws makes the threat environment exceedingly perilous.

Organizations that delay patching risk severe operational disruption, data breaches, and extortion.

Oracle’s ongoing collaboration with affected customers underscores the importance of rapid response and continuous vigilance against evolving ransomware tactics.

CVEs in the Latest Campaign

| CVE Identifier | Affected Component | CVSS Score | Impact |
|---|---|---|---|
| CVE-2025-61882 | BI Publisher Integration | 9.8 | Remote Code Execution |
| CVE-2025-30743 | Lease and Finance Management | 8.1 | High Impact |
| CVE-2025-30744 | Mobile Field Service | 8.1 | High Impact |
| CVE-2025-50105 | Universal Work Queue | 8.1 | High Impact |
| CVE-2025-50071 | Applications Framework | 6.4 | Medium Impact |

All Oracle EBS customers are urged to treat these vulnerabilities with the highest priority and ensure comprehensive patch management to defend against this advancing threat.

The post Cl0p Ransomware Exploiting Oracle E-Business Suite 0-Day in Active Attacks appeared first on Cyber Security News.
