Oracle has issued a security alert for a critical zero-day vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61882. The flaw allows attackers to execute code remotely and has been exploited in Clop ransomware data theft campaigns.
The vulnerability lies in the Oracle Concurrent Processing component of Oracle E-Business Suite, specifically in its BI Publisher Integration. It carries a CVSS base score of 9.8: it requires no authentication and is easy to exploit.
As detailed in a recent Oracle advisory, “This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite,” elaborating that “the vulnerability is remotely exploitable without authentication, meaning it may be exploited over a network without requiring a username and password. Successful exploitation could result in remote code execution.”
Oracle has confirmed that this zero-day vulnerability impacts Oracle E-Business Suite versions 12.2.3 through 12.2.14. To mitigate the risk, Oracle has released an emergency update, advising customers to first implement the October 2023 Critical Patch Update before deploying the new security patches.
Given the existence of a public proof-of-concept (PoC) exploit and ongoing exploitation of this vulnerability, it is imperative for Oracle administrators to apply security updates promptly.
Zero-Day Exploited in Clop Data Theft Attacks
While Oracle has refrained from explicitly labeling CVE-2025-61882 a zero-day, it provided indicators of compromise that match an exploit threat actors had shared on platforms such as Telegram. Charles Carmakal, CTO of Mandiant – Google Cloud, confirmed that the vulnerability was exploited by the Clop ransomware group in extensive data theft incidents reported in August 2025.
Carmakal stated, “Clop exploited multiple vulnerabilities in Oracle EBS that enabled them to steal vast amounts of data from several victims in August 2025,” highlighting that this included vulnerabilities addressed in Oracle’s July 2025 update as well as CVE-2025-61882.
As reported by both Mandiant and the Google Threat Intelligence Group (GTIG), the Clop campaign involved emails sent to multiple companies claiming that sensitive data had been taken from their Oracle E-Business Suite systems, together with extortion demands in return for not publishing the stolen data. One such email declared, “We are CL0P team. If you haven’t heard about us, you can google us on the internet.”
The Clop group is notorious for exploiting zero-day vulnerabilities in large-scale data breaches. The group confirmed its involvement in these extortion emails, claiming it had exploited an Oracle zero-day flaw to steal the data.
In a striking statement to BleepingComputer, Clop mentioned, “Soon all will become obvious that Oracle bugged up their core product, and once again, the task falls on Clop to rectify the situation,” alluding to the new flaw exploited for their operations.
Oracle initially linked the Clop extortion efforts to vulnerabilities patched in July 2025 rather than to a new zero-day. The company has since published indicators of compromise for this exploitation, including two IP addresses used by the threat actors, the commands used to establish remote shells, and the relevant exploit archives.
Exploit Leaked by Scattered Lapsus$ Hunters
While the Clop group is responsible for the recent data theft attacks, the exploit for this zero-day first became public through a different group of threat actors calling themselves “Scattered Lapsus$ Hunters.” This group has also drawn attention with its extensive data theft targeting Salesforce customers.
On the preceding Friday, these actors distributed files via Telegram that purportedly relate to the Clop attacks. One file, labeled “GIFT_FROM_CL0P.7z,” reportedly contains Oracle source code linked to support.oracle.com.
They also released an archive named “ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip,” implying that it contained the Oracle E-Business Suite exploit used by Clop. BleepingComputer has confirmed that this archive matches the indicators of compromise released by Oracle.
This archive features a readme.md instruction file and two Python scripts, exp.py and server.py, designed to exploit vulnerable Oracle E-Business Suite instances and execute arbitrary commands or establish reverse shells to the threat actor’s servers.
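Oracle's alert gives defenders two things to act on: an affected version range (12.2.3 through 12.2.14) and a set of indicators of compromise. The following Python script, an added example rather than anything from Oracle or from the article, shows how a defender might operationalize both: a numeric version check (string comparison would wrongly place 12.2.10 before 12.2.9) and a format-agnostic scan of log lines for IoC IP addresses and the leaked archive names named above. The IP addresses in `IOC_IPS` are RFC 5737 documentation placeholders, since the article does not reproduce Oracle's published addresses; the log lines are constructed for the demonstration.

```python
import re

# Affected release range as stated in Oracle's alert: 12.2.3 through 12.2.14.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Hypothetical IoC set. Oracle published two attacker IP addresses, but the
# article does not reproduce them, so RFC 5737 documentation addresses stand in.
IOC_IPS = {"192.0.2.10", "198.51.100.7"}

# Archive names the article reports as circulating with the leaked exploit.
IOC_FILENAMES = {
    "GIFT_FROM_CL0P.7z",
    "ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_version(text: str) -> tuple:
    """Turn '12.2.10' into (12, 2, 10) so comparison is numeric, not lexical
    ('12.2.10' < '12.2.9' as strings, which would misclassify 12.2.10)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the EBS release is inside the affected range (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_lines(lines, ioc_ips=IOC_IPS, ioc_filenames=IOC_FILENAMES):
    """Return (line_number, reason, indicator) for each line that touches an IoC.

    Any log format works: IPv4 tokens are pulled out with a regex and compared
    against the IoC set, and archive names are matched case-insensitively.
    """
    names_lower = {n.lower() for n in ioc_filenames}
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((number, "ioc-ip", ip))
        lowered = line.lower()
        for name in names_lower:
            if name in lowered:
                hits.append((number, "ioc-filename", name))
    return hits


# Constructed sample: three web-server lines and one proxy download line.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2025:10:01:12 +0000] "POST /report/run HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Oct/2025:10:02:00 +0000] "GET /login HTTP/1.1" 200 2048',
    "proxy 10.0.0.8 GET http://files.invalid/ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip 200",
    '203.0.113.5 - - [05/Oct/2025:10:03:30 +0000] "GET /health HTTP/1.1" 200 16',
]


if __name__ == "__main__":
    for v in ("12.2.2", "12.2.10", "12.2.14", "12.2.15"):
        print(f"EBS {v}: {'AFFECTED' if is_affected(v) else 'not in range'}")
    for number, reason, indicator in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {reason} -> {indicator}")
```

Replace the placeholder IPs with the addresses from Oracle's alert before running this against real logs, and treat a version hit as "patch required" rather than "compromised": the version check only tells you the host is in scope, while the IoC hits are what warrant an incident response look.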
The confirmation that this exploit, disclosed by the Scattered Lapsus$ Hunters, corresponds with the Clop operations raises critical questions regarding how these threat actors obtained this exploit and the nature of their collaboration with Clop.
BleepingComputer reached out to both ShinyHunters and Clop for inquiries concerning this relationship, though responses have not yet been received.
