Cyber authorities ring alarm bell over actively exploited Oracle E-Business Suite bug

Cybersecurity authorities are urging organizations to patch a critical zero-day bug in Oracle’s E-Business Suite (EBS) that’s already being actively exploited. The flaw enables unauthenticated attackers to run code remotely.
Reports about compromised Oracle customers appeared last week. The notorious ransomware gang Clop (Cl0p) sent extortion emails to multiple companies, claiming that their sensitive data was stolen from the tech company’s E-Business Suite.
The integrated suite of business applications is widely used for many tasks, including resource planning, finance, supply chain management, and human resources.
On October 4th, Oracle released emergency patches and issued a security alert advisory, warning about potential exploitation discovered during an investigation.
The critical vulnerability, labeled CVE-2025-61882, has a near-maximum base severity score of 9.8 out of 10. It lies in the BI Publisher Integration component of the Oracle Concurrent Processing product.
“An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing,” the description on the National Vulnerability Database reads.
An unauthenticated attacker can exploit the bug by sending specially crafted HTTP requests to the affected component, resulting in full system compromise. No user interaction is required.
“It may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution,” Oracle acknowledged in the advisory.
The UK National Cyber Security Centre (NCSC) released an urgent warning for organizations in the country to take immediate action to mitigate the vulnerability.
Similarly, the Federal Office for Information Security (BSI) in Germany flashed a red alert warning of remote attacks.
Mass zero-day exploitation
All organizations using Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14 are affected. Internet-exposed instances pose even greater risks.
Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible. The October 2023 Critical Patch Update is a prerequisite.
The advisory already contains several IP addresses, descriptions of observed malicious payloads, and other indicators of compromise.
Charles Carmakal, CTO and Board Advisor of Mandiant at Google Cloud, warned about mass exploitation of the vulnerability in a LinkedIn post.
“Given the broad mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” the expert recommends.
Cl0p, the suspected attacker, is a notorious ransomware gang that previously compromised hundreds of companies by exploiting the MOVEit zero-day vulnerability. The gang also threatened to release data of 59 companies affected by the Cleo file transfer platform breach.
The gang likely exploited several vulnerabilities in Oracle EBS in August 2025, which enabled it to steal large amounts of data from several victims.
“Cl0p has been sending extortion emails to several victims since last Monday. However, please note they may not have attempted to reach out to all victims yet,” Carmakal warned.