Oracle patches EBS RCE flaw exploited in Clop extortion attacks

Oracle has patched a critical vulnerability in its E-Business Suite (EBS), tracked as CVE-2025-61882, which is being actively exploited in data theft attacks by the Clop ransomware group.

The flaw resides in the BI Publisher Integration component of Oracle Concurrent Processing, and allows for unauthenticated remote code execution. According to Oracle’s advisory, the vulnerability “may be exploited over a network without the need for a username and password,” potentially allowing attackers to execute arbitrary code on vulnerable systems.

CVE-2025-61882 affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. Oracle has released an emergency patch but warns that customers must first apply the October 2023 Critical Patch Update to deploy the new fix.

Although Oracle has not officially labeled the flaw a zero-day, the company released indicators of compromise (IOCs) tied to exploit activity, including exploit material that threat actors had recently shared on Telegram.

Last week, Mandiant and Google’s Threat Intelligence Group reported a new Clop extortion campaign targeting EBS customers. Victims received ransom emails alleging that data had been stolen from their Oracle EBS systems, with the attackers threatening to leak the information unless their demands were met.

The Clop group has a long history of exploiting zero-day vulnerabilities in various products in widespread data extortion campaigns. Since 2020, the group has been observed targeting multiple flaws in the Accellion FTA platform, the SolarWinds Serv-U zero-day (CVE-2021-35211), the GoAnywhere MFT zero-day (CVE-2023-0669), the MOVEit Transfer zero-day (CVE-2023-34362), and two Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956).
