- Cl0p, a prolific ransomware and extortion threat group, confirmed that they were behind a large-scale extortion campaign targeting Oracle E-Business Suite (EBS) customers that appears to have begun September 29.
- Oracle initially made a statement indicating that one or more vulnerabilities patched in July 2025 were potentially exploited; they later published CVE-2025-61882, a net-new zero-day vulnerability linked to the attack.
- A rival threat group posted what they said was the exploit Cl0p had used to gain access to Oracle EBS data. VulnCheck and others have confirmed this exploit is legitimate.
- Signatures, ASM queries, and a PCAP for CVE-2025-61882 are available to VulnCheck initial access intelligence customers. CVE-2025-61882 has been added to VulnCheck KEV.
Background
On September 29, 2025, multiple organizations began receiving extortion emails purporting to be from the Cl0p ransomware and extortion group. The emails, which were aimed at Oracle E-Business Suite (EBS) customers, claimed that Cl0p had "recently breached your Oracle E-Business Suite application and copied a lot of documents." While threat intel practitioners were initially uncertain whether the extortion emails were coming from Cl0p or from an impersonator, Cl0p confirmed to Bleeping Computer on October 1 that they were involved in the campaign.
On October 2, Oracle released a brief statement noting that some Oracle EBS customers had received extortion emails, and that an ongoing investigation had "found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update."
A day later, however, on Friday, October 3, a rival threat group called ShinyHunters posted a profanity-laced tirade against Cl0p alongside what they claimed was the exploit Cl0p had used to gain access to Oracle EBS data. Late in the evening of Saturday, October 4, Oracle released a revised statement pointing to a net-new zero-day vulnerability discovered during their investigation. The ShinyHunters exploit is directly referenced in the IOCs Oracle released in the zero-day advisory.
The zero-day vulnerability, CVE-2025-61882, resides in the BI Publisher Integration component of Oracle Concurrent Processing, which is part of Oracle EBS. No vulnerability root cause was specified in the advisory, but Oracle's guidance does say the vulnerability is remotely exploitable without authentication and can result in remote code execution. CVE-2025-61882 carries a CVSS score of 9.8. Combined with IOCs pointing to the ShinyHunters exploit, the revised Oracle statement appears to confirm that CVE-2025-61882 was used in the Cl0p-attributed campaign.
CVE-2025-61882 Exploit Observations
It's currently unknown whether other threat groups have already deployed the exploit for their own ends, but defenders should note that anyone who was following the ShinyHunters saga already has direct access to the full exploit. In other words, broader exploitation is likely if not inevitable.
As of October 6, FOFA showed a little more than 5,000 Oracle EBS login pages exposed to the public internet; Censys shows roughly half that.
VulnCheck's research team has tested the exploit against a vulnerable version of Oracle EBS and was able to reproduce the attack and confirm the IOCs match those in Oracle's advisory on CVE-2025-61882. Network signatures, ASM queries, and a PCAP for this vulnerability are available to VulnCheck Initial Access Intelligence customers. CVE-2025-61882 has also been added to VulnCheck KEV.
Remediation
CVE-2025-61882 affects supported versions 12.2.3 - 12.2.14 of Oracle E-Business Suite. Unsupported versions may also be vulnerable. Oracle EBS customers should immediately apply the vendor-supplied patch and hunt for the presence of any IOCs in the Oracle advisory.
As always, patching alone does not eradicate prior compromise.
About VulnCheck
The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and exploit. For more research like this, see CVE-2025-10035: Critical Vulnerability in Fortra GoAnywhere MFT, Command Injection in Jenkins via Git Parameter (CVE-2025-53652), and Still Up, Still Evil: A Look at Attacker Infrastructure Longevity.
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.
Title: Oracle E-Business Suite CVE-2025-61882 Exploited in Extortion Attacks
Description: A new Oracle E-Business Suite zero-day vulnerability is being linked to a Cl0p extortion campaign that exfiltrated EBS data from Oracle customer environments
Author: Caitlin Condon (https://www.linkedin.com/in/ccondon/)
Tags: cve, initial-access
Date: 2025-10-06
Type: blog