Oracle has warned of a critical zero-day vulnerability, with a CVSS base score of 9.8, in its E-Business Suite (CVE-2025-61882) that is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution. Chances are that this is how the Cl0p ransomware gang was able to launch their latest campaign.
Ensar Seker, CISO at SOCRadar, commented:
“The exploitation of CVE-2025-61882 by the Clop ransomware group reinforces a hard truth security leaders continue to wrestle with: legacy enterprise software with sprawling configurations like Oracle E-Business Suite (EBS) remains a ripe target for modern ransomware operators. This vulnerability, rated 9.8 CVSS, allows unauthenticated remote code execution and is being actively exploited in the wild, making it one of the most dangerous types of flaws we see in enterprise environments. What makes this case particularly alarming is that the attack chain appears to span multiple vulnerabilities across different patch cycles, including one disclosed only days ago. Clop is clearly operating with a highly proactive exploitation model, monitoring Oracle patches and working quickly to reverse-engineer the flaws for immediate weaponization.
“The fact that proof-of-concept (PoC) code was circulating on Telegram and used in real-world data exfiltration attacks just weeks after patch release underscores how rapidly threat actors are moving to capitalize on enterprise inertia. This incident also highlights a serious procedural gap in many organizations: the critical patches for Oracle EBS can only be applied if the previous quarterly update (in this case, October 2023) is already in place. That creates an unintended but dangerous bottleneck where even security-conscious teams can find themselves exposed simply because they’re one patch cycle behind.
“Clop’s focus on Oracle EBS is no accident. These systems often house sensitive financial, HR, and operational data, and because they’re deeply integrated into business workflows, they’re notoriously difficult to update without risking downtime. That’s exactly the kind of environment threat actors love: high-value, low-change.
“Security teams should act immediately to verify patch levels and apply the latest fixes, but this needs to go beyond a break-fix mindset. Organizations must rethink their patch readiness processes for ERP-class systems, including pre-staging test environments, reducing configuration drift, and tightening external access to legacy interfaces like BI Publisher and Concurrent Processing.
“In parallel, defenders should hunt for indicators of compromise shared by Oracle and Mandiant and conduct forensic reviews of EBS systems for unusual BI Publisher activity, unauthorized concurrent jobs, or unexplained external network connections.
“This is another case where visibility and segmentation matter. Oracle EBS should never be directly internet-exposed, and authentication should be enforced at all layers, even where Oracle’s native security falls short.
“Ultimately, the Clop campaign against Oracle EBS is a wake-up call that ransomware actors are not just opportunistic. They are increasingly strategic, surgical, and tuned into vendor ecosystems. Defenders must be equally proactive in hardening the software foundations that underpin their critical operations.”
SOCRadar posted a really good analysis of this here and it is totally worth your time to read. In the meantime, this is not a good look for Oracle. I wonder what they have to say about it?
UPDATE: Adrian Culley, Senior Sales Engineer at SafeBreach adds this insight:
“The Cl0p extortion gang is combined under ‘The Com,’ which is a loose collective of hackers that includes individuals from Lapsus$ and Scattered Spider. The Com—short for ‘The Community’—is a fluid, international collective of mostly young, English-speaking individuals. Crucially, they’re not motivated by politics or ideology—their drivers appear to be purely money and ego. They thrive on notoriety, loudly bragging about their exploits on platforms like Telegram, which pushes members toward more brazen, high-profile attacks. While they are clearly very skilled, their precociousness leaves them highly vulnerable to nation state infiltration and manipulation.
“The group’s roots begin with LAPSUS$ in 2021 and 2022, when they demonstrated just how devastating social engineering could be against giants like Microsoft, Nvidia, and Okta. But their work was somewhat erratic, and they often focused on chaos and notoriety.
“Scattered Spider took that playbook and professionalized it, moving from chaotic data theft to financially devastating ransomware campaigns. They have been able to master the initial access problem with their native English skills and mastery of social engineering.
“The Com, which has evolved out of these two groups, relies heavily on voice phishing as their most effective TTP to get past multi-factor authentication. The group uses highly ephemeral IOCs. The phishing domains they use are often active for less than seven days. This means that organizations relying on a purely reactive security posture—for example, blocklisting known IPs or domains—are often behind the curve.
“The latest threat that has come to light with the Oracle E-Business Suite is a critical, 9.8-rated CVE. Organizations should patch immediately and then begin to shift from testing code to testing policy and procedure. BAS and AEV tools can help organizations focus on validating the Human Firewall.
“BAS can simulate the reconnaissance phase, testing whether employees overshare PII online that an attacker could use to build a convincing persona. It can also continuously push bomb an organization’s MFA solution to measure the Mean Time to Detect and block the attack before a frustrated user approves the request.
“An AEV platform can help confirm that an organization’s help desk is uncompromisable. Are they enforcing policies like a vocal password or two-employee approval for privileged account resets, even when the supposed caller provides all the PII they should know? Finally, AEV must continuously test an organization’s IAM posture, ensuring they can detect and immediately flag actions like a compromised admin creating malicious cloud instances or forging SAML tokens for persistence.”
Safe Software Partners with Vancouver Canucks
Posted in Commentary with tags Safe Software on October 7, 2025 by itnerd
Safe Software, the creator of FME, the only All-Data, Any-AI enterprise integration platform with true support for spatial data, is now a Proud Partner for the 2025-2026 NHL season. The data integration leader has entered a new partnership with Canucks Sports & Entertainment (CSE) and the Canucks for Kids Fund (CFKF).
As part of the partnership, Safe Software is donating $25,000 to the CFKF. The donation will support vital programs across British Columbia that help to improve the lives of children and families through education, health, and wellness initiatives and programming.
The partnership unites two organizations deeply rooted in BC and committed to making a positive impact in their community. Beyond the donation, this collaboration will encourage fans to learn about how FME leverages data and AI into actionable insights for organizations around the world.