Oracle has warned of a critical zero-day vulnerability, with a CVSS base score of 9.8, in its E-Business Suite (CVE-2025-61882) that is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution. Chances are that this is how the Cl0p ransomware gang was able to launch their latest campaign.
Ensar Seker, CISO at SOCRadar, commented:
“The exploitation of CVE-2025-61882 by the Clop ransomware group reinforces a hard truth security leaders continue to wrestle with: legacy enterprise software with sprawling configurations like Oracle E-Business Suite (EBS) remains a ripe target for modern ransomware operators. This vulnerability, rated 9.8 CVSS, allows unauthenticated remote code execution and is being actively exploited in the wild, making it one of the most dangerous types of flaws we see in enterprise environments. What makes this case particularly alarming is that the attack chain appears to span multiple vulnerabilities across different patch cycles, including one disclosed only days ago. Clop is clearly operating with a highly proactive exploitation model, monitoring Oracle patches and working quickly to reverse-engineer the flaws for immediate weaponization.
“The fact that proof-of-concept (PoC) code was circulating on Telegram and used in real-world data exfiltration attacks just weeks after patch release underscores how rapidly threat actors are moving to capitalize on enterprise inertia. This incident also highlights a serious procedural gap in many organizations: the critical patches for Oracle EBS can only be applied if the previous quarterly update (in this case, October 2023) is already in place. That creates an unintended but dangerous bottleneck where even security-conscious teams can find themselves exposed simply because they’re one patch cycle behind.
“Clop’s focus on Oracle EBS is no accident. These systems often house sensitive financial, HR, and operational data, and because they’re deeply integrated into business workflows, they’re notoriously difficult to update without risking downtime. That’s exactly the kind of environment threat actors love: high-value, low-change.
“Security teams should act immediately to verify patch levels and apply the latest fixes, but this needs to go beyond a break-fix mindset. Organizations must rethink their patch readiness processes for ERP-class systems, including pre-staging test environments, reducing configuration drift, and tightening external access to legacy interfaces like BI Publisher and Concurrent Processing.
“In parallel, defenders should hunt for indicators of compromise shared by Oracle and Mandiant and conduct forensic reviews of EBS systems for unusual BI Publisher activity, unauthorized concurrent jobs, or unexplained external network connections.
“This is another case where visibility and segmentation matter. Oracle EBS should never be directly internet-exposed, and authentication should be enforced at all layers, even where Oracle’s native security falls short.
“Ultimately, the Clop campaign against Oracle EBS is a wake-up call that ransomware actors are not just opportunistic. They are increasingly strategic, surgical, and tuned into vendor ecosystems. Defenders must be equally proactive in hardening the software foundations that underpin their critical operations.”
SOCRadar posted a really good analysis of this here and it is totally worth your time to read. In the meantime, this is not a good look for Oracle. I wonder what they have to say about it?
UPDATE: Adrian Culley, Senior Sales Engineer at SafeBreach adds this insight:
“The Cl0p extortion gang is combined under ‘The Com,’ which is a loose collective of hackers that includes individuals from Lapsus$ and Scattered Spider. The Com—short for ‘The Community’—is a fluid, international collective of mostly young, English-speaking individuals. Crucially, they’re not motivated by politics or ideology—their drivers appear to be purely money and ego. They thrive on notoriety, loudly bragging about their exploits on platforms like Telegram, which pushes members toward more brazen, high-profile attacks. While they are clearly very skilled, their precociousness leaves them highly vulnerable to nation state infiltration and manipulation.
“The group’s roots begin with LAPSUS$ in 2021 and 2022, when they demonstrated just how devastating social engineering could be against giants like Microsoft, Nvidia, and Okta. But their work was somewhat erratic, and they often focused on chaos and notoriety.
“Scattered Spider took that playbook and professionalized it, moving from chaotic data theft to financially devastating ransomware campaigns. They have been able to master the initial access problem with their native English skills and mastery of social engineering.
“The Com, which has evolved out of these two groups, relies heavily on voice phishing as their most effective TTP to get past multi-factor authentication. The group uses highly ephemeral IOCs. The phishing domains they use are often active for less than seven days. This means that organizations relying on a purely reactive security posture—for example, blocklisting known IPs or domains—are often behind the curve.
“The latest threat that has come to light with the Oracle E-Business Suite is a critical, 9.8-rated CVE. Organizations should patch immediately and then begin to shift from testing code to testing policy and procedure. BAS and AEV tools can help organizations focus on validating the Human Firewall.
“BAS can simulate the reconnaissance phase, testing whether employees overshare PII online that an attacker could use to build a convincing persona. It can also continuously push-bomb an organization’s MFA solution to measure the Mean Time to Detect and block the attack before a frustrated user approves the request.
An AEV platform can help confirm that an organization’s help desk is uncompromisable. Are they enforcing policies like a vocal password or two-employee approval for privileged account resets, even when the supposed caller provides all the PII they should know? Finally, AEV must continuously test an organization’s IAM posture, ensuring they can detect and immediately flag actions like a compromised admin creating malicious cloud instances or forging SAML tokens for persistence.”

Harvard Has Apparently Been Pwned Via The Oracle Vulnerability
Posted in Commentary with tags Hacked, Oracle on October 14, 2025 by itnerd

Remember this Oracle vulnerability that is far from trivial? It now has its first confirmed victim outside of Oracle. And unfortunately for Oracle, it’s Harvard. Yes. That Harvard.
The cybercrime group Cl0p is now seemingly reaping the harvest after it successfully exploited a critical zero-day bug in Oracle’s E-Business Suite (EBS). Hundreds of companies and organizations – all Oracle clients – were allegedly compromised.
One of them is apparently Harvard University, which uses EBS for various administrative functions. Now, Cl0P, essentially a digital organized crime ring, has claimed it had stolen data from the prestigious school.
And:
According to Cybernews researchers, Cl0p has shared 1.4TB of data on its leak site. This data originates from Harvard’s servers hosted by Oracle.
The published data includes logs and reports from Harvard’s internal payment system as well as source code for various internal tools. The Cybernews research team has analyzed the data and says it includes references that strongly suggest that it was indeed taken from EBS systems.
Anders Askasen, VP of Product Marketing, Radiant Logic, had this to say:
“The Harvard breach tied to the Oracle EBS exploitation highlights a recurring truth: complexity is the adversary of security. When identity and data silos persist, visibility evaporates, and the ability to trace who has access to what becomes guesswork. Systems like Oracle EBS sit at the heart of enterprise operations — rich in sensitive HR and financial data, yet notoriously hard to govern across hybrid infrastructures. Resilience begins with a unified identity data foundation and continuous observability that enable organizations to detect exposures in real time, contain and act with precision, and restore confidence through verifiable facts rather than assumptions.”
Will Baxter, Field CISO, Team Cymru follows with this comment:
“This threat highlights the importance of egress filtering and monitoring where files are downloaded from. This operation appears to have exploited the vulnerability weeks ahead of patch release, indicating early access or a brokered exploit. Detecting these campaigns early depends on correlating outbound anomalies, C2 beaconing, and shared infrastructure across sectors. The only scalable defense is collective intelligence — connecting enterprise telemetry with trusted partners before the stolen data surfaces publicly.”
Gunter Ollmann, CTO, Cobalt adds this comment:
“This campaign underscores the growing sophistication of financially motivated groups exploiting enterprise software supply chains. The attackers didn’t rely on a single exploit—they combined zero-day vulnerabilities with custom malware to maximize access before detection. It’s another reminder that penetration testing can’t stop at application edges; enterprises must stress-test complex ERP systems as part of their attack surface. Increasingly, the focus must shift toward offensive security services that continuously test not just applications, but also the effectiveness of defense-in-depth systems and SOC teams. Regular, adversarial testing provides the real-world validation organizations need to ensure their layered defenses perform as intended when it matters most.”
Sucks to be Harvard. And it sucks even more to be Oracle, whose senior management have to be reconsidering their life choices at this point. Because they know that there will be more fallout, and lawsuits will follow that fallout.