Cl0p Mass Exploiting Zero-day Vulnerability in Oracle E-Business Suite
A zero-day vulnerability in Oracle E-Business Suite is under active exploitation by the Cl0p ransomware group. The vulnerability is tracked as CVE-2025-61882 and has a CVSS base score of 9.8 out of 10. The flaw is present in the BI Publisher Integration component of Oracle’s Concurrent Processing product within the Oracle E-Business suite, and can be exploited remotely by an unauthenticated attacker, leading to remote code execution. The vulnerability can be exploited by an unauthenticated attacker with network access via HTTP and will allow Oracle Concurrent Processing to be compromised.
Google’s Threat Intelligence Group and Mandiant first warned about attacks exploiting the vulnerability on October 2, 2025, when organizations started reporting that they had received demands for payment from the Cl0p threat group. Oracle published a security advisory about the vulnerability on October 4, 2025, and released a patch to fix the flaw. CrowdStrike believes with moderate confidence that a threat group tracked as Graceful Spider is mass exploiting the vulnerability.
Graceful Spider is a Russia-linked threat group known to conduct attacks with the Cl0p group. The vulnerability has been exploited in the wild since at least August 9, 2025, and a proof-of-concept exploit for the vulnerability has been published by the threat group Scattered LAPSUS$ Hunters. The threat intelligence firm WatchTowr has confirmed that the PoC exploit is real. Since valid exploit code is in the public domain, it is possible that multiple threat groups are now exploiting the vulnerability. WatchTowr reports that the exploit chain involves five separate bugs to achieve pre-authentication remote code execution, including some that were patched by Oracle in its July 2025 Critical Patch Update. WatchTowr explained that the exploit demonstrates a high level of skill and effort.
The vulnerability affects Oracle E-Business Suite versions 12.2.3 to 12.2.14, and may also exist in older, unsupported versions. Any organization that has Oracle E-Business Suite exposed to the internet is at risk, and given that the mass exploitation attempts have been ongoing for more than a month, there is a risk that the vulnerability has already been exploited and that the Cl0p group has yet to reach out to demand payment. According to the cybersecurity firm Resecurity, Cl0p has been reaching out to victims via compromised business email accounts and newly registered accounts.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Users of Oracle E-Business Suite should follow the advice in the Oracle security alert and ensure that they upgrade to a supported version and install the latest update. The update requires Oracle’s October 2023 Critical Patch Update to be applied before the patch for the CVE-2025-61882 vulnerability is applied. After applying the patch, Oracle E-Business Suite users should look for indicators of compromise to determine if the vulnerability has already been exploited. The IoCs have been shared in the above-linked Oracle security alert.
