Cl0p Threat Group Exploits Zero-day Vulnerability in Oracle E-Business Suite

By Daniel Lopez

The Cl0p ransomware group is actively exploiting a zero-day vulnerability identified in Oracle E-Business Suite. The vulnerability is tracked as CVE-2025-61882 and has been assigned a CVSS base score of 9.8. It is found in the BI Publisher Integration component of Oracle's Concurrent Processing product, which is included in Oracle E-Business Suite. An unauthenticated attacker with network access via HTTP can exploit the vulnerability remotely, achieving remote code execution and compromising Oracle Concurrent Processing.

Mandiant and Google's Threat Intelligence Group first warned about attacks exploiting the vulnerability on October 2, 2025, when companies began receiving ransom demands from the Cl0p threat group. Oracle published a security advisory for the vulnerability on October 4, 2025, and released a patch to correct it. CrowdStrike assesses that Graceful Spider, another threat group, is also exploiting the vulnerability.

Graceful Spider is a Russia-linked threat group that has been observed conducting attacks together with the Cl0p group. The vulnerability has been exploited in the wild since August 9, 2025. The threat group Scattered LAPSUS$ Hunters published a proof-of-concept exploit for the vulnerability, and the threat intelligence company WatchTowr has confirmed that the PoC exploit is genuine. With working exploit code in the public domain, it is likely that several threat groups are now exploiting the vulnerability. WatchTowr states that the exploit chain combines five bugs to reach pre-authentication remote code execution, including a few that Oracle patched in its July 2025 Critical Patch Update, and notes that the exploit demonstrates a high degree of skill and effort.

The vulnerability affects Oracle E-Business Suite versions 12.2.3 to 12.2.14 and is also present in older, unsupported versions. Any company with an Internet-exposed Oracle E-Business Suite deployment is vulnerable, and because mass exploitation attempts continued for over a month, the vulnerability may already have been exploited in an environment even if the Cl0p group has not yet made contact with a ransom demand. According to the cybersecurity company Resecurity, Cl0p is attempting to contact victims using compromised business email accounts and newly registered accounts.

Oracle E-Business Suite users should follow the recommendations in the Oracle security advisory, ensure that they are running a supported version, and apply the most recent update. The patch for CVE-2025-61882 requires that Oracle's October 2023 Critical Patch Update has been applied first. After applying the patch, Oracle E-Business Suite users should search for the indicators of compromise provided in the Oracle security advisory to determine whether the vulnerability has already been exploited. For HIPAA-covered entities, monitoring and acting on these security advisories is also a necessity.

Image credit: Maguy, AdobeStock / logo©Oracle


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach and contributes his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA