Oracle released an emergency patch to address an information disclosure flaw, tracked as CVE-2025-61884 (CVSS Score of 7.5), in E-Business Suite’s Runtime UI component (versions 12.2.3–12.2.14).
“Oracle has just released Security Alert CVE-2025-61884. This vulnerability affects some deployments of Oracle E-Business Suite.” wrote Rob Duhart, Oracle’s Chief Security Officer. “This vulnerability has received a CVSS Base Score of 7.5. If successfully exploited, this vulnerability may allow access to sensitive resources.”
The vulnerability can be exploited remotely by unauthenticated attackers to steal sensitive data, prompting Oracle to issue an urgent security update.
“This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources.” reads the advisory. “Oracle strongly recommends that customers apply the updates or mitigations provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay.”
Oracle did not reveal whether CVE-2025-61884 has been exploited in attacks in the wild or whether it is linked to the recently patched CVE-2025-61882. Admins are urged to apply the out-of-band patch immediately to prevent potential exploitation.
Last week, Google Threat Intelligence and Mandiant analyzed the Oracle E-Business Suite extortion campaign, revealing the use of malware. Attackers exploited July-patched EBS flaws and likely a zero-day (CVE-2025-61882), sending extortion emails to company executives.
In early October, Google Mandiant and Google Threat Intelligence Group (GTIG) researchers tracked activity suspected to be the work of the Cl0p ransomware group, in which threat actors were attempting to extort executives with claims of stealing Oracle E-Business Suite data.
Attackers likely hacked user emails and exploited Oracle E-Business Suite’s default password reset to steal valid credentials, reported cybersecurity firm Halcyon.
An email in the extortion notes is tied to a Cl0p affiliate and includes Cl0p site contacts, but Google lacks the proof to confirm the attackers’ claims.
Mandiant’s CTO Charles Carmakal said attackers use hundreds of hacked accounts in a mass extortion campaign. At least one account links to the financially motivated hacker group FIN11.
Oracle released an emergency patch to address a critical vulnerability, tracked as CVE-2025-61882 (CVSS 9.8) in its E-Business Suite. The flaw was exploited by the Cl0p ransomware group in data theft attacks. Unauthenticated remote attackers can exploit the flaw to take control of the Oracle Concurrent Processing component.
CVE-2025-61882 affects Oracle E-Business Suite 12.2.3–12.2.14 (BI Publisher Integration); experts warn it is easily exploitable via HTTP.
CrowdStrike researchers attributed with moderate confidence the exploitation of Oracle E-Business Suite flaw CVE-2025-61882 (CVSS 9.8) to the Cl0p group, also known as Graceful Spider.
CrowdStrike warned that the disclosure of a POC on October 3 and Oracle’s CVE-2025-61882 patch will almost certainly spur threat actors, especially those familiar with Oracle EBS, to develop weaponized POCs and target Internet-exposed EBS instances.
On September 29, 2025, the Cl0p group emailed organizations claiming Oracle EBS data theft. On October 3, a Telegram channel tied to Scattered Spider, Slippy Spider (Lapsus$) and ShinyHunters posted a purported Oracle EBS exploit and criticized the Cl0p group. The exploit's origin and reuse are unclear; however, Oracle published the POC as an IOC, and it aligns with observed servlet-based exploitation.
CrowdStrike found that exploitation of CVE-2025-61882 began on August 9, with signs of earlier activity on July 10, just before Oracle’s July patches. GTIG and Mandiant suggest this may have been an initial exploit attempt. Google’s analysis shows attackers used a malicious template in vulnerable Oracle EBS databases, which stored a payload activated in the final stage of the attack chain.
(SecurityAffairs – hacking, E-Business Suite)