Oracle patches E-Business suite targeted by Cl0p ransomware

Oracle pushes a patch for a dangerous zero-day under active exploitation by one of the most notorious ransomware gangs around

Alex Scroxton

Alex Scroxton,
Security Editor

Published: 06 Oct 2025 17:41

Oracle has issued a fix for a critical remote code execution (RCE) vulnerability in its E-Business Suite (EBS), as the well-used enterprise resource planning (ERP) software package emerges as the latest vector for mass Cl0p (aka Clop) ransomware attacks.

The Oracle EBS ecosystem is deeply embedded in enterprise financial and operational systems, which offers hackers access to a wide range of high-value targets and potentially extreme impacts.

The flaw in question, CVE-20225-61882, is present in versions 1.2.2.3 through 12.2.14 of EBS, and affects a concurrent task processing component that enables users to run multiple processes simultaneously.

Rated 9.8 on the CVSS scale, it is considered relatively easy to take advantage of. Importantly, an unauthenticated attacker can exploit it over the network without any user interaction needed, leading to RCE.

The Oracle EBS ecosystem, often deeply embedded in financial and operational systems, offers high-value targets with far-reaching business impact.

“Oracle always recommends that customers remain on actively supported versions and apply all Security Alerts and Critical Patch Update security patches without delay,” the supplier said. “Note that the October 2023 Critical Patch Update is a prerequisite for application of the updates in this Security Alert.”

In its advisory notice, Oracle shared a number of indicators of compromise that appeared to link exploitation of CVE-2025-61882 to both the Cl0p ransomware crew and the Scattered Lapsus$ Hunters collective – which is not necessarily implausible as Scattered Spider has been known to act as a ransomware affiliate in the past.

Jake Knott, principal security researcher at watchTowr, said that exploitation of EBS appeared to date back to August 2025, and warned that as of Monday 6 October, exploit code for CVE-2025-61882 was publicly available.

“At first glance, it looked reasonably complex and required real effort to reproduce manually,” he said. “But now, with working exploit code leaked, that barrier to entry is gone. It’s likely that almost no one patched over the weekend. So we’re waking up to a critical vulnerability with public exploit code and unpatched systems everywhere.

“We fully expect to see mass, indiscriminate exploitation from multiple groups within days,” said Knott. “If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls, fast.”

Writing on LinkedIn, Charles Carmakal, chief technical officer and board advisor at Google Cloud’s Mandiant, confirmed this, saying that Cl0p had almost certainly exploited multiple other EBS vulnerabilities – including some that were patched a couple of months ago – as well. The gang has supposedly been contacting victims since early last week, but Carmakal added that it may have not made contact with all of them just yet.

Cl0p’s warning from history

As seen in 2023, when it successfully targeted a flaw in Progress Software’s MOVEit managed file transfer software product to extort potentially hundreds of victims, the Cl0p gang makes a habit of conducting mass exploitation activities against multiple downstream organisations through widely-used software packages. The mass targeting of Oracle EBS now being seen does fit this established modus operandi.

Historically, Cl0p’s activity comes in short, high-profile bursts in-between lengthy periods of downtime – likely due to the administrative burden its mass-attacks create – and Kroll managing director of cyber and data resilience, Max Henderson, had been among those warning for some weeks that the gang looked likely to resurface. He told Computer Weekly that others may follow, and described “grim” impacts.

“There should be an urgent rush for victims and users of Oracle to patch this, as continued attacks or attacks from other groups may continue,” he said. “We expect a long tail of self-identifying victims with this situation, as many victims are unaware of extortion emails sitting in their junk folders.”