{"id":876641,"date":"2025-10-10T00:17:15","date_gmt":"2025-10-10T05:17:15","guid":{"rendered":"https:\/\/newsycanuse.com\/index.php\/2025\/10\/10\/oracle-patches-e-business-suite-targeted-by-cl0p-ransomware\/"},"modified":"2025-10-10T00:17:15","modified_gmt":"2025-10-10T05:17:15","slug":"oracle-patches-e-business-suite-targeted-by-cl0p-ransomware","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2025\/10\/10\/oracle-patches-e-business-suite-targeted-by-cl0p-ransomware\/","title":{"rendered":"Oracle patches E-Business suite targeted by Cl0p ransomware"},"content":{"rendered":"<div id=\"content-header\">\n<h2>Oracle pushes a patch for a dangerous zero-day under active exploitation by one of the most notorious ransomware gangs around<\/h2>\n<\/div>\n<div id=\"content-center\">\n<ul>\n<li><i data-icon=\"1\"><\/i><\/li>\n<li><i data-icon=\"2\"><\/i><\/li>\n<\/ul>\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>06 Oct 2025 17:41<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Oracle has issued a fix for a critical remote code execution (RCE) vulnerability in its <a href=\"https:\/\/www.oracle.com\/applications\/ebusiness\/\" target=\"_blank\" rel=\"noopener\">E-Business Suite<\/a> (EBS), as the well-used enterprise resource planning (ERP) software package emerges as the latest vector for mass Cl0p (aka Clop) ransomware attacks.<\/p>\n<p>The Oracle EBS ecosystem is deeply embedded in enterprise financial and operational systems, which offers hackers access to a wide range of high-value targets and potentially extreme impacts.<\/p>\n<p>The flaw in question, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-61882\" target=\"_blank\" rel=\"noopener\">CVE-20225-61882<\/a>, is present in versions 1.2.2.3 through 12.2.14 of EBS, and affects a concurrent task processing component that enables users to run multiple processes simultaneously.<\/p>\n<p>Rated 9.8 on the CVSS scale, it is considered relatively easy to take advantage of. Importantly, an unauthenticated attacker can exploit it over the network without any user interaction needed, leading to RCE.<\/p>\n<p>The Oracle EBS ecosystem, often deeply embedded in financial and operational systems, offers high-value targets with far-reaching business impact.<\/p>\n<p>\u201cOracle always recommends that customers remain on actively supported versions and apply all Security Alerts and Critical Patch Update security patches without delay,\u201d the supplier said. \u201cNote that the October 2023 Critical Patch Update is a prerequisite for application of the updates in this Security Alert.\u201d<\/p>\n<p><a href=\"https:\/\/www.oracle.com\/security-alerts\/alert-cve-2025-61882.html\" target=\"_blank\" rel=\"noopener\">In its advisory notice<\/a>, Oracle shared a number of indicators of compromise that appeared to link exploitation of CVE-2025-61882 to both the Cl0p ransomware crew and the Scattered Lapsus$ Hunters collective \u2013 which is not necessarily implausible as Scattered Spider has been known to act as a ransomware affiliate in the past.<\/p>\n<p>Jake Knott, principal security researcher at\u00a0<a title=\"https:\/\/watchtowr.com\/\" href=\"https:\/\/watchtowr.com\/\" target=\"_blank\" rel=\"noopener\">watchTowr<\/a>, said that exploitation of EBS appeared to date back to August 2025, and warned that as of Monday 6 October, exploit code for CVE-2025-61882 was publicly available<i>.<\/i><\/p>\n<p>\u201cAt first glance, it looked reasonably complex and required real effort to reproduce manually,\u201d he said. \u201cBut now, with working exploit code leaked, that barrier to entry is gone. It\u2019s likely that almost no one patched over the weekend. So we\u2019re waking up to a critical vulnerability with public exploit code and unpatched systems everywhere.<\/p>\n<p>\u201cWe fully expect to see mass, indiscriminate exploitation from multiple groups within days,\u201d said Knott. \u201cIf you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls, fast.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7380595612443893760\/\" target=\"_blank\" rel=\"noopener\">Writing on LinkedIn<\/a>, Charles Carmakal, chief technical officer and board advisor at <a href=\"https:\/\/www.mandiant.com\/\" target=\"_blank\" rel=\"noopener\">Google Cloud\u2019s Mandiant<\/a>, confirmed this, saying that Cl0p had almost certainly exploited multiple other EBS vulnerabilities \u2013 including some that were patched a couple of months ago \u2013 as well. The gang has supposedly been contacting victims since early last week, but Carmakal added that it may have not made contact with all of them just yet.<\/p>\n<section data-menu-title=\"Cl0p\u2019s warning from history\">\n<h2><i data-icon=\"1\"><\/i>Cl0p\u2019s warning from history<\/h2>\n<p>As seen in 2023, when it successfully <a href=\"https:\/\/www.computerweekly.com\/news\/366615522\/More-data-stolen-in-2023-MOVEit-attacks-comes-to-light\" target=\"_blank\" rel=\"noopener\">targeted a flaw in Progress Software\u2019s MOVEit<\/a> managed file transfer software product to extort potentially hundreds of victims, the Cl0p gang makes a habit of conducting mass exploitation activities against multiple downstream organisations through widely-used software packages. The mass targeting of Oracle EBS now being seen does fit this established modus operandi.<\/p>\n<p>Historically, Cl0p\u2019s activity comes in short, high-profile bursts in-between lengthy periods of downtime \u2013 likely due to the administrative burden its mass-attacks create \u2013 and <a href=\"https:\/\/www.kroll.com\/en\">Kroll<\/a> managing director of cyber and data resilience, Max Henderson, had been among those warning for some weeks that the gang looked likely to resurface. He told Computer Weekly that others may follow, and described \u201cgrim\u201d impacts.\u00a0<\/p>\n<p>\u201cThere should be an urgent rush for victims and users of Oracle to patch this, as continued attacks or attacks from other groups may continue,\u201d he said. \u201cWe expect a long tail of self-identifying victims with this situation, as many victims are unaware of extortion emails sitting in their junk folders.\u201d<\/p>\n<\/section>\n<\/section>\n<section id=\"DigDeeperSplash\">\n<h4>\n\t\t\t<i data-icon=\"m\"><\/i>Read more on Hackers and cybercrime prevention<\/h4>\n<ul>\n<li><a id=\"DigDeeperItem-1\" href=\"https:\/\/www.computerweekly.com\/news\/366621086\/Clop-resurgence-drives-ransomware-attacks-in-February\"><br \/>\n\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/visuals\/German\/article\/malware-ransomware-danger-adobe_searchsitetablet_520X173.jpg\" srcset=\"https:\/\/www.computerweekly.com\/visuals\/German\/article\/malware-ransomware-danger-adobe_searchsitetablet_520X173.jpg 960w,https:\/\/www.computerweekly.com\/visuals\/German\/article\/malware-ransomware-danger-adobe.jpg 1280w\" alt ><\/p>\n<h5>Clop resurgence drives ransomware attacks in February<\/h5>\n<div>\n<p><img decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"AlexScroxton\">\n\t\t\t\t\t\t\t\t\t<\/p>\n<p><span>By: <span>Alex\u00a0Scroxton<\/span><\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/div>\n<p>\t\t\t\t<\/a><\/li>\n<li><a id=\"DigDeeperItem-2\" href=\"https:\/\/www.computerweekly.com\/news\/366615480\/Zero-day-exploits-increasingly-sought-out-by-attackers\"><br \/>\n\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/visuals\/ComputerWeekly\/Hero Images\/security-Log4Shell-Log4j2-Apache-AndreasPrott-adobe_searchsitetablet_520X173.jpg\" srcset=\"https:\/\/www.computerweekly.com\/visuals\/ComputerWeekly\/Hero%20Images\/security-Log4Shell-Log4j2-Apache-AndreasPrott-adobe_searchsitetablet_520X173.jpg 960w,https:\/\/www.computerweekly.com\/visuals\/ComputerWeekly\/Hero%20Images\/security-Log4Shell-Log4j2-Apache-AndreasPrott-adobe.jpg 1280w\" alt ><\/p>\n<h5>Zero-day exploits increasingly sought out by attackers<\/h5>\n<div>\n<p><img decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"AlexScroxton\">\n\t\t\t\t\t\t\t\t\t<\/p>\n<p><span>By: <span>Alex\u00a0Scroxton<\/span><\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/div>\n<p>\t\t\t\t<\/a><\/li>\n<li><a id=\"DigDeeperItem-3\" href=\"https:\/\/www.computerweekly.com\/news\/366615522\/More-data-stolen-in-2023-MOVEit-attacks-comes-to-light\"><br \/>\n\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/visuals\/German\/article\/data-leak-breach-2-adobe_searchsitetablet_520X173.jpg\" srcset=\"https:\/\/www.computerweekly.com\/visuals\/German\/article\/data-leak-breach-2-adobe_searchsitetablet_520X173.jpg 960w,https:\/\/www.computerweekly.com\/visuals\/German\/article\/data-leak-breach-2-adobe.jpg 1280w\" alt ><\/p>\n<h5>More data stolen in 2023 MOVEit attacks comes to light<\/h5>\n<div>\n<p><img decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"AlexScroxton\">\n\t\t\t\t\t\t\t\t\t<\/p>\n<p><span>By: <span>Alex\u00a0Scroxton<\/span><\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/div>\n<p>\t\t\t\t<\/a><\/li>\n<li><a id=\"DigDeeperItem-4\" href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/366593674\/Ransomware-gangs-increasingly-exploiting-vulnerabilities\"><br \/>\n\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/rms\/onlineimages\/ransom_g886701618_searchsitetablet_520X173.jpg\" srcset=\"https:\/\/www.computerweekly.com\/rms\/onlineimages\/ransom_g886701618_searchsitetablet_520X173.jpg 960w,https:\/\/www.computerweekly.com\/rms\/onlineimages\/ransom_g886701618.jpg 1280w\" alt ><\/p>\n<h5>Ransomware gangs increasingly exploiting vulnerabilities<\/h5>\n<div>\n<p><img decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/rms\/onlineimages\/waldman_arielle.jpg\" alt=\"ArielleWaldman\">\n\t\t\t\t\t\t\t\t\t<\/p>\n<p><span>By: <span>Arielle\u00a0Waldman<\/span><\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/div>\n<p>\t\t\t\t<\/a><\/li>\n<\/ul>\n<\/section>\n<\/div>\n<p> Thomas Serna <br \/><a href=\"https:\/\/www.computerweekly.com\/news\/366632397\/Oracle-patches-E-Business-suite-targeted-by-Cl0p-ransomware\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oracle pushes a patch for a dangerous zero-day under active exploitation by one of the most notorious ransomware gangs around By Alex Scroxton, Security Editor Published: 06 Oct 2025 17:41 Oracle has issued a fix for a critical remote code execution (RCE) vulnerability in its E-Business Suite (EBS), as the well-used enterprise resource planning (ERP)<\/p>\n","protected":false},"author":1,"featured_media":876642,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[278,22292],"tags":[7641,122737],"class_list":{"0":"post-876641","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-oracle","8":"category-patches","9":"tag-oracle","10":"tag-patches"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/876641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=876641"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/876641\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/876642"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=876641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=876641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=876641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}