Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that has been exploited in a recent wave of Cl0p data theft attacks. The flaw is tracked as CVE-2025-61882 and is assigned a CVSS score of 9.8.
Oracle told customers that the vulnerability affects the Concurrent Processing component and can be exploited by an unauthenticated attacker with network access over HTTP to gain control. In an advisory, Oracle said, “This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” and warned that “If successfully exploited, this vulnerability may result in remote code execution.”
Oracle’s Chief Security Officer Rob Duhart said the company has released fixes for CVE-2025-61882 to “provide updates against additional potential exploitation that were discovered during our investigation.”
The article listed indicators of compromise (IoCs) it said were shared by the technology company, including IP addresses 200.107.207[.]26 and 185.181.60[.]11, a shell command string to establish an outbound TCP connection, and three file artifacts: oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip, oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py and oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py. These indicators suggested possible involvement of the Scattered LAPSUS$ Hunters group.
News of the zero-day came days after reports of a new campaign likely undertaken by the Cl0p ransomware group targeting Oracle E-Business Suite. Mandiant, now part of Google, described the activity as a “high-volume email campaign,” and Charles Carmakal, CTO of Mandiant at Google Cloud, said in a post that “Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025” and that “multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle’s July 2025 update as well as one that was patched this weekend (CVE-2025-61882).”
Carmakal warned that organisations should examine whether they had already been compromised, irrespective of when the patch is applied.
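A sweep for the indicators listed above, in line with Carmakal's advice to check for earlier compromise. This is an added example, not code from Oracle, Mandiant or the article; the log lines are constructed samples, and the function names and log layouts are assumptions.

```python
import re

# IoCs exactly as listed in the article (IP addresses are defanged there).
IOC_IPS = ["200.107.207[.]26", "185.181.60[.]11"]
_DIR = "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters"
IOC_FILES = [
    "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
    _DIR + "/exp.py",
    _DIR + "/server.py",
]

def refang(text):
    """Turn defanged notation (1.2.3[.]4) back into a matchable form."""
    return text.replace("[.]", ".")

def build_patterns():
    pats = {}
    for ip in IOC_IPS:
        # Boundaries stop 185.181.60.11 from matching 185.181.60.110,
        # 1185.181.60.11 or a longer dotted string that merely contains it.
        pats[ip] = re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?!\d|\.\d)")
    for name in IOC_FILES:
        # Accept either path separator and any letter case.
        parts = [re.escape(p) for p in name.split("/")]
        pats[name] = re.compile(r"[\\/]".join(parts), re.IGNORECASE)
    return pats

def hunt(lines):
    """Return (line_number, ioc) for every indicator seen in the lines."""
    pats = build_patterns()
    hits = []
    for n, line in enumerate(lines, 1):
        line = refang(line)  # tickets and exports may carry defanged values
        hits += [(n, ioc) for ioc, pat in pats.items() if pat.search(line)]
    return hits

# Constructed sample lines (not real telemetry); formats are assumptions.
SAMPLE_LINES = [
    '203.0.113.7 - - "GET /example HTTP/1.1" 200 512',
    '200.107.207.26 - - "POST /example HTTP/1.1" 200 97',
    '185.181.60.110 - - "GET /example HTTP/1.1" 404 0',
    "fw: ALLOW tcp src=10.0.0.5 dst=185.181.60[.]11 dport=443",
    "audit: open path=/tmp/" + IOC_FILES[1],
]

if __name__ == "__main__":
    for line_no, ioc in hunt(SAMPLE_LINES):
        print(f"line {line_no}: matched {ioc}")
```

A clean result only covers the log sources fed in and the retention period they span.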