Cl0p Exploits Critical Oracle EBS Vulnerability in Ongoing Cyber Attacks

By Tina Reynolds

A major cybersecurity risk has emerged during the pandemic. The ransomware threat actor purportedly tied to Cl0p (also tracked as Graceful Spider) is currently exploiting a recently discovered vulnerability in Oracle E-Business Suite (EBS). The newly discovered flaw, CVE-2025-61882, is rated critical: it allows remote code execution without any authentication, which makes it especially dangerous. The earliest known exploitation of this vulnerability was confirmed on August 9th, 2025.

Just yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog, a move that emphasizes how urgently organizations need to act. The vulnerability carries a Common Vulnerability Scoring System (CVSS) score of 9.8, rated Critical, placing it among the most severe security threats facing Oracle EBS customers. Federal agencies have been urged to remediate the vulnerability no later than October 27, 2025, to avoid further harm.

The Exploitation Landscape

Cl0p’s activities around CVE-2025-61882 are part of a broader pattern of sophisticated ransomware campaigns built around data exfiltration. The group is widely suspected to have possessed the exploit for some time, using it to remotely commandeer vulnerable systems. Security researchers from WatchTowr Labs noted that “the chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution.” That is a clear sign that the attackers are using advanced tradecraft to breach environments.

Jake Knott, principal security researcher at WatchTowr, further elaborated on Cl0p’s ongoing exploits: “Cl0p has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims, and has been sending extortion emails to some of those victims since last Monday.” The ramifications are profound, affecting hundreds of enterprises that continue to run Oracle EBS for their mission-critical needs.

Threat intelligence expert Christiaan Beek from Rapid7 commented on the nature of the activity: “Based on the evidence, we believe this is Cl0p activity, and we fully expect to see mass, indiscriminate exploitation from multiple groups within days. If you operate Oracle EBS, consider this your red alert. Patch it now, threat hunt hard, and harden your controls — quick.” This statement highlights the extreme urgency associated with the vulnerability.

Implications for Organizations

For organizations still running Oracle EBS, an immediate and serious crisis is at hand, as exploitation of CVE-2025-61882 is still ongoing. Given the nature of this vulnerability and Cl0p’s demonstrated capabilities, businesses need to move quickly to limit exposure of sensitive data. The heightened risk of data breaches and ransomware attacks makes it urgent for corporations to adopt strong cybersecurity practices.

The exploit chain not only gives the attacker frame control but also allows the connection to be reused for further requests. This added layer of obfuscation improves reliability for the attacker and reduces visibility, making detection all the more difficult for security teams. Organizations are therefore encouraged not merely to patch but also to strengthen their monitoring and incident response capabilities.

Christiaan Beek shared insights about the interactions between various threat actors: “The way they call out Cl0p and the language used doesn’t appear to represent a ‘friendship’ between partners in crime. It does look like one of the Scattered Spider LAPSUS$ Hunters ‘members’ shared this vulnerability with Cl0p.” This example highlights how sophisticated cybercriminal partnerships have become and just how much the threat landscape has evolved.

Moving Forward

While the public health emergency continues to unfold, nonprofits must stay on guard against these predatory cyber operations. We called upon experts to help us develop robust cybersecurity protocols. That means deploying system updates on a regular basis, training users to recognize phishing attempts, and adopting multi-factor authentication wherever feasible.

In addition to strict policies, organizations should monitor outbound communications from their networks for signs of exploitation or data exfiltration. The likelihood that multiple threat actors will exploit CVE-2025-61882 means that all Oracle EBS users need to act immediately.
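As an added illustration of the outbound-monitoring advice above (example code written for this article, not part of it or of any vendor tooling), the script below scans a firewall or proxy log for Oracle EBS application servers sending data to external destinations and flags two exfiltration signals: a destination not on a known-good allowlist, and a transfer volume above a threshold. The host names, the allowlist, the log format and the log lines are all constructed assumptions.

```python
"""Flag suspicious outbound transfers from Oracle EBS application servers.

Assumed log format (constructed): timestamp src_host dst_ip dst_port bytes_out
"""
from collections import defaultdict
from datetime import datetime

# Constructed inventory of EBS application-tier hosts (assumption).
EBS_HOSTS = {"ebs-app-01", "ebs-app-02"}


def is_internal(ip: str) -> bool:
    """Assumption: the internal network is 10.0.0.0/8; anything else is external."""
    return ip.startswith("10.")


def parse_line(line: str) -> dict:
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def find_exfil_candidates(lines, known_external=frozenset(), byte_threshold=50_000_000):
    """Return (host, dst_ip, total_bytes, reason) for each EBS host whose outbound
    traffic goes to an unlisted external destination or exceeds byte_threshold."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec["src"] in EBS_HOSTS and not is_internal(rec["dst"]):
            totals[(rec["src"], rec["dst"])] += rec["bytes"]
    alerts = []
    for (host, dst), total in sorted(totals.items()):
        if dst not in known_external:
            alerts.append((host, dst, total, "unknown external destination"))
        elif total > byte_threshold:
            alerts.append((host, dst, total, "volume above threshold"))
    return alerts


# Constructed sample log lines (not real traffic); 192.0.2.0/24 is TEST-NET-1.
SAMPLE_LOG = """\
2025-10-06T02:14:03 ebs-app-01 10.20.30.5 1521 4096
2025-10-06T02:15:10 ebs-app-01 192.0.2.77 443 30000000
2025-10-06T02:16:42 ebs-app-01 192.0.2.77 443 25000000
2025-10-06T02:17:01 ebs-app-02 192.0.2.10 443 1200
2025-10-06T02:18:55 ebs-app-02 10.20.30.5 1521 8192
""".splitlines()

if __name__ == "__main__":
    # Assumption: 192.0.2.10 is a vetted external endpoint in the allowlist.
    for host, dst, total, why in find_exfil_candidates(SAMPLE_LOG, {"192.0.2.10"}):
        print(f"ALERT {host} -> {dst}: {total} bytes outbound ({why})")
```

In production the allowlist and byte threshold would come from a baseline of normal EBS traffic, and alerts would feed the incident response process rather than stdout.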