Oracle has rushed out an emergency patch for a critical vulnerability in its E-Business Suite (EBS) application, tracked as CVE-2025-61882. The Cl0p ransomware syndicate in particular has exploited the flaw, in attacks that have resulted in some of the largest data breach incidents in U.S. history. With a Common Vulnerability Scoring System (CVSS) score of 9.8, the vulnerability poses a serious risk to any organization running the affected Oracle software.
Oracle has not published technical details of the bug beyond calling it a vulnerability in Oracle E-Business Suite. CISA’s alert describes it as a flaw that an unauthenticated attacker with network access via HTTP can exploit to compromise, and ultimately take over, the Oracle Concurrent Processing component. That outcome creates both security and liability exposure for the operators and end users of the software.
Details on the Exploit
Oracle’s CVE-2025-61882 advisory warns that a successful attack could lead to “complete compromise of the application and underlying database.” The flaw allows remote code execution, letting an attacker run arbitrary commands on a vulnerable system. Oracle stresses that it is remotely exploitable without authentication: an attacker needs only network access to the EBS HTTP interface, not a username or password.
Cl0p has also kicked off a new campaign against the higher education sector, again going after vulnerabilities in Oracle E-Business Suite. In August 2025, Cl0p exploited seven different vulnerabilities, which drove the theft of enormous quantities of sensitive data from a diverse set of victims.
“Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025,” – Charles Carmakal
Indicators of Compromise
To help organizations detect evidence of exploitation, Oracle has released indicators of compromise (IoCs) for this vulnerability. They include two IP addresses identified as sources of malicious activity, 200.107.207.26 and 185.181.60.11, together with potential GET and POST requests originating from those addresses. Source IPs are the most short-lived kind of indicator: a match is a lead that warrants investigation, and the absence of a match does not rule out compromise.
Other IoCs shared by Oracle are file names: “oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip,” “exp.py,” and “server.py.” These files appear to be tied to the Scattered LAPSUS$ Hunters group and presumably formed part of the tooling used to carry out the exploit.
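As an added illustration of how a defender would actually use these indicators (example code written for this article, not Oracle’s or CISA’s tooling), the following Python sweeps NCSA/Apache-format web access logs for the two IoC IP addresses and the three IoC file names, and filters a filesystem listing for the same names. The log lines, request paths and file paths in it are constructed sample data; only the IP addresses and file names come from the published IoCs.

```python
"""Sweep web-server access logs and file listings for the CVE-2025-61882 IoCs.

Added example for this article, not Oracle's or CISA's tooling. The only
facts it encodes are the two source IPs and three file names published as
IoCs; the log lines and file paths below are constructed sample data in
Apache/NCSA common log format, and the request paths in them are placeholders.
"""
import os
import re

# Indicators published for CVE-2025-61882 (the IPs and file names named in the article).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_FILENAMES = {
    "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip",
    "exp.py",
    "server.py",
}

# NCSA common log format: ip ident user [time] "METHOD path proto" status size
# Only the start of the line is anchored, so combined-format lines with
# referrer and user-agent fields after the size still match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the attacker lines reuse the published IoC IPs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:15:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123
200.107.207.26 - - [04/Oct/2025:03:12:44 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 200 412
185.181.60.11 - - [04/Oct/2025:03:13:01 +0000] "GET /OA_HTML/exp.py?x=1 HTTP/1.1" 404 0
10.0.0.7 - - [04/Oct/2025:03:14:09 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 880
this line is deliberately malformed and must be skipped, not crash the scan
"""


def _basename_of_url_path(path):
    """Last path segment without any query string: '/a/b/exp.py?x=1' -> 'exp.py'."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def scan_access_log(lines):
    """Return one hit per log line that matches an IoC IP or an IoC file name.

    Each hit records the 1-based line number, the request, and the reasons it
    matched, so an analyst can pivot from the hit back to the raw log entry.
    Malformed lines are skipped rather than raising: a sweep over months of
    logs should not abort on one odd line.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("ioc-ip:" + m["ip"])
        name = _basename_of_url_path(m["path"])
        if name in IOC_FILENAMES:
            reasons.append("ioc-file:" + name)
        if reasons:
            hits.append({
                "line": lineno,
                "ip": m["ip"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
                "time": m["time"],
                "reasons": reasons,
            })
    return hits


def match_ioc_filenames(paths):
    """Filter filesystem paths down to those whose base name is an IoC file name."""
    return [p for p in paths if os.path.basename(p) in IOC_FILENAMES]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['method']} {hit['path']} from {hit['ip']}"
              f" -> {', '.join(hit['reasons'])}")
    # Constructed file listing, e.g. the output of `find / -type f` on the EBS host.
    listing = ["/tmp/exp.py", "/home/applmgr/server.py", "/var/log/syslog", "/u01/app/exp.pyc"]
    print("suspicious files:", match_ioc_filenames(listing))
```

On the sample data, lines 2 and 3 are reported (the second for both the IoC IP and the `exp.py` name), the benign lines are not, and the malformed line is skipped. Oracle HTTP Server writes Apache-style access logs, so the regex can be pointed at those directly; a 404 for an IoC file name is still worth recording, since it shows an attacker probing even when nothing was served.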
Recommendations for Organizations
Given the severity of this vulnerability and its active exploitation in the wild, organizations should act immediately. Oracle also cautions companies not to assume they have escaped compromise simply because they have now applied the patch.
“Given the broad mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” – Carmakal
This is a dangerous and costly gap that must be closed immediately; as it stands, it leaves attackers a route to unauthorized access to sensitive systems. Organizations running Oracle E-Business Suite should prioritize deploying the emergency patch, then scrutinize their systems closely for any sign of compromise, starting with the published IoCs.