Particle.news
Download on the App Store

Oracle Rushes Fix as Cl0p’s Exploitation of E‑Business Suite Zero‑Day Dates to August

A leaked exploit has heightened the risk of rapid follow‑on attacks according to government warnings.

Overview

  • Oracle issued an emergency patch on October 4 for CVE-2025-61882, a CVSS 9.8 flaw in the BI Publisher Integration of Oracle Concurrent Processing that enables unauthenticated remote code execution over HTTP on E-Business Suite versions 12.2.3–12.2.14.
  • Mandiant and CrowdStrike report that Cl0p used multiple Oracle EBS bugs, including this zero-day, to steal data from several organizations since at least August 9 before launching extortion emails in late September.
  • Oracle published indicators of compromise including two IPs, a reverse-shell command, and hashes tied to a Telegram-leaked archive attributed to “Scattered Lapsus$ Hunters,” which researchers verified as a working exploit.
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog as the FBI labeled it an emergency, and the UK NCSC and Singapore’s CSA urged immediate patching, compromise assessments, and aggressive threat hunting.
  • WatchTowr’s analysis describes a chain of at least five bugs that achieves pre-authentication code execution via a single request, while Censys and Shadowserver observed hundreds to thousands of internet-exposed EBS instances still at risk.