Updated 14:00 BST to confirm mass exploitation, IOCs published.

Oracle has pushed an emergency patch for a critical pre-auth RCE bug in its E-Business Suite. CVE-2025-61882 is under “mass exploitation” by the Cl0p ransomware group, said Mandiant CTO Charles Carmakal.

The CVSS 9.8 E-Business suite bug affects versions 12.2.3 to 12.2.14. Oracle pushed an out-of-band patch this weekend, publishing IOCs. Over 1,000 instances appear to be publicly exposed, the majority in the US.

The UK’s NCSC warned on Monday that “an unauthenticated attacker can send specially crafted HTTP requests to the affected component resulting in full system compromise. No user interaction is required.”

Bad actors could orchestrate a complete takeover of the Oracle Concurrent Processing component to inject code, manipulate or exfiltrate sensitive data, or move laterally through the enterprise.

Jake Knott, Principal Security Researcher at watchTowr commented: "By Monday morning, exploit code for that same flaw was already public. The attack chains together multiple vulnerabilities — including several patched in July and the one just released on October 4.

"At first glance, it looked reasonably complex and required real effort to reproduce manually. But now, with working exploit code leaked, that barrier to entry is gone. It's likely that almost no one patched over the weekend. So we’re waking up to a critical vulnerability with public exploit code and unpatched systems everywhere."

The attack surface management firm later published a detailed breakdown of the attack chain, noting that it "demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve [pre-auth RCE]."

Weekend warnings to patch fast

Oracle’s CSO Rob Duhart said in a statement on Saturday, “We strongly recommend Oracle E-Business Suite (EBS) customers apply the guidance provided by this Security Alert as soon as possible.”

The zero-day attacks have been linked to the threat group Cl0p, a well-known ransomware-as-a-service group that appears to be extorting and stealing data from Oracle E-Business Suite customers. 

Last week, Google researchers flagged an increase in ransom emails from the Cl0p gang claiming to have information stolen from the Oracle E-Business Suite. 

In a post to LinkedIn on Sunday, Google Mandiant’s CTO Charles Carmakal also connected the rise of extortion emails with Oracle's July patches (over 300 in total), as well as Saturday’s CVE-2025-61882 patch. 

Oracle Security Alert Advisory - CVE-2025-61882 | Charles Carmakal

🚨 CRITICAL ALERT: Mass exploitation of multiple Oracle E-Business Suite (EBS) vulnerabilities, including a 0-day, by Clop for data theft and extortion. Here’s what you need to know:

1️⃣ Clop exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025.

2️⃣ Clop is the actor behind prior mass exploitation, data theft, and extortion campaigns impacting customers of MOVEit and other managed file transfer solutions. They’ve made a lot of money over the years.

3️⃣ Clop has been sending extortion emails to several victims since last Monday. However, please note they may not have attempted to reach out to all victims yet.

4️⃣ Multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle’s July 2025 update as well as one that was patched this weekend (CVE-2025-61882).

5️⃣ CVE-2025-61882 is a critical (9.8 CVSS) vulnerability that enables unauthenticated remote code execution.

⚠️ Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised.

Thanks to the Oracle team for the collaboration.

🔗 Additional details from Oracle: https://lnkd.in/eFaF-hu3

Oracle shared the following IOCs.

Google's Carmakal highlighted, “Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised.” 
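Two practical follow-ups to the advice above (check whether an instance is in the affected 12.2.3 to 12.2.14 range, then look for the published IOCs in web server logs) are shown in the added Python triage helper below. This is example code written for this article, not Oracle's, Mandiant's or watchTowr's tooling. The IOC entries and log lines are constructed placeholders (RFC 5737 test addresses); the real indicators and request paths come from Oracle's Security Alert, and the log format assumed is the Apache/NCSA combined format.

```python
import ipaddress
import re

# Affected range as stated in Oracle's advisory: 12.2.3 through 12.2.14 inclusive.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(version: str) -> tuple:
    """Turn '12.2.10' into (12, 2, 10) so comparison is numeric.

    A plain string comparison would rank '12.2.10' below '12.2.9', which is
    exactly the mistake that makes a patched box look unpatched (or vice versa).
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version: str) -> bool:
    """True when the EBS version lies inside the advisory's affected range."""
    v = parse_version(version)
    v = (v + (0, 0, 0))[:3]  # pad '12.2' to (12, 2, 0); drop any 4th component
    return AFFECTED_MIN <= v <= AFFECTED_MAX


# Apache/NCSA combined log format (assumed; adjust for your front-end proxy).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def compile_iocs(ioc_entries):
    """Accept single addresses and CIDR blocks; '203.0.113.7' becomes a /32."""
    return [ipaddress.ip_network(entry, strict=False) for entry in ioc_entries]


def find_ioc_hits(log_lines, ioc_entries):
    """Return one record per log line whose client IP falls in an IOC entry.

    Lines that do not parse, or whose client field is not an IP address
    (e.g. a hostname), are skipped rather than treated as matches.
    """
    networks = compile_iocs(ioc_entries)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        for net in networks:
            if addr in net:
                hits.append({
                    "ip": m["ip"],
                    "timestamp": m["ts"],
                    "method": m["method"],
                    "path": m["path"],
                    "status": m["status"],
                    "matched_ioc": str(net),
                })
                break  # one record per line is enough for triage
    return hits


# Placeholder indicators: substitute the addresses from Oracle's Security Alert.
PLACEHOLDER_IOC_IPS = ["203.0.113.7", "198.51.100.0/24"]

# Constructed sample log lines; the last one is deliberately malformed.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Oct/2025:03:14:07 +0000] "POST /app/endpoint HTTP/1.1" 200 512',
    '192.0.2.25 - - [04/Oct/2025:03:15:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.44 - - [05/Oct/2025:11:02:19 +0000] "POST /app/endpoint HTTP/1.1" 500 88',
    'this line is not in combined log format',
]


if __name__ == "__main__":
    for ver in ("12.2.2", "12.2.10", "12.2.14", "12.2.15"):
        print(f"EBS {ver}: {'AFFECTED' if is_affected_version(ver) else 'outside range'}")
    for hit in find_ioc_hits(SAMPLE_LOG, PLACEHOLDER_IOC_IPS):
        print(f"{hit['timestamp']} {hit['ip']} -> {hit['matched_ioc']} "
              f"{hit['method']} {hit['path']} {hit['status']}")
```

A hit on an IOC address is a reason to start an investigation, not proof of compromise; equally, an empty result only covers the indicators you fed in, so the version check still decides whether the patch is due.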

See also: Didn't patch Oracle E-Business 80 days ago? You've got (ransom) mail
