Oracle E‑Business Suite Zero-Day Found To Be Actively Exploited by Ransomware Gang
October 10, 2025
A high-severity vulnerability in Oracle E‑Business Suite has received security patching along with a warning that it has already been exploited in the wild by ransomware threat groups.
CVE-2025-61882 has been given a score of 9.8 out of 10 for its severity, given that it allows an unauthenticated attacker to perform remote code execution. The prolific Clop ransomware group has been observed making use of it as part of its notorious “quadruple extortion” data theft attacks.
Patch issued after data theft group deployed zero-day
Oracle E‑Business Suite versions 12.2.3 through 12.2.14 are affected by the vulnerability and require manual patching. A proof-of-concept has been published and demonstrates that attackers can exploit the flaw remotely without a username or password.
Threat actors reportedly compromised Oracle E-Business Suite itself and demanded a ransom for information they exfiltrated. News of the vulnerability and exploitation reportedly first broke from threat actor chatter on Telegram, though not from the Clop group themselves. Instead, rival group Scattered Lapsus$ Hunters appeared to leak information associating Clop with stolen Oracle source code from the incident.
While Clop has publicly attached their name to the attempted shakedown of Oracle, the leak revealed the specific vulnerability and exploit they used to get in. A spokesperson for Shiny Hunters, one of the groups involved with the Scattered Lapsus$ Hunters team, told media sources that they leaked the information because they developed the zero-day and it was subsequently stolen from them by an unknown party that then sold or provided it to Clop.
Clop group has long history of being first to deploy zero-days
Regardless of how it obtains them, Clop has become notorious for using zero-days in its various high-profile attacks, and this has likely been key to its long-term stability in a world where "big name" cybercrime groups now rarely last longer than two years.
The group has been observed using zero-days since at least 2020, when it breached the Accellion FTA platform by deploying several of them. It has also deployed them in attacking the SolarWinds Serv-U FTP software in 2021, and both the GoAnywhere MFT platform and MOVEit in 2023.
The group has been active since at least 2019 and has cumulatively racked up hundreds of millions of dollars in extortion money as a result of its campaigns. Of late it has shifted to pure data extortion rather than deploying ransomware, but will still use it at times in a "quadruple extortion" model that also involves threatening victims with DDoS attacks and harassing clients and other parties impacted by the data theft. The group heavily targets organizations in the USA, Canada and Europe, and often runs operations on holiday weekends when it expects security to be more lax. It also runs its own dedicated leak site to pressure victims, and operates on a ransomware-as-a-service (RaaS) model in partnership with other cybercriminals.