Oracle issues emergency patch for zero-day flaw exploited by Cl0p ransomware gang

It’s the bad news that many customers of Oracle E-Business Suite (EBS) have been dreading: reports of ransomware attacks targeting the software have turned out to be connected to a serious zero-day vulnerability that requires immediate patching.

The first indications that something might be awry emerged last week from Halcyon, Google’s Threat Intelligence Group (GTIG), and Mandiant, which issued alerts that one of the world’s most active extortion groups, Cl0p, was probably behind recent email demands sent to Oracle customers running internet-facing EBS ERP portals.

Although there was some initial uncertainty about the scope, severity, and attribution of the attacks, these reports revealed worrying details, including unusually large ransom demands of up to $50 million backed by proof of compromise such as screenshots and file trees.

“We are the Cl0p team. If you haven’t heard about us, you can Google about us on the Internet,” began one of the ransom notes, re-published by a news site.

The note went on to make the usual demand for payment, backed by threats to expose stolen data if ransom was not paid.

The worry was how the attackers were compromising victims. During 2025, Oracle has patched several important EBS security issues, including CVE-2025-30727 affecting the iSurvey Module, and CVE-2025-21541 affecting Admin Screens and Grants UI, neither known to have been exploited.

The flaw exploited as part of the latest attack remains in question. A blog last week by Oracle’s CSO, Rob Duhart, indicated that multiple vulnerabilities from the July 2025 Oracle Critical Patch Update (CPU) might be involved. However, this was later updated to remove that reference.

A post by Charles Carmakal of Mandiant still refers to multiple vulnerabilities, but the focus has now shifted to a new remote code execution (RCE) flaw, CVE-2025-61882, as the main culprit. The fact that Oracle issued an emergency patch for it during the weekend seems to confirm this.

Initial access by Cl0p dates to August, which means that attackers have had plenty of time to steal large amounts of data. Extortion emails were sent to victims from September 29 onwards, but might not yet have reached all victims, Carmakal cautioned.

“Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” he said.

Red alert: Patch now

Rated a ‘critical’ 9.8 on CVSS, CVE-2025-61882 is a vulnerability in the EBS BI Publisher Integration component of Oracle E-Business Suite affecting versions 12.2.3 to 12.2.14, which is remotely exploitable without authentication.

Customers should apply the latest patch, after first applying the October 2023 critical patch update if they have not already done so. Any installation of the software last updated before October 4 should be considered at risk.

“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the company warned.

Oracle also published a list of indicators of compromise (IoCs), including IP addresses, observed commands, and malware signatures, to aid in detection.

“It’s likely that almost no one patched over the weekend. We’re waking up to a critical vulnerability with public exploit code and unpatched systems everywhere,” said Jake Knott, principal security researcher at continuous security testing company, watchTowr.

“We fully expect to see mass, indiscriminate exploitation from multiple groups within days. If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls – fast.”

According to Zbyněk Sopuch, CTO of data security vendor Safetica, enterprises should also note the evolving cybercriminal behavior signaled by recent ransomware attacks.

“The targeted systems-of-choice for thieves include ERP, finance, HR, and the typical points of entry are via admin credentials and third-party connectors, such as VPNs, middleware, and API service accounts, which tend to have open access privileges,” said Sopuch.

He recommended that companies isolate critical applications as much as possible, while making protections such as multi-factor authentication (MFA) standard for admin logins and integration or API access points.

“Conversely, give service and integration accounts minimum access or simple access-appropriate-to-role permissions, and routinely rotate keys,” he said.

Zero-day vulnerabilities seem to be particularly favored by Cl0p: the 2023 attacks on customers of the MOVEit file transfer software, which exploited CVE-2023-34362, are a high-profile example. Other attacks using the same approach included those against Accellion in 2020 and SolarWinds in 2021.

The lesson is that organizations can detect incursions only if they are continuously monitoring all risk points in the attack surface, such as external access points and logins, said Sopuch.
