Clop Exploits Critical Oracle Zero-Day; CISA Issues Emergency Patch Directive

Clop Ransomware Group Actively Exploiting Critical Oracle E-Business Suite Zero-Day (CVE-2025-61882)

CRITICAL
October 7, 2025
October 9, 2025
5m read
VulnerabilityThreat ActorRansomware

Related Entities(initial)

Threat Actors

Clop

Organizations

Cybersecurity and Infrastructure Security Agency (CISA)Federal Bureau of Investigation (FBI)MandiantNational Cyber Security Centre (NCSC)Oracle

Products & Tech

Oracle E-Business Suite

Other

Google Cloud

CVE Identifiers

CVE-2025-61882
CRITICAL
CVSS:9.8
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1020Exfiltration

Automated Exfiltration

T1190Initial Access

Exploit Public-Facing Application

T1486Impact

Data Encrypted for Impact

T1657Impact

Financial Extortion

Full Report(when first published)

Executive Summary

On October 6, 2025, Oracle and several international cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.K.'s National Cyber Security Centre (NCSC), and Singapore's cybersecurity authority, released urgent advisories regarding a critical zero-day vulnerability in Oracle E-Business Suite (EBS). The flaw, tracked as CVE-2025-61882, holds a CVSS score of 9.8 and is under active exploitation by the Clop ransomware group. The threat actors are leveraging this vulnerability for data exfiltration and subsequent extortion. CISA has added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog, requiring immediate patching by federal agencies. The vulnerability allows for unauthenticated remote code execution, posing a severe threat to organizations utilizing the affected Oracle software, particularly in finance, HR, and supply chain management.

Vulnerability Details

The vulnerability, CVE-2025-61882, is a critical remote code execution (RCE) flaw within the BI Publisher Integration component of Oracle Concurrent Processing in the Oracle E-Business Suite. Its CVSS score of 9.8 reflects its severity, as it can be exploited by an unauthenticated attacker over a network without requiring any user credentials. This allows for a complete takeover of the affected system.

Technical Description

The flaw resides in how the BI Publisher component handles certain requests, allowing an attacker to execute arbitrary code. The attack vector is remote and requires no user interaction, making it highly wormable and easy to exploit at scale. Public exploit code was reportedly made available on October 6, 2025, drastically increasing the pool of potential attackers and the urgency for mitigation.

Threat Overview

The Clop ransomware group, a well-known cybercriminal organization with a history of exploiting zero-day vulnerabilities in enterprise software, has been identified by Mandiant as the primary threat actor exploiting this flaw. Their campaign is believed to have started as early as August 2025.

Attack Chain

  1. Initial Access: The threat actors scan the internet for vulnerable Oracle E-Business Suite instances.
  2. Exploitation: Attackers exploit CVE-2025-61882 to gain initial access and execute code on the target server. (T1190 - Exploit Public-Facing Application)
  3. Data Exfiltration: Once inside, Clop exfiltrates large volumes of sensitive corporate data. (T1020 - Automated Exfiltration)
  4. Extortion: Starting in October 2025, the group began contacting executives at the compromised organizations, threatening to leak the stolen data unless a ransom is paid. This is a classic double-extortion tactic. (T1657 - Financial Extortion)

Impact Assessment

The business impact of this vulnerability is severe. Oracle E-Business Suite is a cornerstone for many large enterprises, managing critical functions like finance, human resources, and supply chain logistics. A compromise can lead to:

  • Data Breach: Theft of highly sensitive financial records, employee PII, and proprietary supply chain information.
  • Operational Disruption: The need to take critical systems offline for investigation and remediation can halt core business operations.
  • Financial Loss: Costs associated with incident response, potential ransom payments, regulatory fines (e.g., GDPR, CCPA), and reputational damage.
  • Reputational Damage: Loss of customer and partner trust, especially for publicly traded companies.

Given that the exploitation campaign began two months before the vulnerability was publicly disclosed, organizations must assume compromise and conduct thorough forensic investigations, not just apply patches.

Cyber Observables for Detection

Security teams should proactively hunt for signs of compromise. Since the vulnerability is in the BI Publisher component, web server logs are a primary source for detection.

Type Value Description
url_pattern */OA_HTML/BIPublisherIntegration* Monitor for unusual requests to the BI Publisher Integration endpoint in web access logs.
process_name java or oc4j Look for anomalous child processes spawned by the Oracle application server process.
network_traffic_pattern Outbound connections from EBS servers Monitor for large or unusual outbound data transfers from EBS servers to unknown IP addresses or cloud storage providers.
log_source Oracle EBS Access Logs Analyze access logs for requests to the BI Publisher endpoint from untrusted or external IP addresses.

Detection & Response

Organizations should immediately implement detection mechanisms to identify exploitation attempts and signs of an existing compromise.

Detection Strategies

  1. Log Analysis: Scrutinize web server and application logs for the Oracle E-Business Suite, specifically looking for anomalous requests to the BI Publisher URL path. Use D3FEND's Network Traffic Analysis to identify suspicious connections.
  2. EDR Monitoring: Deploy and monitor Endpoint Detection and Response (EDR) agents on EBS servers. Look for suspicious command-line activity or child processes spawned by the main Oracle application process, which could indicate post-exploitation activity. This aligns with D3FEND's Process Analysis.
  3. Threat Hunting: Proactively hunt for evidence of data staging. Search for large compressed files (.zip, .rar, .7z) in unusual directories on EBS servers, which Clop often uses before exfiltration.

Response Actions

  • Isolate: If a compromise is suspected, immediately isolate the affected EBS systems from the network to prevent lateral movement.
  • Investigate: Conduct a forensic analysis of the affected systems, reviewing logs and system snapshots to determine the extent of the breach and what data was exfiltrated.
  • Report: Report the incident to relevant authorities, such as the FBI and CISA.

Mitigation

Immediate patching is critical, but a defense-in-depth approach is necessary.

Immediate Actions

  1. Patch: Apply the security patches released by Oracle for CVE-2025-61882 immediately. This is the most critical step. This falls under D3FEND's Software Update technique.
  2. Restrict Access: If patching is not immediately possible, restrict network access to the Oracle E-Business Suite. Limit access to only trusted internal IP addresses and use a Web Application Firewall (WAF) to filter malicious requests. This is a form of D3FEND Inbound Traffic Filtering.

Strategic Recommendations

  • Assume Compromise: Since exploitation began in August, organizations must investigate for signs of a breach even after patching.
  • Network Segmentation: Implement robust network segmentation to prevent threat actors from moving laterally from a compromised EBS server to other parts of the corporate network. This aligns with D3FEND's Network Isolation.
  • Incident Response Plan: Ensure your incident response plan is up-to-date and includes specific playbooks for responding to attacks on critical enterprise applications like Oracle EBS.

Timeline of Events

1
August 1, 2025
The Clop ransomware group begins exploiting CVE-2025-61882 to steal data from victims.
2
October 6, 2025
Oracle and international cybersecurity agencies (CISA, NCSC) issue urgent warnings about the vulnerability.
3
October 6, 2025
CISA adds CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog.
4
October 7, 2025
This article was published
5
October 28, 2025
Deadline for U.S. federal civilian agencies to apply patches for CVE-2025-61882.

Article Updates

October 8, 2025

Severity increased

New details on Cl0p's Oracle EBS zero-day exploitation, including affected versions and potential adoption by other threat actors.

New information confirms that Oracle E-Business Suite versions 12.2.3 through 12.2.14 are specifically affected by CVE-2025-61882. The public availability of exploit code on platforms like Telegram increases the likelihood that other threat actors, such as Scattered Spider and ShinyHunters, will adopt this TTP. Additionally, the update highlights the potential for ransomware deployment as a direct consequence of successful exploitation, leading to widespread operational disruption. New detection observables include monitoring for cmd.exe, powershell.exe, or sh processes spawned by Oracle services, providing more specific guidance for security teams.

Update Sources:
thaicert.or.thOracle Confirms Cl0p Ransomware Group Exploited Zero-Day (CVE-2025-61882) to Attack E-Business Suite Customers
sans.orgOracle E-Business Suite: Patch Zero-Day Actively Exploited by Cl0p; Okta and Zscaler Report on Salesloft Drift Breaches
youtube.comDaily Cyber News – October 7th, 2025

October 9, 2025

New technical details emerge on Clop's Oracle EBS zero-day, including SSRF escalation, specific affected versions, and patch prerequisites.

Further analysis of the CVE-2025-61882 Oracle EBS zero-day reveals it is reportedly an SSRF issue escalating to RCE, affecting versions 12.2.3 through 12.2.14. The Clop group is also combining this zero-day with other previously patched vulnerabilities to maximize access. Oracle released an emergency patch on October 4, 2025, with the October 2023 Critical Patch Update as a prerequisite. New MITRE ATT&CK techniques identified include T1595.002 (Vulnerability Scanning), T1212 (Exploitation for Credential Access), T1041 (Exfiltration Over C2 Channel), and T1486 (Data Encrypted for Impact). A new observable /xmlpserver/ has also been identified for the BI Publisher component.

Update Sources:
bankinfosecurity.comOracle Zero-Day and More Being Exploited by Ransomware Group
strobes.coCVE-2025-61882 Explained: The Oracle Zero-Day Breach That Hit Enterprises Hard

Sources & References(when first published)

FBI, UK gov't urge orgs to patch Oracle E-Business vuln after alleged Clop campaign
therecord.mediaOctober 6, 2025
Extortion campaign targeting Oracle E-Business Suite customers linked to zero-day
cyberscoop.comOctober 6, 2025
Active exploitation of vulnerability affecting Oracle E-Business Suite
ncsc.gov.ukOctober 6, 2025
CISA Adds Seven Known Exploited Vulnerabilities to Catalog
cisa.govOctober 6, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

CISAClopKEVOracleRCERansomwareZero-Day

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next