Oracle EBS flaw exploited in active ransomware campaigns

On October 6, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog. The Canadian Centre for Cyber Security also issued a threat advisory on the flaw.

Following our recent blog from October 2 on the extortion campaign targeting Oracle E-Business Suite (EBS) users, researchers have reported a significant escalation in the targeting of the software.

The activity intensified after Oracle released an out-of-band patch on October 4, 2025, disclosing CVE-2025-61882. The flaw affects EBS versions 12.2.3 through 12.2.14, and carries a CVSS score of 9.8. It allows unauthenticated remote code execution by exploiting what appears to be a chain of a number of distinct issues.

Evidence suggests that exploitation began as early as August 9, 2025, and has since evolved into multiple active campaigns. Some researchers attribute the activity to the Cl0p ransomware group, while others have observed signs of collaboration or code-sharing with groups such as Scattered Spider, LAPSUS$, and ShinyHunters.

Researchers also reported the availability of proof-of-concept (PoC) code, which significantly lowers the barrier for exploitation.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

Oracle E-Business Suite is a widely deployed enterprise resource planning (ERP) platform used across finance, supply chain, and HR functions. Its exposure to the internet and integration with critical business processes make it a high-value target.

Organizations running Oracle EBS are advised to:

• Apply the latest patch immediately
• Isolate internet-facing EBS instances or protect them with strict access controls
• Hunt for indicators of compromise, including:
  • Reverse shell activity
  • Unauthorized access to /OA_HTML/SyncServlet and related endpoints
  • Outbound connections over port 443 from EBS servers
• Review logs for suspicious HTTP requests and unusual template preview activity

Given the active exploitation and extortion attempts, rapid response and containment are critical.