On October 6, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog. The Canadian Centre for Cyber Security also issued a threat advisory on the flaw.
Since our October 2 blog post on the extortion campaign targeting Oracle E-Business Suite (EBS) users, researchers have reported a significant escalation in the targeting of the software.
The activity intensified after Oracle released an out-of-band patch on October 4, 2025, disclosing CVE-2025-61882. The flaw affects EBS versions 12.2.3 through 12.2.14 and carries a CVSS score of 9.8. It allows unauthenticated remote code execution through what appears to be a chain of several distinct issues.
Evidence suggests that exploitation began as early as August 9, 2025, and has since evolved into multiple active campaigns. Some researchers attribute the activity to the Cl0p ransomware group, while others have observed signs of collaboration or code-sharing with groups such as Scattered Spider, LAPSUS$, and ShinyHunters.
Researchers also reported the availability of proof-of-concept (PoC) code, which significantly lowers the barrier for exploitation.
Oracle E-Business Suite is a widely deployed enterprise resource planning (ERP) platform used across finance, supply chain, and HR functions. Its exposure to the internet and integration with critical business processes make it a high-value target.
Organizations running Oracle EBS are advised to:
Given the active exploitation and extortion attempts, rapid response and containment are critical.