Oracle has issued an urgent security update to address a new vulnerability, CVE-2025-61884, in its E-Business Suite (EBS). The flaw, which affects versions 12.2.3 through 12.2.14 of the EBS Runtime UI component, has a CVSS Base Score of 7.5. The vulnerability is remotely exploitable without authentication, meaning attackers could gain access to sensitive resources over a network without needing a username or password. This prompted Oracle to release an immediate patch and strongly recommend that all customers apply the update as soon as possible. It is not currently known whether this vulnerability has been exploited in the wild.
This new alert follows a separate, recently patched vulnerability in Oracle EBS, CVE-2025-61882. That flaw, which had a critical CVSS score of 9.8, was exploited by a group suspected to be Cl0p ransomware affiliates in a large-scale extortion campaign. In early October, researchers from Google Mandiant and Google Threat Intelligence Group (GTIG) began tracking this activity, where threat actors were attempting to extort company executives with claims that they had stolen Oracle EBS data.
According to cybersecurity firm Halycon, the attackers likely gained access by hacking user emails and then exploiting Oracle E-Business Suite’s default password reset function to steal valid credentials. While an email in the extortion notes was tied to a Cl0p affiliate, Google was unable to confirm the attackers’ claims. However, Mandiant’s CTO Charles Carmakal stated that attackers were using hundreds of hacked accounts in a mass extortion campaign, with at least one account linked to the financially motivated hacker group FIN11.
Researchers at CrowdStrike also attributed the exploitation of the CVE-2025-61882 vulnerability to the Cl0p group, also known as Graceful Spider. The flaw, which affects Oracle E-Business Suite 12.2.3 through 12.2.14, allows unauthenticated remote attackers to take control of the Oracle Concurrent Processing component. CrowdStrike warned that the public disclosure of a proof-of-concept (POC) on October 3 and Oracle’s subsequent patch would likely motivate other threat actors to develop their own weaponized exploits and target exposed EBS instances.
Google’s analysis showed that attackers used a malicious template within vulnerable Oracle EBS databases to store a payload that would be activated in the final stage of the attack chain. While the Cl0p group began emailing organizations about the data theft on September 29, researchers found that exploitation of CVE-2025-61882 had already been happening since August 9, with signs of even earlier activity on July 10, just before Oracle’s July security patches. This suggests that the attackers may have been attempting to exploit the flaw for some time.
Reference:
