Oracle zero-day in its E-Business Suite (EBS) exploited by Clop Group
Oracle has confirmed active exploitation of a critical zero-day vulnerability in its E-Business Suite (EBS), rated 9.8 on the CVSS v3 scale.
How the vulnerability works
Identified as CVE-2025-61882, the flaw affects the Business Intelligence Publisher (BI Publisher) integration within Oracle’s Concurrent Processing component. It allows remote attackers to execute arbitrary code on affected systems without authentication, giving full control over the compromised server.
Why this is so dangerous
The discovery follows a series of extortion attempts by the Clop ransomware group, which contacted Oracle EBS customers claiming to have stolen sensitive business data. Oracle’s internal investigation linked these compromises to exploitation of the CVE-2025-61882 zero-day, prompting the company to issue an emergency security alert on October 4.
While Oracle has focused on CVE-2025-61882, reports suggest that attackers may have also leveraged vulnerabilities previously addressed in the July 2025 Critical Patch Update, including CVE-2025-30743, CVE-2025-30744, and CVE-2025-50105, all rated between 5.4 and 8.1 in severity. These flaws span multiple EBS modules, from Lease and Finance Management to the Universal Work Queue.
The Clop Group, also known as TA505 or FIN11, has been active since 2019 and is notorious for large-scale data theft and extortion campaigns. The group has previously exploited zero-day vulnerabilities in major file transfer platforms such as MOVEit Transfer and GoAnywhere. Their latest campaign underscores a continued focus on targeting enterprise software with unpatched or newly discovered vulnerabilities.
Mitigation and next steps
Public proof-of-concept exploits for this vulnerability surfaced on October 6, further increasing the urgency for organizations to patch. The issue affects EBS versions 12.2.3 through 12.2.14, with fixes now available. Oracle notes that the October 2023 Critical Patch Update must be applied before installing the new patches.
Holm Security's response
Holm Security has released the following plugins to scan for these vulnerabilities:
- HID-2-1-5377263: Oracle E-Business Suite Remote Code Execution Vulnerability (CVE-2025-61882)
- HID-2-1-5375133: Oracle E-Business Suite 12.2.3 through 12.2.14 July 2025 Security Update (cpujul2025)
- HID-2-1-5378557: Oracle E-Business Suite 12.2.11 - 12.2.13 July 2025 Security Update (cpujul2025)
- HID-2-1-5378555: Oracle E-Business Suite 12.2.13 July 2025 Security Update (cpujul2025)
- HID-2-1-5378553: Oracle E-Business Suite 12.2.3 - 12.2.13 July 2025 Security Update (cpujan2025)
- HID-2-1-5378554: Oracle E-Business Suite 12.2.12 - 12.2.13 July 2025 Security Update (cpujul2025)
- HID-2-1-5378556: Oracle E-Business Suite 12.2.5 - 12.2.14 July 2025 Security Update (cpujul2025)
Scan for specific vulnerabilities
Read how you can include or exclude a specific vulnerability in a scan profile here.