A critical Oracle EBS zero-day flaw exploited in Clop data theft attacks has now been patched. The vulnerability allowed hackers to execute code remotely and steal sensitive data from major organizations. Oracle confirmed that the Clop ransomware group exploited the flaw before a fix was available.


The Oracle EBS Zero-Day Explained

The vulnerability, tracked as CVE-2025-61882, affected Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14.
It was found in the BI Publisher Integration within the Concurrent Processing component. The flaw scored 9.8 on the CVSS scale due to its ease of exploitation and potential for complete system compromise.

The Oracle EBS zero-day allowed unauthenticated attackers to execute arbitrary commands on targeted servers. This gave them full control over business data, configurations, and connected systems.

Before the patch, a public proof-of-concept exploit was circulating online. This increased the urgency of Oracle’s response as more attacks began surfacing globally.


Clop’s Attack Campaign

The Clop ransomware group used the zero-day to breach corporate systems and steal massive amounts of data.
According to Oracle, attackers leveraged the vulnerability through a remote entry point, injecting malicious commands via the BI Publisher interface.

The campaign began in August 2025, when Clop started threatening victims with data leaks unless ransoms were paid. Some companies confirmed stolen archives containing sensitive financial information.

Security researchers discovered related activity tied to IP addresses 200.107.207.26 and 185.181.60.11. Attackers also deployed reverse shell commands for persistence and lateral movement.


Oracle’s Response and Patch

Oracle released an emergency patch for the Oracle EBS zero-day on October 4, 2025.
However, the company warned that users must first apply the October 2023 Critical Patch Update before installing the fix.
The new patch closes the remote code execution flaw and adds stronger input validation to prevent similar exploits.

Oracle also shared indicators of compromise (IOCs), including suspicious file names, exploit scripts, and IPs associated with Clop operations. Organizations are advised to scan their environments for these artifacts.


Mitigation Steps

  • Patch immediately. Apply the October 2025 fix for CVE-2025-61882, after first installing the prerequisite October 2023 Critical Patch Update.
  • Monitor logs. Check for unusual connections from known Clop IP addresses.
  • Restrict external access. Temporarily limit internet exposure for EBS instances during patching.
  • Scan for persistence. Look for unauthorized jobs or reverse shell commands.
  • Back up data. Maintain offline backups to protect against ransomware-related data loss.
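The "monitor logs" step above, as an added example that is not part of the original article or of Oracle's own tooling: a small scanner that parses web-server access logs in the common combined format (an assumption about the log format) and flags requests from the two Clop-associated IP addresses named in the article. The sample log lines and request paths are constructed for illustration.

```python
import re
from collections import Counter

# IP indicators quoted in the article; extend this set with the full
# IOC list Oracle published alongside the patch.
CLOP_IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# Apache/NGINX "combined" access-log layout (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: two internal clients and two IOC addresses.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2025:09:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123
200.107.207.26 - - [04/Oct/2025:09:15:44 +0000] "POST /OA_HTML/example HTTP/1.1" 200 311
this line is not in combined format and must be skipped
10.0.0.9 - - [04/Oct/2025:09:16:10 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
185.181.60.11 - - [04/Oct/2025:09:20:02 +0000] "GET /OA_HTML/other HTTP/1.1" 404 0
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def find_ioc_hits(log_text, ioc_ips=CLOP_IOC_IPS):
    """Return every well-formed log entry whose client IP is a known IOC."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["ip"] in ioc_ips:
            hits.append(entry)
    return hits


def summarize(hits):
    """Count hits per IOC address so the noisiest source stands out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["req"]} -> {h["status"]}')
    print(summarize(found))
```

Run it against a real log with `find_ioc_hits(open(path).read())`; a hit is a reason to pull the full session for that address, not proof of compromise on its own.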

Conclusion

The Oracle EBS zero-day highlights how quickly threat actors exploit enterprise software flaws.
Clop’s campaign shows that even mission-critical business systems can become prime targets for data theft.
Organizations must act fast — patch their EBS environments, audit configurations, and monitor for post-exploit activity.
Swift response is the only way to stop the ripple effects of large-scale cyber intrusions like this one.

