Critical Oracle E-Business Suite flaws CVE-2025-61882 and CVE-2025-61884 were ex...
The enterprise software landscape is facing a significant security crisis following the discovery of two critical vulnerabilities in **Oracle E-Business Suite (EBS)**. The situation escalated when a vulnerability patched in early October, **CVE-2025-61882**, was exploited as a zero-day by threat actors linked to the **CL0P extortion group**, leading to a widespread data theft and extortion campaign affecting dozens of organizations.
Oracle has since issued another emergency alert for a separate, high-severity flaw, **CVE-2025-61884**, warning that it could allow unauthenticated attackers to access sensitive data.
This one-two punch has placed organizations relying on the popular enterprise resource planning platform at severe risk, underscoring the critical need for immediate patching and robust security measures.
## CVE-2025-61882 and CVE-2025-61884
### Technical Specifications at a Glance
The following table breaks down the key characteristics of the two recently disclosed Oracle E-Business Suite vulnerabilities:
| **Characteristic** | **CVE-2025-61882** | **CVE-2025-61884** |
| :--- | :--- | :--- |
| **CVSS v3.1 Score** | 9.8 (Critical) | 7.5 (High) |
| **Attack Vector** | Network | Network |
| **Authentication Required** | No | No |
| **Primary Impact** | Remote Code Execution | Unauthorized Data Access |
| **Affected Component** | Oracle Concurrent Processing (BI Publisher Integration) | Oracle Configurator (Runtime UI) |
| **Affected Versions** | 12.2.3 through 12.2.14 | 12.2.3 through 12.2.14 |
### Technical Mechanism of Attack
The critical vulnerability **CVE-2025-61882** has been the primary vector for the ongoing extortion campaign. Analysis from CrowdStrike and Google Threat Intelligence Group (GTIG) reveals a sophisticated, multi-stage exploit chain.
The attack begins with an **authentication bypass**, initiated by a malicious `POST` request to the `/OA_HTML/SyncServlet` endpoint.
Once access is gained, the threat actors abuse Oracle's **XML Publisher Template Manager** to achieve code execution. They upload a malicious XSL template into the EBS database, where it is stored in the `XDO_TEMPLATES_B` table. The template's name consistently begins with the prefix `TMP` or `DEF`. The final stage triggers execution of this payload by calling the Template Preview functionality, which runs the embedded commands.
This technique allows the attackers to deploy web shells and other malware, establishing persistence and enabling data exfiltration.
## Extortion Campaign: Tactics, Techniques, and Procedures (TTPs)
### CL0P's Mass Exploitation Playbook
GTIG and Mandiant have attributed this campaign to a threat actor claiming affiliation with the **CL0P extortion brand**, a group notorious for mass exploitation of zero-day vulnerabilities in managed file transfer systems. The campaign follows a now-familiar playbook: exploit a zero-day, steal victim data, and initiate extortion attempts weeks later.
The first known exploitation of CVE-2025-61882 [occurred](https://www.oracle.com/security-alerts/alert-cve-2025-61882.html) as early as **August 9, 2025**, with suspicious activity dating back to July 10, 2025—weeks before a patch was available.
The extortion phase began on **September 29, 2025**, when the actor launched a high-volume email campaign to executives at numerous organizations. These emails, sent from hundreds of compromised third-party accounts to bypass spam filters, alleged the theft of sensitive data from the victims' Oracle EBS environments and provided limited file listings as proof.
The emails directed victims to contact `[email protected]` and `[email protected]`, addresses associated with the CL0P data leak site.
### A Sophisticated Malware Arsenal
To maintain control within compromised environments, the threat actors deployed a chain of Java-based implants. These malware families are designed for in-memory execution to avoid detection on disk. Observed payloads include:
* **GOLDVEIN.JAVA**: A downloader used to retrieve additional malicious components.
* **SAGEGIFT, SAGELEAF, and SAGEWAVE**: A suite of tools that blend dynamic filters and template-based payload delivery through the database, facilitating stealthy operations and data exfiltration.
## A Defender's Guide
### Immediate Patching is Non-Negotiable
Oracle has strongly recommended that customers apply the emergency updates for both CVE-2025-61882 and CVE-2025-61884 as soon as possible (see the [NVD entry for CVE-2025-61884](https://nvd.nist.gov/vuln/detail/CVE-2025-61884)). It is crucial to note that for CVE-2025-61882, the **October 2023 Critical Patch Update is a prerequisite** for applying the new security patch.
Organizations should urgently review their patch levels and proceed with updates. Patches are provided for product versions covered under Premier or Extended Support phases.
### Proactive Threat Hunting and Hardening
Given that exploitation may have begun months before patches were released, organizations must proactively hunt for signs of compromise. Security researchers and Oracle recommend the following actions:
* **Scan for Malicious Templates**: Query the `xdo_templates_vl` database view for templates whose names start with `TMP` or `DEF` followed by 16 random hex characters.
* **Monitor for IOCs**: Hunt for network connections to the known malicious IPs published by Oracle, including `200[.]107[.]207[.]26` and `185[.]181[.]60[.]11`. Also monitor for commands associated with the exploit, such as reverse shell commands.
* **Inspect Session Logs**: Investigate suspicious sessions in the `icx_sessions` table, particularly those created for `UserID 0` (sysadmin) and `UserID 6` (guest).
* **Reduce Attack Surface**: As a temporary measure, consider disabling direct internet access to exposed Oracle EBS services and ensure instances are secured behind a web application firewall (WAF).
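The three hunts above (template naming, IOC addresses, and sysadmin/guest sessions) as one runnable script. This is an added example, not code from Oracle, CrowdStrike or GTIG: it builds an in-memory SQLite stand-in for the `xdo_templates_vl` and `icx_sessions` objects with assumed column names (the real views carry many more columns), fills them with constructed rows, and runs the hunting queries against them.

```python
import re
import sqlite3

# Added example, not Oracle's, CrowdStrike's or GTIG's code. Column names are an assumption
# chosen for this demo (the real EBS views have many more); all sample rows are constructed.
TEMPLATE_PATTERN = r"^(TMP|DEF)[0-9A-Fa-f]{16}$"   # campaign naming: prefix + 16 hex chars
IOC_IPS = {ip.replace("[.]", ".") for ip in ("200[.]107[.]207[.]26", "185[.]181[.]60[.]11")}
TEMPLATES = [  # (template_code, application_short_name, creation_date), constructed
    ("XDO_ROOT_TEMPLATE", "XDO", "2024-03-01"),
    ("TMP3f9a1c2e7b4d8a60", "FND", "2025-08-09"),   # matches the campaign's naming
    ("DEFAULT_INVOICE", "AR", "2023-11-12"),        # legitimate DEF... name, must not match
    ("DEFf00dbabe0123abcd", "FND", "2025-08-10"),
]
SESSIONS = [  # (session_id, user_id, creation_date), constructed
    (101, 1001, "2025-08-09 03:12:00"),
    (102, 0, "2025-08-09 03:14:10"),    # sysadmin
    (103, 6, "2025-08-09 03:15:42"),    # guest
    (104, 2040, "2025-08-09 08:00:00"),
]
CONNECTION_LOG = [  # constructed outbound-connection log lines from the EBS host
    "2025-08-09T03:16:01Z ebsapp01 dst=185.181.60.11 dport=443 proto=tcp action=allow",
    "2025-08-09T03:16:05Z ebsapp01 dst=10.20.30.40 dport=1521 proto=tcp action=allow",
]

def build_db():
    """In-memory stand-in for the EBS database holding the two objects the hunt queries."""
    conn = sqlite3.connect(":memory:")
    # SQLite ships no REGEXP implementation; register one so the query reads like the real hunt
    conn.create_function("REGEXP", 2, lambda pat, val: val is not None and re.match(pat, val) is not None)
    conn.execute("CREATE TABLE xdo_templates_vl (template_code TEXT, application_short_name TEXT, creation_date TEXT)")
    conn.execute("CREATE TABLE icx_sessions (session_id INTEGER, user_id INTEGER, creation_date TEXT)")
    conn.executemany("INSERT INTO xdo_templates_vl VALUES (?, ?, ?)", TEMPLATES)
    conn.executemany("INSERT INTO icx_sessions VALUES (?, ?, ?)", SESSIONS)
    return conn

def suspicious_templates(conn):
    """Template codes shaped like the campaign's (TMP/DEF + 16 hex chars), oldest first."""
    sql = ("SELECT template_code FROM xdo_templates_vl "
           "WHERE template_code REGEXP ? ORDER BY creation_date")
    return [row[0] for row in conn.execute(sql, (TEMPLATE_PATTERN,))]

def suspicious_sessions(conn):
    """Sessions created for UserID 0 (sysadmin) or 6 (guest), which the text flags for review."""
    sql = "SELECT session_id, user_id, creation_date FROM icx_sessions WHERE user_id IN (0, 6) ORDER BY session_id"
    return conn.execute(sql).fetchall()

def ioc_hits(log_lines):
    """Log lines whose destination is one of Oracle's published IOC addresses."""
    return [line for line in log_lines if any(ip in line for ip in IOC_IPS)]
```

Against a live EBS database the same `REGEXP` hunt would be written with Oracle's `REGEXP_LIKE`; the session query runs unchanged.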
## Escalating Threat to Enterprise Software
This incident is part of a dangerous trend where sophisticated threat actors systematically target business-critical software. The CL0P group has repeatedly used this model with great success, having previously exploited zero-days in Accellion FTA, GoAnywhere MFT, and MOVEit Transfer. Shifting this playbook to a core enterprise platform like Oracle E-Business Suite, which manages finances, supply chains, and customer relationships for countless organizations, represents an escalation in both ambition and potential impact.
The public leaking of a proof-of-concept exploit for [CVE-2025-61882](https://nvd.nist.gov/vuln/detail/CVE-2025-61882) on a Telegram channel on October 3, 2025, has further heightened the threat landscape. This disclosure lowers the barrier to entry for other threat actors, making it likely that attacks will evolve from targeted exploitation to broader, opportunistic campaigns in the near future.