Critical Oracle E-Business Suite flaws CVE-2025-61882 and CVE-2025-61884 were exploited by CL0P hackers in mass extortion attacks.

Continue reading
The enterprise software landscape is facing a significant security crisis following the discovery of two critical vulnerabilities in Oracle E-Business Suite (EBS). The situation escalated when a vulnerability patched in early October, CVE-2025-61882, was exploited as a zero-day by threat actors linked to the CL0P extortion group, leading to a widespread data theft and extortion campaign affecting dozens of organizations .
Oracle has since issued another emergency alert for a separate, high-severity flaw, CVE-2025-61884, warning that it could allow unauthenticated attackers to access sensitive data.
This one-two punch has placed organizations relying on the popular enterprise resource planning platform at severe risk, underscoring the critical need for immediate patching and robust security measures.
The following table breaks down the key characteristics of the two recently disclosed Oracle E-Business Suite vulnerabilities:
| Characteristic | CVE-2025-61882 | CVE-2025-61884 |
|---|---|---|
| CVSS v3.1 Score | 9.8 (Critical) | 7.5 (High) |
| Attack Vector | Network | Network |
| Authentication Required | No | No |
| Primary Impact | Remote Code Execution | Unauthorized Data Access |
| Affected Component | Oracle Concurrent Processing (BI Publisher Integration) | Oracle Configurator (Runtime UI) |
The critical vulnerability CVE-2025-61882 has been the primary vector for the ongoing extortion campaign. Analysis from CrowdStrike and Google Threat Intelligence Group (GTIG) reveals a sophisticated, multi-stage exploit chain.
The attack begins with an authentication bypass, initiated by a malicious `POST` request to the `/OA_HTML/SyncServlet` endpoint.
Once access is gained, the threat actors abuse Oracle's XML Publisher Template Manager to achieve code execution. They upload a malicious XSL template into the EBS database, where it is stored in the `XDO_TEMPLATES_B` table . The template's name consistently begins with the prefix `TMP` or `DEF`. The final stage involves triggering the execution of this payload by calling the Template Preview functionality, which executes the embedded commands.
This technique allows the attackers to deploy web shells and other malware, establishing persistence and enabling data exfiltration.
GTIG and Mandiant have attributed this campaign to a threat actor claiming affiliation with the CL0P extortion brand, a group notorious for mass exploitation of zero-day vulnerabilities in managed file transfer systems. The campaign follows a now-familiar playbook: exploit a zero-day, steal victim data, and initiate extortion attempts weeks later.
The first known exploitation of CVE-2025-61882 occurred as early as August 9, 2025, with suspicious activity dating back to July 10, 2025—weeks before a patch was available.
The extortion phase began on September 29, 2025, when the actor launched a high-volume email campaign to executives at numerous organizations. These emails, sent from hundreds of compromised third-party accounts to bypass spam filters, alleged the theft of sensitive data from the victims' Oracle EBS environments and provided limited file listings as proof.
The emails directed victims to contact `[email protected]` and `[email protected]`, addresses associated with the CL0P data leak site.
To maintain control within compromised environments, the threat actors deployed a chain of Java-based implants. These malware families are designed for in-memory execution to avoid detection on disk. Observed payloads include:
Oracle has strongly recommended that customers apply the emergency updates for both CVE-2025-61882 and CVE-2025-61884 as soon as possible. [Link to CVE-2025-61884] (https://nvd.nist.gov/vuln/detail/CVE-2025-61884). It is crucial to note that for CVE-2025-61882, the October 2023 Critical Patch Update is a prerequisite for applying the new security patch.
Organizations should urgently review their patch levels and proceed with updates. Patches are provided for product versions covered under Premier or Extended Support phases.
Given that exploitation may have begun months before patches were released, organizations must proactively hunt for signs of compromise. Security researchers and Oracle recommend the following actions:
This incident is part of a dangerous trend where sophisticated threat actors systematically target business-critical software. The CL0P group has repeatedly used this model with great success, having previously exploited zero-days in Accellion FTA, GoAnywhere MFT, and MOVEit Transfer. Shifting this playbook to a core enterprise platform like Oracle E-Business Suite, which manages finances, supply chains, and customer relationships for countless organizations, represents an escalation in both ambition and potential impact.
The public leaking of a proof-of-concept exploit for CVE-2025-61882 on a Telegram channel on October 3, 2025, has further heightened the threat landscape. This disclosure lowers the barrier to entry for other threat actors, making it likely that attacks will evolve from targeted exploitation to broader, opportunistic campaigns in the near future.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.
| Affected Versions | 12.2.3 through 12.2.14 | 12.2.3 through 12.2.14 |