Vulnerabilities & CVEs · Oct 06, 2025

WARNING❗️Critical Zero-Day In Oracle E-Business Suite | Patch Immediately - LinkedIn

LinkedIn · Archived Mar 16, 2026



Oracle has released a high-urgency security alert for a newly discovered zero-day vulnerability in its E-Business Suite (EBS), tracked as CVE-2025-61882. The flaw allows unauthenticated remote execution of arbitrary code and poses a severe risk to any exposed or unpatched installation. Oracle has assigned it a CVSS 3.1 base score of 9.8, placing it in the “critical” severity band. Below is a deeper look at how the vulnerability works, how attackers have used it, what patches are required, and how organizations should respond immediately.

Nature of the Vulnerability & Attack Surface

Affected Component & Exploitation Path

Oracle’s advisory identifies the weakness in the Concurrent Processing component of EBS, specifically the BI Publisher Integration subsystem. The vulnerability is triggered over HTTP (and equivalently HTTPS) and requires no authentication or user interaction, so an unauthenticated attacker can exploit it remotely over the network. The published risk matrix lists:

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact on Confidentiality/Integrity/Availability: High
- Affected Versions: Oracle E-Business Suite 12.2.3 through 12.2.14

Oracle explicitly warns that because HTTP is listed, its secure counterpart (HTTPS) is implicitly affected too.

Public Exploitation & Attribution

According to threat analysis, the vulnerability is already being used in real-world attacks, notably in a data theft and extortion campaign attributed to the Cl0p ransomware group. Early reports suggest that Cl0p leveraged this zero-day in conjunction with previously patched flaws from Oracle’s July 2025 CPU (Critical Patch Update). Security firms note: Mandiant has confirmed that data exfiltration occurred in August 2025, and extortion emails referencing Oracle EBS followed in September.
Oracle’s CSO, Rob Duhart, initially cited possible use of July 2025 CPU vulnerabilities, but later revised the public guidance to emphasize CVE-2025-61882. Some exploit artifacts published on Telegram and elsewhere align with signs of access to EBS systems. In addition, a public proof-of-concept (PoC) or detection template (e.g. a Nuclei scanner pattern) has been published, increasing the risk to unpatched systems.

One security analysis (SANS ISC) examined a script named exp.py tied to the exploit. The script issues a GET request to /OA_HTML/runforms.jsp, extracts internal host information from the redirect (if one is returned), then sends a POST to /OA_HTML/JavaScriptServlet to fetch a CSRF token, and finally triggers the exploit. This sequence is a multistage HTTP-based chain built on the EBS stack’s own web endpoints.

Patch Guidance, Prerequisites & Support Policies

Oracle Security Alert Advisory: Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay. Note that the October 2023 Critical Patch Update is a prerequisite for application of the updates in this Security Alert.

Before an organization can install the fix for CVE-2025-61882, it must have installed the October 2023 Critical Patch Update (CPU); this is a documented prerequisite. Oracle maintains that patches released via the Security Alert program are only available for EBS versions that are under Premier Support or Extended Support, per its Lifetime Support Policy. Unsupported versions are not tested and may remain vulnerable. Oracle strongly advises that customers plan upgrades to ensure future security alerts and patches will continue to apply to their current versions.
Detailed patch files, documentation and installation instructions are provided in the Patch Availability Document associated with the advisory.

Supported Versions & Scope

Affected versions: 12.2.3 through 12.2.14 of Oracle EBS. Versions not under official support (i.e., beyond Extended Support) will not receive patches under this program. Because the flaw is severe, Oracle is treating it as a Security Alert (i.e. out-of-cycle) rather than waiting for the next scheduled CPU.

Indicators of Compromise (IOCs), Detection, and Mitigation Steps

Published IOCs & Evidence

Oracle’s advisory (and companion documents) publish a set of Indicators of Compromise (IOCs) to assist detection, hunting, and response. Some of the key IOCs include:

Oracle also shares a text-based risk matrix (in “text form” version) and references to JSON/CSAF formats for automated integration.

Detection via Public Tools / Templates

A public detection method (e.g. via GitHub) has been disclosed, which looks for instances of EBS that:

- respond with page content containing “E-Business Suite Home Page”, and
- return an HTTP Last-Modified header earlier than October 4, 2025 (Unix timestamp 1759602752).

Instances meeting both criteria are flagged as likely unpatched and vulnerable. One researcher, “rxerium,” has released a Nuclei detection template codifying these rules. Such detection must be handled carefully — these are defensive checks only, not attack vectors. Misuse could violate policy or law.

Mitigation & Immediate Response Steps

Given the criticality, organizations should:

- Patch immediately — apply the October 2025 security alert patch, after ensuring the October 2023 CPU is installed.
- Check logs and systems for signs of the listed IOCs (IP traffic, exploit file hashes, shell commands).
- Conduct a forensic review to determine whether any EBS systems are already compromised.
- Isolate impacted systems — if suspicion exists, take them off business networks until they are clean or restored.
- Harden exposure — ensure firewalls, WAFs, or network segmentation block unnecessary HTTP/HTTPS access to EBS endpoints, especially from untrusted external sources.
- Enable monitoring and alerting on unusual outbound connections or shell-like invocations.
- Upgrade to supported versions if currently running unsupported EBS versions; unpatched systems will remain at risk indefinitely.
- Review the broader attack chain — EBS may rely on an underlying Oracle database, Fusion Middleware, or other components; ensure these dependencies are also patched (for example, via the July 2025 CPU or other updates).
- Implement additional defensive controls: MFA/SSO, log aggregation, anomaly detection, segmentation between application layers, etc.

Broader Context & Strategic Implications

This incident is especially significant given the involvement of Cl0p, a threat group renowned for exploiting high-impact zero-days for data exfiltration and extortion (e.g. MOVEit, Accellion, SolarWinds, etc.). Several points stand out:

- Chaining vulnerabilities: Evidence suggests the attackers used both the new zero-day and flaws patched in Oracle’s July 2025 CPU to orchestrate attacks.
- Speed of exploitation: The exploit was used in the wild before many organizations could react, which shows how rapidly attackers move once vulnerability details leak.
- Importance of patch discipline: Even though some flaws were patched previously, delays or gaps in patching allow attackers to build composite paths.
- Support lifecycle risks: Organizations running out-of-support EBS versions are doubly exposed: the vulnerability may exist, but no patch will be supplied.
- Zero-day weaponization trend: The speed with which a PoC and detection template appeared highlights how quickly threat actors and researchers adapt new flaws into their toolkits.

Conclusion

This incident highlights a growing trend among sophisticated cybercriminal groups that exploit enterprise-grade business platforms to gain high-value access to financial and operational data. Oracle E-Business Suite, widely used for ERP, HR, and supply chain management, is a critical business system for many Fortune 500 companies and government agencies. The discovery and exploitation of CVE-2025-61882 demonstrate how attackers are targeting enterprise software ecosystems that are often complex, slow to update, and deeply integrated into core business processes. It also underscores the operational risk of running outdated or unsupported versions that no longer receive security patches. The response to this zero-day serves as a reminder that timely patch management, continuous monitoring, and proactive security hygiene remain essential defenses against modern cyber threats. Organizations that rapidly apply patches and maintain strict vulnerability management procedures can drastically reduce the window of opportunity for attackers.
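The two defensive checks the article describes, written out as one Python script: the public template's two rules from "Detection via Public Tools / Templates" (page body containing "E-Business Suite Home Page" plus a Last-Modified header earlier than epoch 1759602752), and a log review for the runforms.jsp-then-JavaScriptServlet request order that the SANS ISC analysis observed in exp.py. This is an added example and not code from the article, Oracle, SANS ISC or the rxerium template; the access-log layout, the 300-second pairing window and the sample log lines are constructed assumptions, and the response check is meant for a response captured from an instance you administer.

```python
"""Two defensive checks for Oracle EBS, following the article's description.

Added example: not code from the article, Oracle, SANS ISC, or the
rxerium Nuclei template. The log format and the sample lines below are
constructed for illustration.
"""
import re
from datetime import datetime
from email.utils import parsedate_to_datetime

# Cutoff quoted in the article for the public detection template: a
# Last-Modified header earlier than this epoch (Oct 4, 2025) suggests the
# instance predates the Security Alert patch.
PATCH_CUTOFF_EPOCH = 1759602752
HOME_PAGE_MARKER = "E-Business Suite Home Page"

# Endpoints named in the SANS ISC write-up of exp.py (path only, no query).
RUNFORMS_PATH = "/OA_HTML/runforms.jsp"
CSRF_SERVLET_PATH = "/OA_HTML/JavaScriptServlet"


def classify_ebs_response(headers, body):
    """Apply the template's two rules to a response captured from your own
    EBS instance. Returns each rule's result and the combined verdict."""
    is_home = HOME_PAGE_MARKER in body
    last_modified = None
    for name, value in headers.items():
        if name.lower() == "last-modified":
            try:
                last_modified = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                last_modified = None  # malformed header: treat as absent
    stale = last_modified is not None and last_modified.timestamp() < PATCH_CUTOFF_EPOCH
    return {
        "is_ebs_home_page": is_home,
        "stale_last_modified": stale,
        "likely_unpatched": is_home and stale,
    }


# Assumed combined-log layout: client ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Return (ip, timestamp, method, path) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return m.group("ip"), ts, m.group("method"), path


def find_probe_sequences(lines, window_seconds=300):
    """Flag clients that GET runforms.jsp and then POST JavaScriptServlet
    within window_seconds, the order SANS ISC observed in exp.py. A lone
    request to either endpoint is normal EBS traffic and is not flagged."""
    last_runforms_get = {}
    hits = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue  # skip lines in another format rather than failing
        ip, ts, method, path = parsed
        if method == "GET" and path == RUNFORMS_PATH:
            last_runforms_get[ip] = ts
        elif method == "POST" and path == CSRF_SERVLET_PATH and ip in last_runforms_get:
            delta = (ts - last_runforms_get[ip]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append({
                    "ip": ip,
                    "runforms_at": last_runforms_get[ip].isoformat(),
                    "servlet_post_at": ts.isoformat(),
                    "seconds_apart": delta,
                })
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2025:12:00:01 +0000] "GET /OA_HTML/runforms.jsp HTTP/1.1" 302 0',
    '203.0.113.7 - - [05/Oct/2025:12:00:03 +0000] "POST /OA_HTML/JavaScriptServlet HTTP/1.1" 200 311',
    '198.51.100.9 - - [05/Oct/2025:12:01:10 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    '198.51.100.9 - - [05/Oct/2025:12:01:12 +0000] "POST /OA_HTML/JavaScriptServlet HTTP/1.1" 200 311',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    verdict = classify_ebs_response(
        {"Last-Modified": "Fri, 03 Oct 2025 10:00:00 GMT"},
        "<title>E-Business Suite Home Page</title>",
    )
    print("response classification:", verdict)
    for hit in find_probe_sequences(SAMPLE_LOG):
        print("probe sequence:", hit)
```

Running the script prints the verdict for a constructed pre-cutoff home-page response and the single flagged client in the sample log. The log check deliberately ignores a lone request to either endpoint, since both are ordinary EBS pages; the ordering and timing are the signal. A Last-Modified header is only a proxy for patch level, so treat a "likely unpatched" verdict as a prompt to verify the applied CPU and Security Alert level on the host, not as proof either way.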