Oracle patches E-Business suite targeted by Cl0p ransomware

Oracle has issued a fix for a critical remote code execution (RCE) vulnerability in its E-Business Suite (EBS), as the well-used enterprise resource planning (ERP) software package emerges as the latest vector for mass Cl0p (aka Clop) ransomware attacks.

The Oracle EBS ecosystem is deeply embedded in enterprise financial and operational systems, which offers hackers access to a wide range of high-value targets and potentially extreme impacts.

The flaw in question, CVE-20225-61882, is present in versions 1.2.2.3 through 12.2.14 of EBS, and affects a concurrent task processing component that enables users to run multiple processes simultaneously.

Rated 9.8 on the CVSS scale, it is considered relatively easy to take advantage of. Importantly, an unauthenticated attacker can exploit it over the network without any user interaction needed, leading to RCE.

The Oracle EBS ecosystem, often deeply embedded in financial and operational systems, offers high-value targets with far-reaching business impact.

“Oracle always recommends that customers remain on actively supported versions and apply all Security Alerts and Critical Patch Update security patches without delay,” the supplier said. “Note that the October 2023 Critical Patch Update is a prerequisite for application of the updates in this Security Alert.”

In its advisory notice, Oracle shared a number of indicators of compromise that appeared to link exploitation of CVE-2025-61882 to both the Cl0p ransomware crew and the Scattered Lapsus$ Hunters collective – which is not necessarily implausible as Scattered Spider has been known to act as a ransomware affiliate in the past.

Jake Knott, principal security researcher at watchTowr, said that exploitation of EBS appeared to date back to August 2025, and warned that as of Monday 6 October, exploit code for CVE-2025-61882 was publicly available.

“At first glance, it looked reasonably complex and required real effort to reproduce manually,” he said. “But now, with working exploit code leaked, that barrier to entry is gone. It’s likely that almost no one patched over the weekend. So we’re waking up to a critical vulnerability with public exploit code and unpatched systems everywhere.

“We fully expect to see mass, indiscriminate exploitation from multiple groups within days,” said Knott. “If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls, fast.”

Writing on LinkedIn, Charles Carmakal, chief technical officer and board advisor at Google Cloud’s Mandiant, confirmed this, saying that Cl0p had almost certainly exploited multiple other EBS vulnerabilities – including some that were patched a couple of months ago – as well. The gang has supposedly been contacting victims since early last week, but Carmakal added that it may have not made contact with all of them just yet.