Following reports that the Cl0p ransomware group has been extorting Oracle E-Business Suite customers, Oracle released an advisory for a zero-day vulnerability that was exploited in the wild.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a newly disclosed Oracle zero-day vulnerability that was exploited in the wild, along with other recently patched vulnerabilities that were part of Oracle’s initial investigation.
FAQ
What is the Oracle zero-day vulnerability?
On October 4, Oracle published a Security Alert Advisory for a new zero-day vulnerability in E-Business Suite (EBS), Oracle’s integrated business application suite for various business functions including order management, logistics, procurement and more.
What is the CVE for this Oracle zero-day vulnerability?
| CVE | Description | Affected Component | CVSSv3 |
|---|---|---|---|
| CVE-2025-61882 | Oracle Concurrent Processing Remote Code Execution Vulnerability | Business Intelligence Publisher (BI Publisher) Integration | 9.8 |
Was CVE-2025-61882 exploited in the wild as a zero-day?
Yes. As part of its Security Alert Advisory, Oracle included multiple indicators of compromise (IOCs). Additionally, a blog post from Rob Duhart, Chief Security Officer at Oracle, was updated to highlight the discovery of this zero-day during its investigation into reports of these compromises.
What are these reports of Oracle EBS customers being compromised?
On October 2, there were reports that Oracle customers received emails from the ransomware group known as Cl0p claiming to have stolen information from their EBS systems. On October 3, Oracle confirmed the reports of attempted extortion, adding that their preliminary investigation revealed exploitation of EBS vulnerabilities patched in the July 2025 Oracle Critical Patch Update (CPU).
What were the EBS vulnerabilities that were patched in the July 2025 Oracle CPU?
There were nine vulnerabilities patched in the July 2025 Oracle CPU:
| CVE | Affected Component | CVSSv3 |
|---|---|---|
| CVE-2025-30743 | Oracle Lease and Finance Management | 8.1 |
| CVE-2025-30744 | Oracle Mobile Field Service | 8.1 |
| CVE-2025-50105 | Oracle Universal Work Queue | 8.1 |
| CVE-2025-50071 | Oracle Applications Framework | 6.4 |
| CVE-2025-30746 | Oracle iStore | 6.1 |
| CVE-2025-30745 | Oracle MES for Process Manufacturing | 6.1 |
| CVE-2025-50107 | Oracle Universal Work Queue | 6.1 |
| CVE-2025-30739 | Oracle CRM Technical Foundation | 5.5 |
| CVE-2025-50090 | Oracle Applications Framework | 5.4 |
Did Oracle originally say that these vulnerabilities were potentially used in these attacks?
Yes, Oracle did highlight these flaws in a previous version of Duhart’s blog post:
Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates.
However, this reference has since been removed from the blog and replaced with a reference to CVE-2025-61882.
Does this removal mean the vulnerabilities from the July 2025 CPU were not used in these attacks?
The removal of the reference would imply the July 2025 CPU vulnerabilities were not utilized in these attacks. However, there are external reports that suggest that the Cl0p ransomware group exploited multiple vulnerabilities, including some from the July 2025 CPU release. This has not been officially confirmed by Oracle.
Who is the Cl0p ransomware group?
Cl0p (or “Clop”) is a notorious ransomware group that has been operating since February 2019. It began as a traditional ransomware group conducting double-extortion attacks, where it would encrypt and exfiltrate files, then extort victims with the threat of publishing them. The group later pivoted to campaigns focused purely on data exfiltration and extortion. Cl0p has a penchant for targeting and exploiting zero-day vulnerabilities in file transfer software including Accellion, MOVEit Transfer, GoAnywhere, and Cleo.
Is Cl0p identified by any other names?
Cl0p is often referred to as, or linked to, TA505 and FIN11, groups that have deployed the Cl0p ransomware and conducted extortion attacks leveraging various zero-day vulnerabilities.
Is there a proof-of-concept (PoC) available for these vulnerabilities?
As of October 5, there were no public proof-of-concept (PoC) exploits for CVE-2025-61882 or the other nine CVEs patched in the July 2025 Oracle CPU release.
Are patches or mitigations available for CVE-2025-61882 and other associated vulnerabilities?
Yes, patches are available. The zero-day vulnerability, CVE-2025-61882, and the nine CVEs from the July 2025 CPU all affect the same versions of Oracle EBS:
| Affected Product | Affected Versions | Fixed Versions (CVE-2025-61882) | Fixed Versions (July 2025 CPU) |
|---|---|---|---|
| Oracle E-Business Suite | 12.2.3 through 12.2.14 | Patch Availability Document | Patch Availability Document |
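Because every CVE discussed here shares the single affected range in the table above, the first defensive step is simply to find which EBS instances in an inventory fall inside it. The following is an added example (not code from Tenable or Oracle) that compares dotted version strings numerically rather than as plain strings, which matters here: as strings, "12.2.14" sorts before "12.2.3", so a naive string comparison would wrongly exclude the newest affected release. The inventory CSV is constructed for the example; the host names and the `triage` helper are assumptions, and only the range 12.2.3 through 12.2.14 comes from the advisory.

```python
"""Flag Oracle EBS instances whose version falls in the advisory's affected range."""
from __future__ import annotations

import csv
import io

# Affected range as stated in the Oracle Security Alert: 12.2.3 through 12.2.14 (inclusive).
AFFECTED_LOW = (12, 2, 3)
AFFECTED_HIGH = (12, 2, 14)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.2.14' into (12, 2, 14) so comparisons are numeric per component."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the first three components lie within 12.2.3 .. 12.2.14.

    Only the major.minor.patch triple is compared; anything beyond that
    (e.g. a fourth component) is ignored rather than guessed about.
    """
    triple = parse_version(version)[:3]
    if len(triple) < 3:
        # Too short to place inside the range; treat as unknown, not as safe.
        raise ValueError(f"need at least three components: {version!r}")
    return AFFECTED_LOW <= triple <= AFFECTED_HIGH


# Constructed sample inventory (hypothetical hosts, not real assets).
CONSTRUCTED_INVENTORY = """\
host,ebs_version
ebs-prod-01,12.2.12
ebs-prod-02,12.2.14
ebs-test-01,12.2.3
ebs-legacy-01,12.1.3
ebs-dev-01,12.2.15
"""


def triage(inventory_csv: str) -> list[tuple[str, str]]:
    """Return (host, version) pairs that are inside the affected range.

    Hosts outside the range are merely out of scope for this check; a version
    the advisory does not list (such as the 12.1.3 row here) is not thereby
    confirmed unaffected, so keep it on the review list rather than discarding it.
    """
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [
        (row["host"], row["ebs_version"])
        for row in rows
        if is_affected(row["ebs_version"])
    ]


if __name__ == "__main__":
    for host, version in triage(CONSTRUCTED_INVENTORY):
        print(f"{host}: EBS {version} is in the affected range; apply the CVE-2025-61882 patch")
```

Running the block on the constructed inventory reports the 12.2.12, 12.2.14 and 12.2.3 hosts; 12.2.15 and 12.1.3 fall outside the stated range and are left for manual review.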
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:
Oracle Zero-Day:
Oracle EBS July 2025 CPU vulnerabilities:
These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Satnam Narang. Read the original post at: https://www.tenable.com/blog/cve-2025-61882-faq-oracle-e-business-suite-zero-day-cl0p-and-july-2025-cpu