Exploitation Wave Campaign ×2 Security Patch Release ×2 Vulnerability

Oracle E-Business Suite CVE-2025-61882 exploitation, extortion, and breach fallout

Updated 23.12.2025 18:00

Case score 71

Case score 71 Members 6 Latest activity 23.12.2025 18:00 Active exploitation Public PoC/exploit reported KEV: CISA KEV Patch available

Active exploitation Public PoC/exploit reported KEV: CISA KEV Patch available

Members 6 First seen 06.10.2025 04:37 Last seen 21.10.2025 22:15 Updated 23.12.2025 18:00

Overview

**Oracle E-Business Suite** exposure around **CVE-2025-61882** has developed from zero-day disclosure into a broader exploitation and extortion story with confirmed breach fallout at universities. Available material ties active abuse to **Clop / Graceful Spider / FIN11**, with intrusions likely starting by **August 9, 2025**, executive extortion emails appearing from **September 29**, and separate reporting on a second exploited flaw, **CVE-2025-61884**. **University of Phoenix** disclosed a breach affecting **3,489,274 individuals**, while **Harvard University** said related activity appears limited to a small administrative unit. Oracle has issued emergency updates for both flaws, and **CISA** set KEV deadlines of **October 27, 2025** for **CVE-2025-61882** and **November 10, 2025** for **CVE-2025-61884**.

Key facts

**CVE-2025-61882** is a critical **Oracle E-Business Suite** flaw that enabled unauthenticated remote code execution in affected **12.2.3-12.2.14** environments and was actively exploited.
Intrusion activity likely began by **August 9, 2025**, and extortion emails reached executives from **September 29** using **[email protected]** and **[email protected]**.
Confirmed fallout includes a **University of Phoenix** breach affecting **3,489,274 individuals** and a **Harvard University** investigation that the school said appears limited to a small administrative unit.
Reported exploit paths include **/OA_HTML/SyncServlet**, **Oracle's XML Publisher Template Manager**, and **/configurator/UiServlet**, with **CVE-2025-61884** bringing a second actively exploited Oracle EBS issue into scope.
Oracle released emergency updates for **CVE-2025-61882** and **CVE-2025-61884**, and patched systems are described as likely no longer vulnerable to known exploitation chains.
**CISA** added both flaws to the **Known Exploited Vulnerabilities** catalog, with deadlines of **October 27, 2025** for **CVE-2025-61882** and **November 10, 2025** for **CVE-2025-61884**.

A critical **Oracle E-Business Suite** zero-day, **CVE-2025-61882**, enabled unauthenticated remote code execution in affected **12.2.3-12.2.14** environments and became the main access path in ongoing data-theft and extortion activity. Available reporting places the intrusion activity as early as **August 9, 2025**, with significant data exfiltration occurring before patches were available and extortion emails reaching executives from **September 29** using **[email protected]** and **[email protected]**. The campaign has been linked in available material to **Clop / Graceful Spider / FIN11**, and disclosure activity later expanded into concrete victim fallout including a **University of Phoenix** breach affecting **3,489,274 individuals** and a **Harvard University** investigation that the school said appears limited to a small administrative unit. Technical reporting describes abuse of **/OA_HTML/SyncServlet** and **Oracle's XML Publisher Template Manager** to upload and execute a malicious **XSLT** template, while separate July and August activity hit **/configurator/UiServlet** and helped bring **CVE-2025-61884** into scope as a second actively exploited Oracle EBS issue. That second flaw is an unauthenticated **SSRF** weakness in the **Oracle Configurator runtime** component, showing that defenders needed to review more than one endpoint and more than one exploitation chain across exposed EBS instances. Available evidence supports a sustained Oracle EBS intrusion-and-extortion sequence, but it does not establish the full victim count or prove that every reported intrusion used the same path. Oracle released an emergency update for **CVE-2025-61882** on **October 4** and later issued an emergency out-of-band fix for **CVE-2025-61884**. Guidance tied to the first update indicates systems that received the fix are likely no longer vulnerable to known exploitation chains, but organizations with historical internet exposure still need compromise review because data theft and extortion were already underway before patching. **CISA** added both flaws to the **Known Exploited Vulnerabilities** catalog, setting remediation deadlines of **October 27, 2025** for **CVE-2025-61882** and **November 10, 2025** for **CVE-2025-61884**.

Malware context

6 families · 5 tools

Tools

ShinyHunters Clop DLS GOLDTOMB backdoor GOLDVEIN.JAVA Telegram

Signals

10 derived

Exploitation

CVSS Exploitation Active exploitation Exploit Public PoC/exploit reported

Affected impact

Affected 3,489,274 individuals

CVEs/products

CVE CVE

Victims/regions

Sector media

Remediation

KEV CISA KEV Remediation Patch available

Threat context

Member happenings

6 related

Exploitation Wave Oracle E-Business Suite Cl0p multi-vulnerability exploitation wave

Updated 07.10.2025 08:12 Lead Contribution 65

Exploitation Active Exploitation CVSS 9.8 Critical Patch Patch Available

**Oracle E-Business Suite (EBS)** exploitation tied to **Clop / FIN11** has been ongoing since at least **August 9, 2025**, with **CVE-2025-61882** used for **unauthenticated remote code execution** and **data theft**. **Google Threat Intelligence Group (GTIG)** and **Mandiant** said the campaign likely exfiltrated a **significant amount** of data, and that extortion emails sent since **September 29** referenced contact addresses **[email protected]** and **[email protected]**. **Oracle** released an emergency patch on **October 4** for affected **12.2.3-12.2.14** versions, and GTIG said patched servers are likely no longer vulnerable to known exploitation chains.

View happening

Campaign Clop Oracle E-Business Suite extortion campaign

Updated 06.10.2025 04:37 Scoring Support Contribution 1

Campaign Active Objective Financial Extortion

**Clop**'s **Oracle E-Business Suite** extortion campaign has now been tied to **LKQ**, which was named by the group on its leak site as one of the first victims. The broader campaign is linked to **CVE-2025-61882** and has targeted **more than 100 organizations** across multiple sectors since it surfaced in **early October 2025**. In a separate disclosure, the **University of Phoenix** said attackers accessed its systems during **August 13-22, 2025** through its **Oracle E-Business Suite (EBS)** financial application. The university said the breach affected **3,489,274 individuals**, including **9131 Maine residents**, and involved sensitive personal and financial information.

View happening

Campaign Oracle E-Business Suite dual-endpoint exploit campaigns

Updated 21.10.2025 22:15 Scoring Support Contribution 1

Campaign Attributed Objective Financial Extortion

Two **Oracle E-Business Suite** exploit campaigns hit separate endpoints in **July and August 2025**, expanding the risk to exposed enterprise instances. The activity matters because the attackers used **different attack paths**, showing sustained targeting rather than a one-off flaw. One phase mapped to **CVE-2025-61884** and the other to **CVE-2025-61882**, with the latter attributed to the **Clop ransomware gang**.

View happening

Vulnerability Oracle E-Business Suite actively exploited unauthenticated RCE (CVE-2025-61882)

Updated 06.10.2025 04:37 Scoring Support

Exploitation Active Exploitation Exploit Public Exploit Data Type Physical Addresses CVSS 9.8 Critical +1

**CVE-2025-61882** is a **critical zero-day** in **Oracle E-Business Suite** that enabled **unauthenticated remote code execution** and was **actively exploited** in **Clop** data theft activity. The flaw affects **Oracle Concurrent Processing / BI Publisher Integration** and poses immediate risk to exposed systems. **Oracle** issued an **emergency update**, and the exploit material tied to the abuse also circulated publicly. **Google Threat Intelligence Group (GTIG)** and **Mandiant** assessed that the campaign likely began targeting **Oracle EBS** as early as **August 9, 2025**, with **significant data exfiltration** and extortion emails observed from **September 29**. The latest report adds that the **University of Phoenix** disclosed a breach affecting **3,489,274 individuals** after unauthorized access to its **Oracle E-Business Suite (EBS)** financial application during **August 13-22, 2025**. The institution said the stolen information included **names and contact information**, **dates of birth**, **Social Security numbers**, and **bank account and routing numbers**. Investigators found the intrusion was not detected until **November 21**, and the university filed notice in **early December** and offered **identity protection services** to affected individuals. The attack is believed to be part of the broader **Clop** campaign exploiting **CVE-2025-61882** across **more than 100 organizations**.

View happening

Security Patch Release Oracle E-Business Suite CVE-2025-61884 emergency security update

Updated 13.10.2025 17:42 Context

Exploitation No Known Exploitation Urgency High CVSS 7.5 High Patch Patch Available

**Oracle E-Business Suite** **CVE-2025-61884** is an **unauthenticated SSRF** flaw in the **Oracle Configurator runtime** that **CISA** says is being **actively exploited**. Oracle disclosed the issue on **October 11**, rated it **CVSS 7.5**, and told federal agencies to patch by **November 10, 2025**. Reporting ties the abuse to **July attacks** and a leaked exploit associated with **ShinyHunters** and the **Scattered Lapsus$** extortion group, while separating it from the distinct **CVE-2025-61882** activity against **/OA_HTML/SyncServlet** attributed to **Clop**.

View happening

Security Patch Release Oracle security patch release for CVE-2025-61882

Updated 06.10.2025 08:15 Context

Exploitation Active Exploitation Urgency Immediate CVSS 9.8 Critical Patch Patch Available

**Oracle** released an **emergency update** for **Oracle E-Business Suite** to fix **CVE-2025-61882**, a **critical** flaw with **active exploitation** risk tied to **Cl0p data theft attacks**. The bug can be reached over **HTTP without authentication** and may enable **remote code execution** in the **Oracle Concurrent Processing** component. Oracle also said it issued additional fixes after uncovering more potential exploitation during its investigation.

View happening