
Oracle E-Business Suite CVE-2025-61882 exploitation, extortion, and breach fallout

Updated 23.12.2025 18:00
Case score 71 · Members 6 · First seen 06.10.2025 04:37 · Last seen 21.10.2025 22:15
Active exploitation · Public PoC/exploit reported · KEV: CISA KEV · Patch available

Overview

**Oracle E-Business Suite** exposure around **CVE-2025-61882** has developed from zero-day disclosure into a broader exploitation and extortion story with confirmed breach fallout at universities. Available material ties active abuse to **Clop / Graceful Spider / FIN11**, with intrusions likely starting by **August 9, 2025**, executive extortion emails appearing from **September 29**, and separate reporting on a second exploited flaw, **CVE-2025-61884**. **University of Phoenix** disclosed a breach affecting **3,489,274 individuals**, while **Harvard University** said related activity appears limited to a small administrative unit. Oracle has issued emergency updates for both flaws, and **CISA** set KEV deadlines of **October 27, 2025** for **CVE-2025-61882** and **November 10, 2025** for **CVE-2025-61884**.

Signals

12 derived
Exploitation: Active exploitation · Public PoC/exploit reported
Affected impact: 3,489,274 individuals
Victims/regions: Sector: media
Remediation: KEV: CISA KEV · Patch available

Malware context

6 families · 5 tools
Tools
ShinyHunters, Clop DLS, GOLDTOMB backdoor, GOLDVEIN.JAVA, Telegram

Member happenings

6 related
Exploitation Wave: Oracle E-Business Suite Cl0p multi-vulnerability exploitation wave
Updated 07.10.2025 08:12 · Lead · Contribution 65
Exploitation: Active Exploitation · CVSS: 9.8 Critical · Patch: Patch Available

**Oracle E-Business Suite (EBS)** exploitation tied to **Clop / FIN11** has been ongoing since at least **August 9, 2025**, with **CVE-2025-61882** used for **unauthenticated remote code execution** and **data theft**. **Google Threat Intelligence Group (GTIG)** and **Mandiant** said the campaign likely exfiltrated a **significant amount** of data, and that extortion emails sent since **September 29** referenced contact addresses **[email protected]** and **[email protected]**. **Oracle** released an emergency patch on **October 4** for affected versions **12.2.3-12.2.14**, and GTIG said patched servers are likely no longer vulnerable to known exploitation chains.

Campaign: Clop Oracle E-Business Suite extortion campaign
Updated 06.10.2025 04:37 · Scoring Support · Contribution 1
Objective: Financial Extortion · Campaign: Active

**Clop**'s **Oracle E-Business Suite** extortion campaign has now been tied to **LKQ**, which was named by the group on its leak site as one of the first victims. The broader campaign is linked to **CVE-2025-61882** and has targeted **more than 100 organizations** across multiple sectors since it surfaced in **early October 2025**. In a separate disclosure, the **University of Phoenix** said attackers accessed its systems during **August 13-22, 2025** through its **Oracle E-Business Suite (EBS)** financial application. The university said the breach affected **3,489,274 individuals**, including **9131 Maine residents**, and involved sensitive personal and financial information.

Campaign: Oracle E-Business Suite dual-endpoint exploit campaigns
Updated 21.10.2025 22:15 · Scoring Support · Contribution 1
Objective: Financial Extortion · Campaign: Attributed · Patch: Patch Available

Two **Oracle E-Business Suite** exploit campaigns hit separate endpoints in **July and August 2025**, expanding the risk to exposed enterprise instances. The activity matters because the attackers used **different attack paths**, showing sustained targeting rather than a one-off flaw. One phase mapped to **CVE-2025-61884** and the other to **CVE-2025-61882**, with the latter attributed to the **Clop ransomware gang**.

Vulnerability: Oracle E-Business Suite actively exploited unauthenticated RCE (CVE-2025-61882)
Updated 06.10.2025 04:37 · Scoring Support
Exploitation: Active Exploitation · Exploit: Public Exploit · Data Type: Physical Addresses · CVSS: 9.8 Critical

**CVE-2025-61882** is a **critical zero-day** in **Oracle E-Business Suite** that enabled **unauthenticated remote code execution** and was **actively exploited** in **Clop** data theft activity. The flaw affects **Oracle Concurrent Processing / BI Publisher Integration** and poses immediate risk to exposed systems. **Oracle** issued an **emergency update**, and the exploit material tied to the abuse also circulated publicly. **Google Threat Intelligence Group (GTIG)** and **Mandiant** assessed that the campaign likely began targeting **Oracle EBS** as early as **August 9, 2025**, with **significant data exfiltration** and extortion emails observed from **September 29**. The latest report adds that the **University of Phoenix** disclosed a breach affecting **3,489,274 individuals** after unauthorized access to its **Oracle E-Business Suite (EBS)** financial application during **August 13-22, 2025**. The institution said the stolen information included **names and contact information**, **dates of birth**, **Social Security numbers**, and **bank account and routing numbers**. Investigators found the intrusion was not detected until **November 21**, and the university filed notice in **early December** and offered **identity protection services** to affected individuals. The attack is believed to be part of the broader **Clop** campaign exploiting **CVE-2025-61882** across **more than 100 organizations**.

Security Patch Release: Oracle E-Business Suite CVE-2025-61884 emergency security update
Updated 13.10.2025 17:42 · Context
Exploitation: No Known Exploitation · CVSS: 7.5 High · Urgency: High · Patch: Patch Available

**Oracle E-Business Suite** **CVE-2025-61884** is an **unauthenticated SSRF** flaw in the **Oracle Configurator runtime** that **CISA** says is being **actively exploited**. Oracle disclosed the issue on **October 11** and rated it **CVSS 7.5**; the **CISA** KEV deadline for federal agencies to patch is **November 10, 2025**. Reporting ties the abuse to **July attacks** and a leaked exploit associated with **ShinyHunters** and the **Scattered Lapsus$** extortion group, while separating it from the distinct **CVE-2025-61882** activity against **/OA_HTML/SyncServlet** attributed to **Clop**.

Security Patch Release: Oracle security patch release for CVE-2025-61882
Updated 06.10.2025 08:15 · Context
Exploitation: Active Exploitation · CVSS: 9.8 Critical · Urgency: Immediate · Patch: Patch Available

**Oracle** released an **emergency update** for **Oracle E-Business Suite** to fix **CVE-2025-61882**, a **critical** flaw with **active exploitation** risk tied to **Cl0p data theft attacks**. The bug can be reached over **HTTP without authentication** and may enable **remote code execution** in the **Oracle Concurrent Processing** component. Oracle also said it issued additional fixes after uncovering more potential exploitation during its investigation.