Oracle E-Business Suite dual-endpoint exploit campaigns

Campaign
Happening score: 59
1 unique source, 1 article

Summary

Two Oracle E-Business Suite exploit campaigns hit separate endpoints in July and August 2025, expanding the risk to exposed enterprise instances. The activity matters because the attackers used different attack paths, which points to sustained targeting rather than a one-off flaw. The July phase mapped to CVE-2025-61884 and the August phase to CVE-2025-61882, with the latter attributed to the Clop ransomware gang.

Related Happenings

HPE OneView RondoDox exploitation wave (CVE-2025-37164)

Exploitation Wave
First: 16.01.2026 11:15 Last: 16.01.2026 11:15 Sources 1

About this happening: **RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...

HPE OneView actively exploited remote code execution flaw (CVE-2025-37164)

Vulnerability
First: 08.01.2026 09:45 Last: 08.01.2026 09:45 Sources 1

About this happening: **CVE-2025-37164** in **HPE OneView** is being **actively exploited**, with **Check Point Research** reporting a **Linux-based RondoDox botnet** campaign that escalated in **Janua...

Oracle Identity Manager actively exploited missing authentication RCE (CVE-2025-61757)

Vulnerability
First: 22.11.2025 08:45 Last: 22.11.2025 08:45 Sources 1

About this happening: **CISA** added **CVE-2025-61757** to **KEV** after evidence of **active exploitation**, putting **Oracle Identity Manager** users at immediate risk of **pre-authenticated remote c...

Oracle EBS zero-day exploitation wave (dozens of victims)

Exploitation Wave
First: 12.11.2025 17:30 Last: 12.11.2025 17:30 Sources 1

About this happening: A **multi-victim Oracle E-Business Suite (EBS) exploitation wave** is affecting **dozens of victims**, with the total possibly exceeding **100**. The activity is tied to **zero-da...

CISA adds five KEV flaws and sets FCEB remediation deadline

Public Sector Action
First: 20.10.2025 22:00 Last: 20.10.2025 22:00 Sources 1

How related: The US cybersecurity agency is now requiring federal agencies to patch the security vulnerability by November 10, 2025.

About this happening: **CISA** added **CVE-2025-61884** in **Oracle E-Business Suite** to its **Known Exploited Vulnerabilities (KEV) Catalog** after confirming it is being **actively exploited**. The...

Timeline

  1. 21.10.2025 22:15 · 1 article

    ShinyHunters leaks Oracle exploit on Telegram

    Technical Analysis Update

    ShinyHunters leaks an Oracle exploit on Telegram, and the code is tied to the UiServlet SSRF attack chain against Oracle E-Business Suite and the Oracle Configurator runtime component; the leak is described as being used by Clop.

  2. 21.10.2025 22:15 · 1 article

    Oracle discloses CVE-2025-61882 and publishes leaked IOC

    Detection IOC Update

    Oracle discloses CVE-2025-61882, lists the leaked proof-of-concept as an IOC, and says the separate /OA_HTML/SyncServlet exploit path was fixed with mod_security rules and by stubbing out the SYNCSERVLET class.

  3. 21.10.2025 22:15 · 1 article

    Oracle discloses CVE-2025-61884 in Oracle Configurator runtime

    Initial Disclosure

    Oracle discloses CVE-2025-61884 as an unauthenticated server-side request forgery (SSRF) flaw in the Oracle Configurator runtime component, gives it a 7.5 severity rating, warns it could enable unauthorized access to critical data or complete access to all Oracle Configurator accessible data, and says the patch validates attacker-supplied return_url values with a regular expression.

  4. 21.10.2025 22:15 · 1 article

    CISA adds CVE-2025-61884 to KEV and orders patching

    Legal Policy Action Update

    CISA confirms active exploitation of CVE-2025-61884 in Oracle E-Business Suite, adds the flaw to the Known Exploited Vulnerabilities catalog, and requires U.S. federal agencies to patch by November 10, 2025; the activity is tied to the July campaign and a leaked exploit from ShinyHunters and the Scattered Lapsus$ extortion group.

  5. 21.10.2025 22:15 · 1 article

    CrowdStrike and Mandiant separate two Oracle E-Business Suite campaigns

    Campaign Scope Update

    CrowdStrike and Mandiant say Oracle E-Business Suite was targeted in two distinct campaigns: a July campaign that used an SSRF exploit against the "/configurator/UiServlet" endpoint now confirmed as CVE-2025-61884, and an August campaign that used a different exploit against the "/OA_HTML/SyncServlet" endpoint and was fixed under CVE-2025-61882, which is attributed to Clop.
