Find notable cyber news and cases, enriched with sources, timelines, and signals.

Oracle E-Business Suite dual-endpoint exploit campaigns

Campaign
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

Two Oracle E-Business Suite exploit campaigns hit separate endpoints in July and August 2025, expanding the risk to exposed enterprise instances. The activity matters because the attackers used different attack paths, showing sustained targeting rather than a one-off flaw. One phase mapped to CVE-2025-61884 and the other to CVE-2025-61882, with the latter attributed to the Clop ransomware gang.

Cases

Related Happenings

Oracle PeopleSoft PeopleTools zero-day RCE (CVE-2026-35273)

Vulnerability
H score58 First: 11.06.2026 22:39 Last: 11.06.2026 22:39 Sources 1

About this happening: **Oracle PeopleSoft PeopleTools CVE-2026-35273** is a critical **zero-day RCE** affecting **PeopleSoft Enterprise PeopleTools 8.61 and 8.62**. Oracle released **emergency mitigati...

Latest development: 29.06.2026 23:40

Nissan says it suffered a data breach affecting current and former employees after attackers exploited an Oracle PeopleSoft zero-day associated with CVE-2026-35273. Oracle informed Nissan that personnel records of hundreds of companies may have been obtained and that Nissan was specifically targeted, with potentially exposed data including contact details, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary data for employees in the United States, Canada, Mexico, and Brazil.

Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)

Vulnerability
H score59 First: 02.06.2026 15:40 Last: 02.06.2026 15:40 Sources 1

About this happening: **CVE-2024-21182** in **Oracle WebLogic Server** is **actively exploited** and can let a **network-access attacker** achieve **unauthenticated remote compromise**. The flaw affect...

HPE OneView RondoDox exploitation wave (CVE-2025-37164)

Exploitation Wave
H score59 First: 16.01.2026 11:15 Last: 16.01.2026 11:15 Sources 1

About this happening: **RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...

HPE OneView actively exploited remote code execution flaw (CVE-2025-37164)

Vulnerability
H score83 First: 08.01.2026 09:45 Last: 08.01.2026 09:45 Sources 1

About this happening: **CVE-2025-37164** in **HPE OneView** is being **actively exploited**, with **Check Point Research** reporting a **Linux-based RondoDox botnet** campaign that escalated in **Janua...

Oracle Identity Manager actively exploited missing authentication RCE (CVE-2025-61757)

Vulnerability
H score46 First: 22.11.2025 08:45 Last: 22.11.2025 08:45 Sources 1

About this happening: **CISA** added **CVE-2025-61757** to **KEV** after evidence of **active exploitation**, putting **Oracle Identity Manager** users at immediate risk of **pre-authenticated remote c...

Timeline

  1. 21.10.2025 22:15 1 articles · 8mo ago

    ShinyHunters leaks Oracle exploit on Telegram

    Technical Analysis Update

    ShinyHunters leaks an Oracle exploit on Telegram, and the code is tied to the UiServlet SSRF attack chain against Oracle E-Business Suite and the Oracle Configurator runtime component; the leak is described as being used by Clop.

    Show sources
  2. 21.10.2025 22:15 1 articles · 8mo ago

    Oracle discloses CVE-2025-61882 and publishes leaked IOC

    Detection Ioc Update

    Oracle discloses CVE-2025-61882, lists the leaked proof-of-concept as an IOC, and says the separate /OA_HTML/SyncServlet exploit path was fixed with mod_security rules and by stubbing out the SYNCSERVLET class.

    Show sources
  3. 21.10.2025 22:15 1 articles · 8mo ago

    Oracle discloses CVE-2025-61884 in Oracle Configurator runtime

    Initial Disclosure

    Oracle discloses CVE-2025-61884 as an unauthenticated server-side request forgery (SSRF) flaw in the Oracle Configurator runtime component, gives it a 7.5 severity rating, warns it could enable unauthorized access to critical data or complete access to all Oracle Configurator accessible data, and says the patch validates attacker-supplied return_url values with a regular expression.

    Show sources
  4. 21.10.2025 22:15 1 articles · 8mo ago

    CISA adds CVE-2025-61884 to KEV and orders patching

    Legal Policy Action Update

    CISA confirms active exploitation of CVE-2025-61884 in Oracle E-Business Suite, adds the flaw to the Known Exploited Vulnerabilities catalog, and requires U.S. federal agencies to patch by November 10, 2025; the activity is tied to the July campaign and a leaked exploit from ShinyHunters and the Scattered Lapsus$ extortion group.

    Show sources
  5. 21.10.2025 22:15 1 articles · 8mo ago

    CrowdStrike and Mandiant separate two Oracle E-Business Suite campaigns

    Campaign Scope Update

    CrowdStrike and Mandiant say Oracle E-Business Suite was targeted in two distinct campaigns: a July campaign that used an SSRF exploit against the "/configurator/UiServlet" endpoint now confirmed as CVE-2025-61884, and an August campaign that used a different exploit against the "/OA_HTML/SyncServlet" endpoint and was fixed under CVE-2025-61882, which is attributed to Clop.

    Show sources