CrowdStrike Warns of Cl0p Group Exploiting Oracle EBS Critical Vulnerability

Cl0p group and other threat actors are exploiting a critical Oracle EBS vulnerability. Apply the emergency patch now to protect your data.


Cybersecurity firm CrowdStrike has revealed that threat actors, including the notorious Cl0p group, have been exploiting a critical vulnerability in Oracle E-Business Suite (EBS) to carry out unauthenticated remote code execution (RCE) attacks. The vulnerability, identified as CVE-2025-61882, has been linked to several data theft incidents, prompting Oracle to release an emergency patch.

CrowdStrike observed attackers using the /OA_HTML/SyncServlet endpoint to bypass authentication and target the XML Publisher Template Manager. The first known attacks exploiting this flaw occurred on August 9, 2025. The Cl0p group claimed to have stolen Oracle EBS data on September 29, 2025, confirming their involvement in the attacks.

The vulnerability affects Oracle EBS versions 12.2.3 to 12.2.14 and is easily exploitable via HTTP. Successful exploitation allows unauthenticated remote attackers to control the Oracle Concurrent Processing component, leading to outbound TLS connections to attacker infrastructure for command execution and persistence. Oracle released an emergency patch on October 4, 2025, to address this critical issue.

In addition to the Cl0p group, another threat actor collective known as 'SCATTERED LAPSUS$' or 'Shiny Hunters' publicly released an exploit for CVE-2025-61882 in early October 2025 via Telegram, indicating their possible involvement in the exploitation of this vulnerability.

CrowdStrike warns of increased threat actor activity following the public disclosure of proof-of-concept (PoC) exploits and the release of the emergency patch for CVE-2025-61882. Oracle EBS users are urged to apply the emergency patch immediately to mitigate the risk of unauthenticated RCE attacks. Organizations are advised to remain vigilant and monitor their systems for any signs of compromise.
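As a starting point for that monitoring, the following added example (not code from CrowdStrike or Oracle) triages web access logs for requests to the `/OA_HTML/SyncServlet` endpoint named above, on or after the first known attack date. It assumes Apache-style "combined" log lines; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from posixpath import normpath
from urllib.parse import unquote

TARGET_PATH = "/oa_html/syncservlet"  # endpoint named in the article
FIRST_KNOWN_ATTACK = datetime(2025, 8, 9, tzinfo=timezone.utc)  # date from the article

# Assumption: Apache-style "combined" access-log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    """Drop the query string, decode %xx, strip ;params, resolve ./ ../ //, lowercase."""
    path = unquote(re.split(r"[?#]", target, maxsplit=1)[0])
    path = re.sub(r";[^/]*", "", path)   # path parameters such as ;jsessionid=...
    path = re.sub(r"/+", "/", path)      # collapse repeated slashes
    return normpath(path).lower()        # lowercasing over-matches, which suits triage

def find_syncservlet_hits(lines, since=FIRST_KNOWN_ATTACK):
    """Return {client_ip: [(timestamp, method, status), ...]} for SyncServlet requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts >= since and normalize_path(m["target"]) == TARGET_PATH:
            hits[m["ip"]].append((ts, m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [09/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [09/Aug/2025:03:14:09 +0000] "POST /OA_HTML/%53yncServlet?x=1 HTTP/1.1" 200 128 "-" "-"',
    '203.0.113.5 - - [01/Jul/2025:10:00:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.77 - - [02/Oct/2025:22:41:10 +0000] "GET /OA_HTML//./SyncServlet HTTP/1.1" 302 0 "-" "-"',
    '10.0.0.8 - - [02/Oct/2025:22:45:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_syncservlet_hits(SAMPLE_LOG).items():
        print(ip, len(events), "request(s); first seen", events[0][0].isoformat())
```

A hit shows only that the endpoint was requested, not that exploitation succeeded; pass an earlier `since` value to widen the search window.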
