Oracle issued an **emergency security update** to patch a critical **information disclosure vulnerability (CVE-2025-61884, CVSS 7.5)** in the **Runtime UI component of E-Business Suite (EBS) versions 12.2.3 through 12.2.14**. The flaw is **remotely exploitable over HTTP by an unauthenticated attacker**, and a successful exploit grants access to **sensitive resources** held by the affected instance, which for an ERP system can mean financial, employee, or customer data. The patch landed in the middle of a broader **extortion campaign** attributed to the **Cl0p ransomware group (FIN11)**, which had exploited a separate EBS zero-day, **CVE-2025-61882 (CVSS 9.8, remote code execution)**, to **steal data** and send **extortion emails** to executives. Oracle did not confirm active exploitation of CVE-2025-61884, but an out-of-band alert for a second flaw in the same product, issued while that campaign was ongoing, should be treated as high risk. The campaign also reportedly involved **compromised email accounts** and abuse of EBS's **default password-reset mechanism** to obtain credentials, potentially exposing **confidential business data**, **intellectual property**, or **operational secrets**. The incident underlines how exploitation of a single widely deployed enterprise application can become a mass **data breach**, with **financial fraud, reputational damage, or regulatory penalties** as the downstream consequences for each affected customer.
TPRM report: https://www.rankiteo.com/company/oracle
"id": "ora0832608101425",
"linkid": "oracle",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Multiple (Exact Number '
'Unspecified)',
'industry': 'Technology',
'location': 'Global (HQ: Redwood City, California, '
'USA)',
'name': 'Oracle Corporation',
'size': 'Large Enterprise',
'type': 'Software Vendor'},
{'location': 'Global',
'name': 'Unspecified Organizations Using Oracle '
'E-Business Suite',
'type': ['Enterprises',
'Government Agencies',
'Potential High-Value Targets']}],
'attack_vector': ['Network',
'HTTP',
'Exploitation of Public-Facing Application'],
'customer_advisories': ['Apply Emergency Patches for CVE-2025-61884 and '
'CVE-2025-61882',
'Monitor for Suspicious Activity'],
'data_breach': {'data_exfiltration': 'Claimed in Extortion Emails '
'(Unverified)',
'sensitivity_of_data': 'High (Potential Access to '
'Confidential Business Data)',
'type_of_data_compromised': ['Sensitive Resources',
'Potentially Oracle EBS Data (as '
'per Extortion Claims)']},
'date_detected': '2025-07-10',
'date_publicly_disclosed': '2025-10-14',
'description': 'Oracle issued emergency security updates to address critical '
'vulnerabilities (CVE-2025-61884 and CVE-2025-61882) in its '
'E-Business Suite (EBS). The flaws, exploitable remotely '
'without authentication, were linked to extortion campaigns by '
'the Cl0p ransomware group (FIN11). Attackers exploited these '
'vulnerabilities to steal sensitive data, send extortion '
'emails to executives, and potentially gain control of Oracle '
'Concurrent Processing components. Oracle urged immediate '
'patching to mitigate risks, while Google Mandiant and '
'CrowdStrike attributed the attacks to Cl0p with moderate '
'confidence. A proof-of-concept (POC) exploit was disclosed on '
'October 3, 2025, increasing the likelihood of further '
'exploitation by threat actors.',
'impact': {'brand_reputation_impact': ['Potential Reputation Damage Due to '
'Data Theft Claims and Extortion '
'Campaigns'],
'data_compromised': ['Sensitive Resources',
'Potential Oracle E-Business Suite Data (as '
'claimed in extortion emails)'],
'identity_theft_risk': ['High (Due to Potential Exposure of '
'Sensitive Data)'],
'operational_impact': ['Potential Disruption Due to Unauthorized '
'Access',
'Emergency Patching Requirements'],
'systems_affected': ['Oracle E-Business Suite (Versions '
'12.2.3–12.2.14)',
'Runtime UI Component',
'BI Publisher Integration',
'Concurrent Processing Component']},
'initial_access_broker': {'entry_point': ['Exploitation of Oracle EBS '
'Vulnerabilities (CVE-2025-61882, '
'CVE-2025-61884)',
'Hacked User Emails',
'Default Password Reset Mechanisms'],
'high_value_targets': ['Company Executives '
'(Extortion Emails)',
'Oracle EBS Databases'],
'reconnaissance_period': 'Potentially Began on '
'2025-07-10 (Prior to July '
'Patches)'},
'investigation_status': 'Ongoing (Google, Mandiant, and CrowdStrike '
'Investigating Extent of Exploitation)',
'lessons_learned': ['Critical Importance of Timely Patching for Public-Facing '
'Applications',
'Risks of Zero-Day Exploitation in Enterprise Software',
'Need for Enhanced Monitoring of Oracle EBS Instances',
'Potential for Mass Extortion Campaigns Leveraging Stolen '
'Credentials'],
'motivation': ['Financial Gain', 'Data Theft', 'Extortion'],
'post_incident_analysis': {'corrective_actions': ['Oracle Released '
'Out-of-Band Patches',
'Customers Advised to Apply '
'Patches and Monitor '
'Systems',
'Enhanced Threat '
'Intelligence Sharing '
'(e.g., POC Disclosure as '
'IOC)'],
'root_causes': ['Unpatched Vulnerabilities in '
'Oracle E-Business Suite',
'Lack of Authentication for Remote '
'Exploitation',
'Potential Weaknesses in Default '
'Password Reset Mechanisms',
'Delayed Patch Deployment by Some '
'Customers']},
'ransomware': {'data_exfiltration': 'Claimed (Unverified)',
'ransom_demanded': 'Extortion Emails Sent (Amount Unspecified)',
'ransomware_strain': 'Cl0p'},
'recommendations': ['Apply Oracle Security Alerts and Critical Patch Updates '
'Immediately',
'Monitor for Signs of Exploitation (e.g., Unusual '
'Database Activity, Extortion Emails)',
'Implement Multi-Factor Authentication (MFA) for Oracle '
'EBS',
'Review and Secure Default Password Reset Mechanisms',
'Segment Networks to Limit Lateral Movement',
'Engage Third-Party Threat Intelligence for Indicators of '
'Compromise (IOCs)'],
'references': [{'date_accessed': '2025-10-14',
'source': 'SecurityAffairs',
'url': 'https://securityaffairs.co/wordpress/150000/hacking/oracle-ebs-flaw-cve-2025-61884.html'},
{'date_accessed': '2025-10-14',
'source': 'Oracle Security Alert Advisory'},
{'date_accessed': '2025-10-03',
'source': 'Google Threat Intelligence & Mandiant Analysis'},
{'date_accessed': '2025-10-03',
'source': 'CrowdStrike Report on CVE-2025-61882 '
'Exploitation'}],
'response': {'communication_strategy': ['Public Security Advisories',
'Direct Customer Notifications'],
'containment_measures': ['Emergency Patching (CVE-2025-61884 & '
'CVE-2025-61882)',
'Urgent Advisory for Customers to Apply '
'Updates'],
'enhanced_monitoring': 'Recommended (Oracle Advised Customers to '
'Monitor for Exploitation Attempts)',
'incident_response_plan_activated': 'Yes (Oracle Released '
'Emergency Security Alerts '
'and Patches)',
'remediation_measures': ['Patch Deployment',
'Mitigation Guidance for Unpatched '
'Systems'],
'third_party_assistance': ['Google Threat Intelligence',
'Mandiant',
'CrowdStrike']},
'stakeholder_advisories': ['Oracle Customers Urged to Patch Immediately',
'Executives Warned About Extortion Emails'],
'threat_actor': ['Cl0p Ransomware Group (Graceful Spider)',
'FIN11',
'Potential involvement of Scattered Spider, Slippy Spider '
'(Lapsus$), ShinyHunters'],
'title': 'Oracle E-Business Suite Vulnerabilities (CVE-2025-61884 & '
'CVE-2025-61882) Exploited in Extortion Campaigns',
'type': ['Vulnerability Exploitation',
'Data Theft',
'Extortion Campaign',
'Unauthorized Access'],
'vulnerability_exploited': ['CVE-2025-61884 (CVSS 7.5 - Information '
'Disclosure in Runtime UI)',
'CVE-2025-61882 (CVSS 9.8 - Remote Code Execution '
'in BI Publisher Integration/Concurrent '
'Processing)']}
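One concrete check the recommendations above call for is knowing which EBS instances fall inside the affected range and which of them were exposed before they were patched. The following Python is an added example, not rankiteo's, Oracle's, or any cited vendor's code. It assumes an inventory shaped as (host, version string, internet-facing flag, date the October 2025 EBS Security Alert patches were applied); the hosts, versions, and dates in the sample inventory are constructed.

```python
"""Triage an Oracle E-Business Suite (EBS) estate against the affected range
stated above (12.2.3 through 12.2.14) and the earliest exploitation date the
report gives (2025-07-10).

Added example, not code from rankiteo, Oracle, or any of the cited vendors.
The inventory shape (host, version string, internet-facing flag, patch date)
is an assumption about how a team records its instances."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

# Affected versions and earliest observed exploitation, as stated in the report.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)
EXPLOITATION_START = date(2025, 7, 10)


@dataclass
class EbsInstance:
    host: str
    version: str                # e.g. "12.2.14"
    internet_facing: bool       # reachable from the internet (the campaign's entry point)
    patched_on: Optional[date]  # date the October 2025 Security Alert patches went on, or None


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised EBS version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True when the version falls inside 12.2.3..12.2.14 inclusive.

    Tuple comparison avoids the string-compare mistake where '12.2.14' < '12.2.3'.
    """
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def classify(inst):
    """Return (priority, note) for one instance; the priority string sorts most urgent first."""
    if not is_affected(inst.version):
        return ("P4", f"{inst.version} is outside the affected range; no action from these alerts")
    if inst.patched_on is None:
        if inst.internet_facing:
            return ("P1", "affected, unpatched, internet-facing: patch now and assume exposure")
        return ("P2", "affected, unpatched, internal only: patch now")
    # Patched, but exploitation predates the patch, so the host sat exposed for a
    # window that still needs a compromise assessment rather than a clean bill.
    exposed_days = max(0, (inst.patched_on - EXPLOITATION_START).days)
    return ("P3", f"patched {inst.patched_on.isoformat()} after roughly {exposed_days} days "
                  f"of exposure: hunt for pre-patch compromise")


def triage(inventory):
    """Sort the estate most-urgent first; ties broken by host name for a stable report."""
    rows = []
    for inst in inventory:
        prio, note = classify(inst)
        rows.append((prio, inst.host, note))
    return sorted(rows)


# Constructed sample inventory; the hosts, versions, and dates are illustrative.
SAMPLE_INVENTORY = [
    EbsInstance("ebs-prod-ext", "12.2.14", True, None),
    EbsInstance("ebs-prod-int", "12.2.3", False, None),
    EbsInstance("ebs-uat", "12.2.10", True, date(2025, 10, 13)),
    EbsInstance("ebs-legacy", "12.1.3", False, None),
]

if __name__ == "__main__":
    for prio, host, note in triage(SAMPLE_INVENTORY):
        print(f"{prio}  {host:<14} {note}")
```

Two design points. Tuple comparison matters: comparing version strings lexically would rank "12.2.14" below "12.2.3" and silently drop the newest affected release from the list. The P3 bucket is deliberate: a host patched in October still ran an affected version through the window the report dates from 2025-07-10, so applying the patch closes the hole but does not answer whether it was already used, and that host belongs in the compromise-assessment queue, not the "done" column.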