Oracle Patches E-Business Suite Zero-Day Amid Clop Extortion Attacks
Oracle has patched a critical zero-day remote code execution flaw in its E-Business Suite, which was being exploited by the Clop gang in a rash of data theft and extortion attacks.

October 6, 2025 | 2 min read

The flaw (CVE-2025-61882) is remotely exploitable without authentication (meaning it can be exploited over a network without the need for a username or password), and impacts Oracle E-Business Suite versions 12.2.3 through 12.2.14. It resides in the BI Publishing Integration component of Oracle Concurrent Publishing, a feature of the suite that allows users to publish reports and documents in various formats.
“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” according to Oracle in an emergency update for the flaw, which was released on Oct. 4. “Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay.”
The flaw is one of several exploited by Clop in Oracle E-Business Suite, Oracle’s platform for integrated business applications, for anything from customer relationship management to enterprise resource planning tools. Oracle’s CISO, Rob Duhart, in a blog post initially said that the threat actors were exploiting unspecified flaws that were patched in Oracle’s July software updates. An update to the post urged customers to apply patches for CVE-2025-61882.
News of the Clop extortion attacks first emerged last week after several businesses received communications from the group claiming that they had stolen sensitive data from their Oracle E-Business Suite instances. Some of the emails stated that the threat actor would provide proof of compromise (through “3 files or a data row”), and they told victims to contact them directly. Mandiant researchers, who have been investigating the incident, said they believe Clop is responding to the victim’s outreach and providing more specific extortion demands as follow-up.
Clop has been sending the extortion emails since last Monday, and Mandiant researchers warned that the group may not yet have attempted to reach out to all victims. The threat actor has been behind many large-scale data theft and extortion attacks on managed file transfer solutions, like the one on MOVEit in 2023.
Oracle in its security advisory also included Indicators of Compromise (IoCs) to support detection, hunting, and containment. Charles Carmakal, CTO and board advisor at Mandiant, said potentially impacted companies should take the necessary steps to investigate their environments to sniff out signs of compromise.
“Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” he said in a LinkedIn post.
Lindsey O’Donnell-Welch is an award-winning journalist who strives to shed light on how security issues impact not only businesses and defenders on the front line, but also the daily lives of consumers.