- Oracle patched a critical zero-day RCE flaw in E-Business Suite, actively exploited by ransomware actors
- Attackers used compromised email accounts to extort victims; FIN11 and Cl0p may be involved
- CVE-2025-61882 scored 9.8/10; exploitation requires no authentication and enables full system takeover
Oracle has released a patch to address a zero-day vulnerability in its E-Business Suite which was being actively exploited by ransomware actors.
In early October 2025, cybercriminals started mailing executives at various American organizations, claiming to have stolen sensitive files from their Oracle E-Business Suite systems. At the time, both Oracle and the wider cybersecurity community were not certain if the breaches actually happened, or if this was just a bluff to get the victims to pay a ransom demand.
Now, it seems the claims were legitimate since Oracle issued an emergency patch to fix a critical unauthenticated remote code execution (RCE) flaw in E-Business Suite versions 12.2.3-12.2.14.
Payment data secure
The bug is tracked as CVE-2025-61882, and was given a severity score of 9.8/10 (critical). An unauthenticated attacker with HTTP network access could use it to compromise, and fully take over, the Oracle Concurrent Processing component of E-Business Suite.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle said in the advisory. “If successfully exploited, this vulnerability may result in remote code execution.”
Earlier reports linked the campaign to multiple threat actors, including the infamous Cl0p, and a financially motivated actor called FIN11.
Charles Carmakal, CTO of Mandiant – Google Cloud, said the emails are being sent from hundreds of compromised email accounts – including one known to belong to FIN11: “We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion,” Carmakal said.
At the same time, the emails held contact addresses that were previously listed on Cl0p’s data leak site, so it is possible that both groups are involved in the campaign, or are simply sharing resources. The evidence is not compelling enough to confirm the links, though.
Oracle’s Indicators of Compromise (IoC), published with the advisory, also suggest the involvement of Scattered Lapsus$ Hunters.
Via The Hacker News
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Add Comment