Information about the vulnerability exposed by EBS portals is spreading, raising likelihood of new attacks, experts warn.

Credit: Tada Images – shutterstock.com
It’s the bad news that many customers of Oracle E-Business Suite (EBS) have been dreading: reports of ransomware attacks targeting the software have turned out to be connected to a serious zero-day vulnerability that requires immediate patching.
The first indications that something might be awry emerged last week from Halcyon, Google’s Threat Intelligence Group (GTIG), and Mandiant, which issued alerts that one of the world’s most active extortion groups, Cl0p, was probably behind recent email demands sent to Oracle customers running internet-facing EBS ERP portals.
Although there was some initial uncertainty about the scope, severity, and attribution of the attacks, these reports revealed worrying details, including unusually large ransom demands of up to $50 million backed by proof of compromise such as screenshots and file trees.
“We are the Cl0p team. If you haven’t heard about us, you can Google about us on the Internet,” began one of the ransom notes, re-published by a news site.
The note went on to make the usual demand for payment, backed by threats to expose stolen data if ransom was not paid.
The worry was how the attackers were compromising victims. During 2025, Oracle has patched several important EBS security issues, including CVE-2025-30727 affecting the iSurvey Module, and CVE-2025-21541 affecting Admin Screens and Grants UI, neither known to have been exploited.
The flaw exploited as part of the latest attack remains in question. A blog last week by Oracle’s CSO, Rob Duhart, indicated that multiple vulnerabilities from the July 2025 Oracle Critical Patch Update (CPU) might be involved. However, this was later updated to remove that reference.
A post by Charles Carmakal of Mandiant still refers to multiple vulnerabilities, but the focus has now shifted to a new remote code execution (RCE) flaw, CVE-2025-61882, as the main culprit. The fact that Oracle issued an emergency patch for it during the weekend seems to confirm this.
Initial access by Cl0p dates to August, which means that attackers have had plenty of time to steal large amounts of data. Extortion emails were sent to victims from September 29 onwards, but might not yet have reached all victims, Carmakal cautioned.
“Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” he said.
Red alert: Patch now
Rated a ‘critical’ 9.8 on CVSS, CVE-2025-61882 is a vulnerability in the EBS BI Publisher Integration component of Oracle E-Business Suite affecting versions 12.2.3 to 12.2.14, which is remotely exploitable without authentication.
Customers should apply the latest patch after first applying the October 2023 critical patch update, if they have not already done so. Any installation last updated before October 4 should be considered at risk.
“Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the company warned.
Oracle also published a list of indicators of compromise (IoCs), including IP addresses, observed commands, and malware signatures, to aid in detection.
“It’s likely that almost no one patched over the weekend. We’re waking up to a critical vulnerability with public exploit code and unpatched systems everywhere,” said Jake Knott, principal security researcher at continuous security testing company watchTowr.
“We fully expect to see mass, indiscriminate exploitation from multiple groups within days. If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls – fast.”
According to Zbyněk Sopuch, CTO of data security vendor Safetica, enterprises should also note the evolving cybercriminal behavior signaled by recent ransomware attacks.
“The targeted systems-of-choice for thieves include ERP, finance, HR, and the typical points of entry are via admin credentials and third-party connectors, such as VPNs, middleware, and API service accounts, which tend to have open access privileges,” said Sopuch.
He recommended that companies isolate critical applications as much as possible, while making protections such as multi-factor authentication (MFA) standard for admin logins and integration or API access points.
“Conversely, give service and integration accounts minimum access or simple access-appropriate-to-role permissions, and routinely rotate keys,” he said.
Zero-day vulnerabilities seem to be particularly favored by Cl0p; the 2023 attack on customers of the MOVEit file transfer product, which exploited CVE-2023-34362, is a high-profile example. Other attacks using the same approach included those against Accellion in 2020 and SolarWinds in 2021.
The lesson is that organizations can detect incursions only if they are continuously monitoring all risk points in the attack surface, such as external access points and logins, said Sopuch.
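The advisory section above gives two concrete facts a defender can act on (affected versions 12.2.3 through 12.2.14, and any installation last updated before October 4 counting as at risk), and Oracle's IoC list is what makes the "hunt aggressively" and "continuously monitoring" advice actionable. The script below is an added triage helper written for this page; it is not Oracle's tooling or code. The IoC addresses (RFC 5737 documentation ranges), the access-log lines and the path `/example/path` are constructed placeholders; a real sweep would load Oracle's published indicators in their place.

```python
"""Triage helper for the Oracle EBS advisory discussed above.

Added example, not Oracle's code. All IoC values and log lines are CONSTRUCTED
placeholders and must be replaced with Oracle's published indicators.
"""
import re
from datetime import date

AFFECTED_MIN = (12, 2, 3)          # from the Security Alert: 12.2.3 through 12.2.14
AFFECTED_MAX = (12, 2, 14)
PATCH_CUTOFF = date(2025, 10, 4)   # systems last updated before this are "at risk"

# Constructed placeholder indicators (documentation-only address ranges).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed Apache-style access-log lines; not real EBS traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.45 - - [29/Sep/2025:10:15:02 +0000] "POST /example/path HTTP/1.1" 200 512',
    '192.0.2.10 - - [29/Sep/2025:10:16:40 +0000] "GET /example/path HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Oct/2025:03:02:11 +0000] "POST /example/path HTTP/1.1" 500 0',
    '192.0.2.11 - - [01/Oct/2025:03:05:00 +0000] "GET /example/path HTTP/1.1" 200 2048',
]

_CLIENT_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def parse_version(version: str) -> tuple:
    """'12.2.10' -> (12, 2, 10).

    Numeric tuples compare correctly; plain string comparison would sort
    '12.2.9' after '12.2.14' and mis-classify it as outside the range.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True if the EBS version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def is_at_risk_patch_level(last_patched: date) -> bool:
    """The advisory treats anything last updated before October 4 as at risk."""
    return last_patched < PATCH_CUTOFF


def scan_access_log(lines, ioc_ips=IOC_IPS):
    """Return (line_number, ip, line) for every request from an IoC address."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = _CLIENT_IP_RE.match(line)
        if match and match.group(1) in ioc_ips:
            hits.append((lineno, match.group(1), line))
    return hits


def triage(version: str, last_patched: date, access_log_lines) -> dict:
    """Combine the version check, patch-date check and IoC sweep into one verdict."""
    affected = is_affected_version(version)
    hits = scan_access_log(access_log_lines)
    return {
        "affected_version": affected,
        "needs_patch": affected and is_at_risk_patch_level(last_patched),
        "ioc_hits": hits,
        # Per Carmakal's point above: patching does not clear a host that was
        # already reached; any IoC hit warrants an investigation regardless.
        "investigate": bool(hits),
    }


if __name__ == "__main__":
    verdict = triage("12.2.10", date(2025, 9, 20), SAMPLE_ACCESS_LOG)
    print("affected version:", verdict["affected_version"])
    print("needs patch     :", verdict["needs_patch"])
    for lineno, ip, line in verdict["ioc_hits"]:
        print(f"IoC hit line {lineno} from {ip}: {line}")
    print("investigate     :", verdict["investigate"])
```

The version check deliberately compares numeric tuples rather than strings, because a lexical comparison of "12.2.9" against "12.2.14" silently drops a vulnerable host from the list. The `investigate` flag is kept separate from `needs_patch` so that a host patched after the cutoff still surfaces if its logs contain an indicator.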
John E. Dunn is a veteran cybersecurity reporter, specializing in crisis response, ransomware, data breaches, encryption, quantum computing and QKD, DevSecOps, managed services, cybersecurity in education, retail cybersecurity, vulnerability reporting, and cybersecurity ethics.
John is a former editor of the UK editions of Personal Computer Magazine, LAN Magazine, and Network World. In 2003 he co-founded Techworld, since when he has covered cybersecurity and business computing for a range of publications including Computerworld, Forbes, Naked Security, The Register, and The Times.