Advisory

Oracle releases emergency patch for E-Business Suite as ransomware gang pushes extortion campaign

Take action: If you use Oracle E-Business Suite (versions 12.2.3-12.2.14), patch as soon as possible: first apply the October 2023 Critical Patch Update, then install the latest security updates to fix CVE-2025-61882. It's quite possible that attackers are using this flaw as part of their ongoing attack campaign. Check your logs for the known malicious IP addresses (200.107.207.26 and 185.181.60.11) and suspicious files.


Learn More

Oracle has released an urgent security alert about a critical vulnerability in its E-Business Suite while it investigates an extortion campaign targeting enterprise customers. Threat actors claiming affiliation with the Cl0p ransomware gang have launched aggressive attacks demanding ransoms as high as $50 million from organizations worldwide.

The reported vulnerability, tracked as CVE-2025-61882 (CVSS score 9.8), is a remote code execution vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing. It affects Oracle E-Business Suite versions 12.2.3-12.2.14 and is remotely exploitable without authentication over HTTP.

Oracle strongly recommends that customers apply the security updates immediately, noting that the October 2023 Critical Patch Update is a prerequisite for implementing these fixes. 

The indicators of compromise are two suspicious IP addresses (200.107.207.26 and 185.181.60.11) showing potential GET and POST activity, command signatures that establish outbound TCP connections, and SHA-256 file hashes of circulating proof-of-concept exploit code, specifically an archive named "oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip" and associated Python scripts.
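
One way to run the log check for the two addresses above, as an added example that is not Oracle's or this advisory's own code. It assumes Apache-style combined access logs; the function names, sample lines, non-IoC hosts and request paths are constructed for illustration.

```python
import re
from collections import Counter

# IoC addresses quoted in the advisory text above.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# Whole-address match: a plain substring search for 185.181.60.11 would
# also fire on 185.181.60.110, so refuse digits or dots on either side.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Assumption: Apache-style combined log format (client first, quoted request).
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def find_ioc_hits(lines):
    """Return one record per IoC address seen on each log line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        matched = IOC_IPS.intersection(IPV4_RE.findall(line))
        if not matched:
            continue
        m = LINE_RE.match(line)  # None if the line is not in the assumed format
        for ip in sorted(matched):
            hits.append({
                "line": lineno, "ip": ip,
                # False when the address only appears in a forwarded-for field
                "as_client": bool(m) and m["client"] == ip,
                "method": m["method"] if m else "UNPARSED",
                "path": m["path"] if m else None,
                "status": int(m["status"]) if m else None,
            })
    return hits

def summarize(hits):
    """Count requests per (address, HTTP method)."""
    return dict(Counter((h["ip"], h["method"]) for h in hits))

# Constructed sample lines; hosts other than the two IoCs and all paths are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Oct/2025:10:15:01 +0000] "GET /constructed/home HTTP/1.1" 200 1024',
    '200.107.207.26 - - [03/Oct/2025:10:15:02 +0000] "GET /constructed/a HTTP/1.1" 200 512',
    '185.181.60.11 - - [03/Oct/2025:10:15:03 +0000] "POST /constructed/b HTTP/1.1" 500 0',
    '185.181.60.110 - - [03/Oct/2025:10:15:04 +0000] "GET /constructed/c HTTP/1.1" 200 10',
    '192.0.2.10 - - [03/Oct/2025:10:15:05 +0000] "POST /constructed/d HTTP/1.1" 200 33 "-" "-" "185.181.60.11"',
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(hit)
    print(summarize(find_ioc_hits(SAMPLE_LOG)))
```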

It's not clear whether this vulnerability disclosure is related to the extortion campaign that began around September 29, 2025. Rob Duhart, Oracle's Chief Security Officer, confirmed that numerous Oracle E-Business Suite customers have received extortion emails from threat actors claiming affiliation with the Cl0p ransomware group. Oracle's investigation has found potential exploitation of previously identified vulnerabilities that were addressed in the July 2025 Critical Patch Update.
