Oracle Releases Patch for Zero-Day Vulnerability Exploited by Clop Hackers

Oracle has announced the release of a critical patch to address a zero-day vulnerability currently being exploited by the notorious hacking group Clop. The vulnerability is in Oracle’s E-Business Suite, a key product for running business operations including customer and human resources data management, and it allows unauthorized access to sensitive information without login credentials.

Oracle’s Chief Security Officer, Rob Duhart, updated the company’s stance over the weekend, urging immediate action from customers to install the patch. The vulnerability, officially cataloged as CVE-2025-61882, poses a severe risk due to its exploitability over a network without authentication, potentially exposing personal data of corporate executives and other sensitive customer information.

The E-Business Suite is utilized by thousands of organizations worldwide, making the stakes high for data security. The zero-day designation underscores the urgency, as it indicates that the vulnerability was actively exploited before Oracle could issue a fix.

This news comes after an earlier post by Duhart, which suggested that the issue stemmed from previously patched vulnerabilities from July, implying that the related extortion activities had ceased. However, the discovery of this new zero-day reveals that Clop continued to target Oracle’s E-Business Suite with unknown flaws during that period.

On October 2, Google’s security researchers exposed Clop’s activities, noting that the group had sent extortion emails to Oracle executives around September 29, threatening to release their personal information online. Charles Carmakal, CTO of Google’s Mandiant, an incident response unit, highlighted the vulnerability’s exploitation in a LinkedIn post on Sunday, emphasizing the scale and impact of the campaign.

Key points about the attack include:

  • Clop hackers are exploiting a zero-day vulnerability in the Oracle E-Business Suite.
  • Executives at major companies are receiving extortion emails from the ransomware group.
  • The vulnerability, CVE-2025-61882, can be exploited without a username and password.
  • Oracle has released a security patch and is advising immediate updates.
  • The flaw allows attackers to gain control of the Concurrent Processing feature in the suite.
  • Thousands of businesses may have their customer and HR data compromised.
  • Clop has a history of similar attacks and has resumed campaigns since late September.

The security advisory from Oracle also included indicators of compromise to help affected companies identify signs of intrusion. The vulnerability centers on the Concurrent Processing feature of the Oracle E-Business Suite, and exploiting it gives attackers potential control over critical business functions.

The impact of this vulnerability is profound, with millions of data records potentially accessed and stolen, given the widespread use of Oracle’s platform. Carmakal’s insights on LinkedIn shed light on the situation, revealing that Clop had previously exploited other Oracle vulnerabilities, leading to data theft from various organizations just a few months ago.

Customers are advised to follow Oracle’s guidance and apply the patch immediately to protect against this and any potential future exploitation attempts by Clop or other malicious actors. The cybersecurity community will be closely monitoring the situation for any new developments as organizations scramble to secure their systems and data.

Source: Olhar Digital
