TL;DR: Oracle patched CVE-2025-61882, a 9.8-rated unauthenticated Oracle E-Business Suite zero-day that Clop exploited for data theft and extortion after exploit code circulated publicly, according to Oligo Security. The incident shows why application-layer compromise and runtime visibility now matter as much as perimeter patching.
NHIMG editorial — based on content published by Oligo Security: CVE-2025-61882 and the Oracle E-Business Suite zero-day exploited in Clop extortion campaigns
By the numbers:
- Oracle E-Business Suite vulnerability CVE-2025-61882 carries a CVSS score of 9.8.
Questions worth separating out
Q: What breaks when an Oracle E-Business Suite zero-day is exploited without authentication?
A: The breach control model breaks because the application itself becomes the access path.
Q: Why do unauthenticated application exploits create so much more risk in ERP systems?
A: ERP systems hold high-value data and often sit deep in internal business processes, so compromise gives attackers both information and operational leverage.
Q: How do security teams know whether runtime controls are actually working?
A: They should be able to tie suspicious child processes, unexpected shells, and unusual outbound connections back to a specific application execution path.
Practitioner guidance
- Patch exposed Oracle EBS instances immediately: Apply Oracle's Security Alert update for CVE-2025-61882 and confirm the October 2025 Critical Patch Update is installed first across all externally reachable environments.
- Hunt for exploitation artefacts in EBS workloads: Search for reverse shell commands, unexpected child processes from the EBS Java service, and files such as exp.py, server.py, or oracle_ebs_nday_exploit*.zip on application hosts and adjacent systems.
- Review external exposure and obsolete versions: Identify internet-facing EBS instances, validate version coverage across 12.2.3 through 12.2.14, and remove or isolate systems that remain reachable without compensating controls.
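The hunt item above and the earlier Q&A point about tying shells and outbound connections back to an application execution path can be turned into a small triage routine. This is an added example, not code from Oligo Security or Oracle: it walks constructed host telemetry (process starts with pid/ppid, file writes, outbound connections), rebuilds process ancestry, and flags shells or interpreters descended from the EBS Java service, writes or command lines naming the artefact files listed above, and outbound connections whose ancestry leads back to that service. The `oacore` command-line marker, the paths and the event schema are assumptions made for the sample.

```python
import fnmatch
import os
# Constructed sample events (not real telemetry): process starts, file writes
# and outbound connections, each carrying pid/ppid so ancestry can be rebuilt.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "/u01/jdk/bin/java",
     "cmd": "java -Doracle.apps.svc=oacore weblogic.Server"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "/bin/sh", "cmd": "sh -i"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "/usr/bin/python3",
     "cmd": "python3 /tmp/server.py"},
    {"type": "file", "pid": 300, "path": "/tmp/oracle_ebs_nday_exploit_poc.zip"},
    {"type": "network", "pid": 200, "dst": "203.0.113.7:4444"},
    {"type": "process", "pid": 400, "ppid": 1, "image": "/bin/sh",
     "cmd": "sh /etc/cron.hourly/logrotate"},  # benign shell, not under EBS
    {"type": "network", "pid": 400, "dst": "203.0.113.9:443"},
]

EBS_JAVA_HINT = "oacore"  # assumed command-line marker for the EBS Java service
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
ARTEFACT_GLOBS = ("exp.py", "server.py", "oracle_ebs_nday_exploit*.zip")

def ancestry(procs, pid):
    """Process record for pid followed by its known ancestors, nearest first."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain

def from_ebs_java(procs, pid):
    """True if any ancestor (not the process itself) is the EBS Java service."""
    return any(EBS_JAVA_HINT in p["cmd"] for p in ancestry(procs, pid)[1:])

def is_artefact(path):
    return any(fnmatch.fnmatch(os.path.basename(path), g) for g in ARTEFACT_GLOBS)

def triage(events):
    """Return (rule, detail) findings; each rule maps to one hunt item above."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            if os.path.basename(e["image"]) in SHELLS and from_ebs_java(procs, e["pid"]):
                findings.append(("shell_from_ebs_java", f"pid {e['pid']} {e['cmd']}"))
            findings += [("artefact_on_cmdline", t) for t in e["cmd"].split() if is_artefact(t)]
        elif e["type"] == "file" and is_artefact(e["path"]):
            findings.append(("artefact_written", e["path"]))
        elif e["type"] == "network" and from_ebs_java(procs, e["pid"]):
            findings.append(("outbound_from_ebs_path", f"pid {e['pid']} -> {e['dst']}"))
    return findings
```

The cron-spawned shell and its connection (pid 400) produce no finding because their ancestry never reaches the EBS Java service, which is the distinction the runtime-visibility argument above relies on.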
What's in the full article
Oligo Security's full article covers the operational detail this post intentionally leaves for the source:
- The exact exploit path against Oracle E-Business Suite BI Publisher Integration and how the SSRF vector enabled execution
- The incident timeline, including when exploit code circulated and when Oracle and Mandiant confirmed active abuse
- The indicator set for hunting compromise in EBS environments, including IPs, filenames, and reverse-shell artefacts
- The runtime detection examples showing how application-context telemetry ties exploitation to the precise code path
👉 Read Oligo Security's analysis of the Oracle E-Business Suite zero-day campaign →
Oracle E-Business Suite zero-day exploitation: are controls keeping up?
Explore further
Application-layer compromise has become an identity problem, not just a patch problem. When an unauthenticated flaw gives remote code execution inside Oracle E-Business Suite, the application itself becomes the effective access broker for ERP data. That shifts the security question from who logged in to what the workload was coerced into doing. Practitioners should treat externally reachable business applications as privileged execution environments, not passive software assets.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility.
A question worth separating out:
Q: Who is accountable when a third-party enterprise application is exploited through a zero-day?
A: The application vendor owns the flaw, but the operator owns exposure, segmentation, patching, and detection in its environment. For practitioner teams, accountability sits with whoever can reduce blast radius after deployment. That means vendor risk, workload ownership, and operational response must be defined before the next zero-day appears.
👉 Read our full editorial: Oracle E-Business Suite zero-day exploitation exposes runtime blind spots