TL;DR: Oracle patched CVE-2025-61882, a 9.8-rated unauthenticated Oracle E-Business Suite zero-day that Clop exploited for data theft and extortion after exploit code circulated publicly, according to Oligo Security. The incident shows why application-layer compromise and runtime visibility now matter as much as perimeter patching.
NHIMG editorial — based on content published by Oligo Security: CVE-2025-61882 and the Oracle E-Business Suite zero-day exploited in Clop extortion campaigns
By the numbers:
- Oracle E-Business Suite vulnerability CVE-2025-61882 carries a CVSS score of 9.8.
Questions worth separating out
Q: What breaks when an Oracle E-Business Suite zero-day is exploited without authentication?
A: The breach control model breaks because the application itself becomes the access path.
Q: Why do unauthenticated application exploits create so much more risk in ERP systems?
A: ERP systems hold high-value data and often sit deep in internal business processes, so compromise gives attackers both information and operational leverage.
Q: How do security teams know whether runtime controls are actually working?
A: They should be able to tie suspicious child processes, unexpected shells, and unusual outbound connections back to a specific application execution path.
Practitioner guidance
- Patch exposed Oracle EBS instances immediately: apply Oracle's Security Alert update for CVE-2025-61882, and first confirm that the October 2025 Critical Patch Update is installed across all externally reachable environments.
- Hunt for exploitation artefacts in EBS workloads: search for reverse shell commands, unexpected child processes spawned by the EBS Java service, and files such as exp.py, server.py, or oracle_ebs_nday_exploit*.zip on application hosts and adjacent systems.
- Review external exposure and obsolete versions: identify internet-facing EBS instances, validate version coverage across 12.2.3 through 12.2.14, and remove or isolate systems that remain reachable without compensating controls.
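As an added illustration of the hunting step above (example code written for this post, not Oligo's or Oracle's), the script below triages constructed process-creation telemetry for two of the listed artefacts: shells spawned by the EBS Java service and the named exploit-kit filenames. The EBS owner account (applmgr), the event field names, and the sample events are assumptions, not real captures.

```python
import fnmatch
import os
import shlex

# Filenames the guidance lists as exploitation artefacts (the .zip is a glob).
SUSPECT_FILE_GLOBS = ("exp.py", "server.py", "oracle_ebs_nday_exploit*.zip")
# Shells and interpreters an ERP Java service should not normally spawn.
SHELLS = {"sh", "bash", "dash", "ksh", "python", "python3", "perl", "nc"}

def is_ebs_java(event, ebs_user="applmgr"):
    """Assumption: the EBS Java service runs as the application owner account
    (applmgr here) and its executable basename is 'java'. Adjust to your site."""
    return os.path.basename(event["parent_image"]) == "java" and event["user"] == ebs_user

def suspect_files(cmdline):
    """Return command-line tokens whose basename matches a known artefact filename."""
    hits = []
    for tok in shlex.split(cmdline):
        if any(fnmatch.fnmatch(os.path.basename(tok), g) for g in SUSPECT_FILE_GLOBS):
            hits.append(tok)
    return hits

def triage(event):
    """Return the reasons a process-creation event deserves analyst attention."""
    reasons = []
    child = os.path.basename(event["image"])
    if is_ebs_java(event) and child in SHELLS:
        reasons.append(f"EBS java (pid {event['ppid']}) spawned {child}")
    for f in suspect_files(event["cmdline"]):
        reasons.append(f"known artefact filename on command line: {f}")
    return reasons

def hunt(events):
    """Map pid -> reasons for every flagged event in a telemetry batch."""
    return {e["pid"]: r for e in events if (r := triage(e))}

# Constructed sample telemetry (not real captures): a benign log rotation,
# a shell spawned by the EBS Java service, and an exploit-kit archive being unpacked.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3999, "user": "applmgr", "parent_image": "/u01/jdk/bin/java",
     "image": "/usr/bin/gzip", "cmdline": "gzip /u01/logs/access.log.1"},
    {"pid": 4102, "ppid": 3999, "user": "applmgr", "parent_image": "/u01/jdk/bin/java",
     "image": "/bin/bash", "cmdline": "bash -c 'id; uname -a'"},
    {"pid": 4103, "ppid": 2201, "user": "oracle", "parent_image": "/bin/bash",
     "image": "/usr/bin/unzip", "cmdline": "unzip /tmp/oracle_ebs_nday_exploit_poc.zip"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Feed it the process-creation records your EDR or auditd pipeline already exports; the value is in tying each hit back to the Java parent, which is the application-context link the Q&A above calls for.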
What's in the full article
Oligo Security's full article covers the operational detail this post intentionally leaves for the source:
- The exact exploit path against Oracle E-Business Suite BI Publisher Integration and how the SSRF vector enabled execution
- The incident timeline, including when exploit code circulated and when Oracle and Mandiant confirmed active abuse
- The indicator set for hunting compromise in EBS environments, including IPs, filenames, and reverse-shell artefacts
- The runtime detection examples showing how application-context telemetry ties exploitation to the precise code path
Read Oligo Security's analysis of the Oracle E-Business Suite zero-day campaign.
Oracle E-Business Suite zero-day exploitation: are controls keeping up?