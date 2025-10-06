Oracle patched a flaw in its E-Business Suite (EBS) that’s been actively exploited in the wild by the Clop ransomware gang.

In its Oct. 4 advisory, Oracle said the patch addresses CVE-2025-61882, a 9.8-severity bug that it said was remotely exploitable with authentication.

Oracle strongly recommended that customers apply the patch as soon as possible.

The patch follows SC Media's reporting that Oracle confirmed on Oct. 2 that some of its EBS customers had received extortion emails in a wave of Clop attacks exploiting flaws in the product, despite Oracle having patched nine other bugs in July 2025.

Meanwhile, Charles Carmakal, board advisor and CTO at Google Mandiant, posted Oct. 5 on LinkedIn that Clop exploited multiple vulnerabilities in Oracle EBS that let the gang steal large amounts of data from several victims in August 2025.

“Clop has also been sending extortion emails to several victims since last Monday,” said Carmakal. “However, please note they may not have attempted to reach out to all victims yet. Given the broad mass zero-day exploitation that has already occurred — and the n-day exploitation that will likely continue by other actors — irrespective of when the patch is applied, organizations should examine whether they were already compromised.”

Stephen Fewer, senior principal researcher at Rapid7, said the bug patched over the weekend represents a serious situation because it is a newly disclosed vulnerability that is known to have been exploited in the wild as a zero-day since August.

“That’s over a month prior to this weekend's vendor disclosure, allowing the attacker ample time to identify and compromise multiple victims,” said Fewer. “Furthermore, the attribution from Mandiant to the Clop ransomware group signals the impact to affected organizations could be devastating. Clop has been known to steal confidential data and extort their victims.”

Jason Soroko, senior fellow at Sectigo, said security teams should consider this one a “patch now” situation. With exploitation by Clop confirmed, Soroko said, this is no longer a lab scenario: successful attacks can lead to full control of the application tier, database access, large-scale data theft, and business process disruption.

“Expect broad scanning and copycat campaigns that convert any exposed instance into a foothold within minutes,” said Soroko. “Even environments that patch today must assume the possibility of preexisting compromise and persistence. Start threat hunting now by reviewing web and database logs, looking for new admin accounts, unexpected scheduled jobs, unfamiliar binaries or web shells, spikes in outbound traffic, and large exports.”
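As an added example (not from the article or from any of the firms quoted), the Python below runs three of the hunting checks Soroko lists over constructed web access log lines: requests to paths outside an allowlist, single oversized responses (large exports), and per-source spikes in outbound bytes within a time window. The /OA_HTML prefix, the known-path allowlist, the thresholds and the sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache/NCSA-style access log; sample lines are constructed and /OA_HTML is
# assumed to be the EBS web root (addresses are from documentation ranges).
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2025:09:00:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
10.0.0.5 - - [04/Oct/2025:09:00:05 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 8200
203.0.113.7 - - [04/Oct/2025:09:10:00 +0000] "GET /OA_HTML/help/state.jsp HTTP/1.1" 200 300
203.0.113.7 - - [04/Oct/2025:09:10:30 +0000] "GET /OA_HTML/OA.jsp?export=1 HTTP/1.1" 200 450000000
203.0.113.7 - - [04/Oct/2025:09:11:00 +0000] "GET /OA_HTML/OA.jsp?export=1 HTTP/1.1" 200 420000000
"""
# Paths an administrator has confirmed as legitimate for this deployment (assumed).
KNOWN_PATHS = {"/OA_HTML/AppsLogin", "/OA_HTML/OA.jsp"}

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), path.split("?")[0], (0 if size == "-" else int(size))

def hunt(log_text, known_paths, big_response=100_000_000,
         window=timedelta(minutes=5), spike_total=500_000_000):
    """Flag unfamiliar paths, oversized responses, and per-source byte spikes in `window`."""
    findings, per_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path, nbytes = rec
        if path not in known_paths:
            findings.append(("unknown_path", ip, path))
        if nbytes >= big_response:
            findings.append(("large_export", ip, nbytes))
        per_ip[ip].append((ts, nbytes))
    for ip, events in per_ip.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):          # sliding time window per source
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            total = sum(b for _, b in events[lo:hi + 1])
            if total >= spike_total:
                findings.append(("outbound_spike", ip, total))
                break                          # one spike finding per source
    return findings
```

Running hunt(SAMPLE_LOG, KNOWN_PATHS) yields four findings, all for 203.0.113.7; the allowlist and byte thresholds should be tuned from a known-good baseline for the specific deployment.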

Aaron Beardslee, manager of security research at Securonix, added that he is concerned that Clop’s resurgence this year marks another wake-up call about the fragility of our collective cyber defenses. Beardslee said attackers are constantly probing for weaknesses — whether in technology, process or people — and they only need to find one crack to take advantage.

“This exploitation shows how quickly those cracks can widen when coordination, funding, or manpower are stretched thin,” said Beardslee. “Too many organizations still run lean and mean security teams, without dedicated threat hunters watching for subtle signs of intrusion or exfiltration. That's a dangerous gamble in today's landscape, where gaps in detection and response are being discovered and weaponized faster than they can be patched.”