TL;DR
Oracle issued an out-of-band patch for a critical zero-day in Oracle E-Business Suite (EBS) after reports of active exploitation and extortion emails to executives that reference Oracle systems. If you run EBS 12.2.3–12.2.14, assume attempts, patch immediately, and restrict exposure of web components (BI Publisher / Concurrent Processing) while you verify.
What happened
- On Oct 2–3, 2025, Google and Oracle warned that a campaign tied to Cl0p was sending high-volume extortion emails to executives, claiming theft of data from Oracle environments.
- Oracle then published an emergency Security Alert for CVE-2025-61882, a pre-auth remote code execution flaw in E-Business Suite; exploitation was observed in the wild. Multiple outlets and CERT advisories corroborate active exploitation.
- Security researchers note the targeting of EBS web components, including the BI Publisher / Concurrent Processing integration path.
Why Oracle released an out-of-band patch
This wasn’t a routine quarterly CPU issue: exploitation was happening now, so Oracle shipped a standalone, out-of-cycle fix to stop unauthenticated RCE on internet-reachable (or otherwise exposed) EBS instances. Oracle’s alert stresses network-based exploitation without credentials; trade press and researchers report mass exploitation claims linked to Cl0p.
Who is affected
- Product/versions: Oracle E-Business Suite 12.2.3–12.2.14.
- Risk factors: Any EBS web tier reachable from the internet (directly or via misconfigured access), especially instances exposing BI Publisher/Concurrent Processing endpoints.
What to do (fast, actionable)
1) Patch sequence (today)
- Install Oracle’s Security Alert fix for CVE-2025-61882 for your exact EBS version.
- Ensure your instance is current on recent Critical Patch Updates (Oracle has separately urged customers to apply the July 2025 CPU for EBS).
- Some expert guidance notes an October 2023 CPU baseline is required before applying the new fix—verify prerequisites in Oracle’s documentation for your deployment.
2) Reduce exposure while patching
- Remove direct internet access to EBS where possible; front with VPN/Zero Trust.
- Restrict or rate-limit access to BI Publisher / Concurrent Processing URLs at the WAF/load balancer.
- Harden auth (MFA for admin/integration accounts) and rotate credentials used by integrations. These steps align with the components Oracle and public advisories flag as relevant to exploitation paths.
3) Hunt for signs of compromise
- Review web access logs for unusual requests to BI Publisher routes or atypical POST bodies.
- Check Concurrent Requests / BI Publisher jobs for spikes, odd schedules, or unknown owners.
- Look for new or modified EBS users/roles you didn’t create.
- Ask execs to forward any “we stole your Oracle data” emails to IT; do not respond to demands. These behaviors map to the current campaign and Oracle’s alert context.
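The first three hunting steps above (unusual requests to BI Publisher / Concurrent Processing routes, atypical POST bodies, bursts from one client) can be turned into a repeatable log triage. The script below is an added example, not Oracle's tooling or part of the original post. It assumes Apache/OHS "combined" access logs with the request Content-Length appended as a final field, and the watched path prefixes (/OA_HTML/, /OA_CGI/) and the /OA_HTML/ExampleServlet route are placeholders: replace them with the routes and IOCs from Oracle's Security Alert for your EBS release. The sample log lines are constructed.

```python
"""Triage an EBS web-tier access log for the hunting leads listed above (added example)."""
import re
from collections import Counter

# Assumptions (placeholders, not from Oracle or the original post):
#  - log format is Apache/OHS "combined" with the request Content-Length appended
#    as the last field, e.g. LogFormat "... \"%{User-agent}i\" %{Content-Length}i";
#  - WATCH_PREFIXES are the EBS web-tier path prefixes you consider sensitive.
#    Replace them with the BI Publisher / Concurrent Processing routes and IOCs
#    from Oracle's Security Alert for your deployment.
WATCH_PREFIXES = ("/OA_HTML/", "/OA_CGI/")   # placeholder EBS web-tier prefixes
LARGE_BODY_BYTES = 16_384                     # POST body size worth a second look
BURST_THRESHOLD = 10                          # POSTs from one IP to one route
BROWSER_UA_MARKERS = ("Mozilla/", "Opera/")   # anything else is treated as a scripted client

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<reqlen>\d+|-)$'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["reqlen"] = 0 if rec["reqlen"] == "-" else int(rec["reqlen"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string so routes group cleanly
    return rec


def is_watched(path):
    """True when the request path sits under one of the watched EBS prefixes."""
    return path.startswith(WATCH_PREFIXES)


def triage(lines):
    """Collect hunting leads: large POST bodies, scripted POSTs, and POST bursts on watched routes."""
    leads = {"large_post": [], "scripted_post": [], "burst": []}
    post_counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched(rec["path"]) or rec["method"] != "POST":
            continue
        post_counts[(rec["ip"], rec["path"])] += 1
        if rec["reqlen"] >= LARGE_BODY_BYTES:
            leads["large_post"].append((rec["ip"], rec["path"], rec["reqlen"]))
        if not rec["ua"].startswith(BROWSER_UA_MARKERS):
            leads["scripted_post"].append((rec["ip"], rec["path"], rec["ua"]))
    for (ip, path), n in post_counts.items():
        if n >= BURST_THRESHOLD:
            leads["burst"].append((ip, path, n))
    return leads


def _line(ip, method, path, status, ua, reqlen, ts="06/Oct/2025:02:41:10 +0000"):
    """Build one constructed access-log line in the assumed format."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 812 "-" "{ua}" {reqlen}'


# Constructed sample log: two normal browser hits, one oversized scripted POST from
# a documentation-range address, one non-EBS asset, and a burst of 12 scripted POSTs.
SAMPLE_LOG = [
    _line("10.0.0.5", "GET", "/OA_HTML/AppsLogin", 200, "Mozilla/5.0 (Windows NT 10.0)", 0),
    _line("10.0.0.5", "POST", "/OA_HTML/AppsLogin", 302, "Mozilla/5.0 (Windows NT 10.0)", 240),
    _line("203.0.113.44", "POST", "/OA_HTML/ExampleServlet", 200, "python-requests/2.31", 48211),
    _line("10.0.0.9", "GET", "/static/logo.png", 200, "Mozilla/5.0", 0),
] + [
    _line("198.51.100.7", "POST", "/OA_HTML/ExampleServlet", 500, "curl/8.4.0", 900)
    for _ in range(12)
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Feed it your real access logs (one line per list element) and review each lead against your change records and the Concurrent Request history; the thresholds are starting points to tune against a known-good week of traffic, not verdicts.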
Indicators & references
Oracle’s alert and multiple security write-ups include technical detail and, in some cases, indicators of compromise (IOCs). Use them to seed your searches and SIEM queries.
FAQ
Is Oracle Fusion Cloud affected?
Current reporting and Oracle’s alert focus on on-prem E-Business Suite. There’s no evidence the same zero-day hits Fusion SaaS; still follow Oracle guidance for your estate.
We didn’t get an extortion email—are we safe?
Not necessarily. The email wave is one signal. Patch and check logs regardless.
Do we have to take downtime?
Treat this like a priority change. Schedule a short, planned window to apply the fix and validate. Oracle’s alert provides version-specific instructions.
How Stamm Tech can help
- Exposure audit: Version check, internet surface scan, BI Publisher/Concurrent Processing review.
- Patch + rollback plan: Verify prerequisites, apply the alert fix, snapshot/backup, and post-patch validation.
- Threat hunt: Log triage for suspicious requests/jobs/accounts; IOC sweeps; credential rotation.
- Hardening: Access controls, WAF rules, MFA, and monitoring.
Need help? Let’s meet and talk.