
Critical Zero-Auth Flaw in Oracle E-Business Suite Enables Remote Code Execution

Cl0p Ransomware Gang Targets Oracle E-Business Suite Customers.

Oracle Zero-day CVE-2025-61882

Oracle has released an emergency security alert for a critical zero-day vulnerability in its E-Business Suite that allows attackers to execute code remotely without any authentication, a worst-case scenario for an internet-facing ERP system.

The alert follows a mass extortion campaign by hackers claiming affiliation with the Cl0p ransomware gang, who contacted enterprise customers with reported ransom demands of up to $50 million.

The vulnerability, tracked as CVE-2025-61882, carries a CVSS 3.1 base score of 9.8 out of 10 and affects Oracle E-Business Suite versions 12.2.3 through 12.2.14.

The flaw resides in the BI Publisher Integration component of Oracle Concurrent Processing and can be exploited over HTTP without a username, a password, or any user interaction.

Oracle says it is investigating the extortion campaign, which began Monday. Rob Duhart, Oracle's chief security officer, acknowledged the company is "aware" that some customers received extortion emails and urged immediate application of security updates.

Oracle's initial response attributed the attacks to vulnerabilities it had already patched in the July 2025 Critical Patch Update, which suggests many organizations had not applied those updates. The October 4 alert for CVE-2025-61882 shows that an unpatched flaw was also in play, so being current on the July CPU alone is not sufficient.

"This vulnerability is remotely exploitable without authentication, and if successfully exploited, may result in remote code execution," Oracle stated in its October 4 security alert.

The alert lists two IP addresses observed in the attacks (200.107.207.26 and 185.181.60.11) and file hashes for the proof-of-concept exploit code circulating online. Oracle is strongly urging customers to apply the patch immediately, noting that the October 2023 Critical Patch Update must be installed before the alert's patch can be applied.

With Oracle E-Business Suite being a cornerstone of enterprise resource planning (ERP) for thousands of organizations globally, successful attacks could compromise sensitive financial data, supply chain information, and critical business operations.

The Cl0p connection raises serious concerns. The U.S. Cybersecurity and Infrastructure Security Agency described Cl0p in 2023 as "one of the largest phishing and malspam distributors worldwide," with over 3,000 U.S. victims and 8,000 globally. 

A group with that many prior victims turning its attention to E-Business Suite, which manages financial, supply chain, and customer relationship operations for thousands of enterprises, could expose sensitive corporate data on a very large scale.

Organizations running affected versions should apply the alert patch immediately (after confirming the October 2023 CPU prerequisite is in place), sweep web server access logs and file systems for the published IOCs, and, until the patch is deployed, restrict HTTP access to the BI Publisher Integration component to trusted networks. An IOC hit should trigger incident response rather than just patching, since a patch does not evict an attacker who is already inside.
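The following triage helper is an added example written for this article; it is not Oracle's code and not part of the original post. It pulls together the three checks the article describes: classifying an E-Business Suite release string against the affected range Oracle published (12.2.3 through 12.2.14, with older unsupported releases flagged separately), sweeping Apache/Oracle HTTP Server style access-log lines for the two source IPs in Oracle's alert, and comparing SHA-256 digests of files against a caller-supplied set of known-bad hashes (Oracle's published hashes are not reproduced here, so you pass your own). The log format and the sample log lines are constructed for illustration, and the `/OA_HTML/AppsLogin` path in them is just a generic EBS URL, not an exploit path.

```python
"""Triage helper for Oracle E-Business Suite and CVE-2025-61882.

Added example, not Oracle's code. Checks: release classification against the
published affected range, IOC sweep of access-log lines, and file-hash matching
against a caller-supplied set. Log format and sample lines are constructed.
"""
import hashlib
import re
from collections import Counter

# Source IPs named in Oracle's October 4, 2025 security alert.
IOC_IPS = frozenset({"200.107.207.26", "185.181.60.11"})

AFFECTED_MIN = (12, 2, 3)   # inclusive
AFFECTED_MAX = (12, 2, 14)  # inclusive


def parse_version(text):
    """'12.2.12' -> (12, 2, 12); raises ValueError on non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify_release(text):
    """Return 'affected', 'unsupported', or 'not_listed' for an EBS release.

    'unsupported' covers releases older than 12.2.3: Oracle's alert says these
    get no patch but likely contain the same flaw. Anything newer than 12.2.14
    is 'not_listed' because it is outside the published range.
    """
    v = parse_version(text)[:3]  # ignore a trailing patch-level component
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v < AFFECTED_MIN:
        return "unsupported"
    return "not_listed"


# Apache/OHS "common/combined" access-log prefix: ip ident user [ts] "req" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def find_ioc_hits(lines, ioc_ips=IOC_IPS):
    """Return (hits, per_ip_counts) for log lines whose client IP is an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not an access-log line; skip rather than abort the sweep
        if m["ip"] in ioc_ips:
            hits.append({"ip": m["ip"], "ts": m["ts"], "req": m["req"],
                         "status": int(m["status"])})
    return hits, Counter(h["ip"] for h in hits)


def sha256_hex(data):
    """Lower-case hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path):
    """Streaming SHA-256 of a file, so large archives do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(paths, known_bad, digest=sha256_of):
    """Map each path whose digest is in known_bad (any case) to its hex digest.

    `digest` is injectable so the matching logic can be exercised without files.
    """
    known = {k.lower() for k in known_bad}
    return {p: d for p in paths if (d := digest(p)) in known}


# Constructed sample lines (hypothetical traffic, not a real capture).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Sep/2025:08:01:10 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 4321',
    '200.107.207.26 - - [29/Sep/2025:08:02:33 +0000] "POST /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    'garbage line that is not an access log entry',
    '185.181.60.11 - - [30/Sep/2025:01:15:02 +0000] "GET / HTTP/1.1" 200 77',
    '200.107.207.26 - - [30/Sep/2025:01:16:40 +0000] "GET / HTTP/1.1" 404 12',
]

if __name__ == "__main__":
    print("release 12.2.12:", classify_release("12.2.12"))
    hits, counts = find_ioc_hits(SAMPLE_LOG)
    for h in hits:
        print(f"IOC hit: {h['ip']} at {h['ts']} -> {h['req']} ({h['status']})")
    print("hits per IP:", dict(counts))
```

Run it against real logs with `find_ioc_hits(open("access_log"))`; the sweep only tells you the listed IPs touched the listener, so treat any hit as the start of an investigation, not as proof of compromise or its absence (attackers rotate infrastructure, and the alert's IPs are the ones Oracle happened to observe).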

Oracle noted that only supported versions receive official patches; earlier, unsupported releases likely contain the same flaw and should be upgraded to a supported release.
