
CVE-2025-61882: Frequently Asked Questions About Oracle E-Business Suite (EBS) Zero-Day and Associated Vulnerabilities




Following reports that the Cl0p ransomware group has been extorting Oracle E-Business Suite customers, Oracle released an advisory for a zero-day that was exploited in the wild.

Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a newly disclosed Oracle zero-day vulnerability that was exploited in the wild, along with other recently patched vulnerabilities that were part of Oracle’s initial investigation.

FAQ

What is the Oracle zero-day vulnerability?

On October 4, Oracle published a Security Alert Advisory for a new zero-day vulnerability in E-Business Suite (EBS), Oracle’s integrated business application suite for various business functions including order management, logistics, procurement and more.

What is the CVE for this Oracle zero-day vulnerability?

| CVE | Description | Affected Component | CVSSv3 |
|---|---|---|---|
| CVE-2025-61882 | Oracle Concurrent Processing Remote Code Execution Vulnerability | Business Intelligence Publisher (BI Publisher) Integration | 9.8 |

Was CVE-2025-61882 exploited in the wild as a zero-day?

Yes. As part of its Security Alert Advisory, Oracle included multiple indicators of compromise (IOCs). Additionally, a blog post from Rob Duhart, Chief Security Officer at Oracle, was updated to highlight the discovery of this zero-day during its investigation into reports of these compromises.

What are these reports of Oracle EBS customers being compromised?

On October 2, there were reports that Oracle customers received emails from the ransomware group known as Cl0p claiming to have stolen information from their EBS systems. On October 3, Oracle confirmed the reports of attempted extortion, adding that its preliminary investigation revealed exploitation of EBS vulnerabilities patched in the July 2025 Oracle Critical Patch Update (CPU).

What were the EBS vulnerabilities that were patched in the July 2025 Oracle CPU?

There were nine vulnerabilities patched in the July 2025 Oracle CPU:

| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-30743 | Oracle Lease and Finance Management | 8.1 |
| CVE-2025-30744 | Oracle Mobile Field Service | 8.1 |
| CVE-2025-50105 | Oracle Universal Work Queue | 8.1 |
| CVE-2025-50071 | Oracle Applications Framework | 6.4 |
| CVE-2025-30746 | Oracle iStore | 6.1 |
| CVE-2025-30745 | Oracle MES for Process Manufacturing | 6.1 |
| CVE-2025-50107 | Oracle Universal Work Queue | 6.1 |
| CVE-2025-30739 | Oracle CRM Technical Foundation | 5.5 |
| CVE-2025-50090 | Oracle Applications Framework | 5.4 |

Did Oracle originally say that these vulnerabilities were potentially used in these attacks?

Yes, Oracle did highlight these flaws in a previous version of Duhart’s blog post:

Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates.

However, this reference has since been removed from the blog and replaced with a reference to CVE-2025-61882.

Does this removal mean the vulnerabilities from the July 2025 CPU were not used in these attacks?

The removal of the reference would imply the July 2025 CPU vulnerabilities were not utilized in these attacks. However, there are external reports that suggest that the Cl0p ransomware group exploited multiple vulnerabilities, including some from the July 2025 CPU release. This has not been officially confirmed by Oracle.

Who is the Cl0p ransomware group?

Cl0p (or “Clop”) is a notorious ransomware group that has been operating since February 2019. It began as a traditional ransomware group conducting double-extortion attacks, where it would encrypt and exfiltrate files, then extort victims with the threat of publishing them. The group later pivoted to campaigns focused purely on data exfiltration and extortion. Cl0p has a penchant for targeting and exploiting zero-day vulnerabilities in file transfer software including Accellion, MOVEit Transfer, GoAnywhere, and Cleo.

Is Cl0p identified by any other names?

Cl0p is often referred to or linked to TA505 and FIN11, groups that have deployed the Cl0p ransomware and conducted extortion attacks leveraging various zero-day vulnerabilities.

Is there a proof-of-concept (PoC) available for these vulnerabilities?

As of October 5, there were no public proof-of-concept (PoC) exploits for CVE-2025-61882 or the other nine CVEs patched in the July 2025 Oracle CPU release.

Are patches or mitigations available for CVE-2025-61882 and other associated vulnerabilities?

Yes, patches are available. The zero-day vulnerability, CVE-2025-61882, and the nine CVEs from the July 2025 CPU all affect the same versions of Oracle EBS:

| Affected Product | Affected Versions | Fixed Versions (CVE-2025-61882) | Fixed Versions (July 2025 CPU) |
|---|---|---|---|
| Oracle E-Business Suite | 12.2.3 through 12.2.14 | Patch Availability Document | Patch Availability Document |
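
The affected range above is easy to get wrong when comparing version strings as text, since "12.2.10" sorts before "12.2.3" lexicographically. The following added example (not from Tenable or Oracle) triages an asset inventory against the 12.2.3 through 12.2.14 range using numeric comparison; the hostnames, inventory format and bucket names are assumptions made for illustration.

```python
import re

# Affected range as stated on this page: 12.2.3 through 12.2.14 (inclusive).
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Accepts "12.2.10" or "R12.2.10"; anything else is treated as unknown.
_VERSION_RE = re.compile(r"^\s*[Rr]?(\d+)\.(\d+)\.(\d+)\s*$")

def parse_ebs_version(text):
    """Return (major, minor, patch) as ints, or None if unparseable."""
    m = _VERSION_RE.match(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def in_affected_range(text):
    """True/False for parseable versions, None when the version is unknown."""
    v = parse_ebs_version(text)
    if v is None:
        return None
    # Tuple comparison is numeric per component, so 12.2.10 > 12.2.3.
    return AFFECTED_MIN <= v <= AFFECTED_MAX

def triage(inventory):
    """Split (host, version) records into review / out_of_range / unknown."""
    result = {"review": [], "out_of_range": [], "unknown": []}
    for host, version in inventory:
        verdict = in_affected_range(version)
        if verdict is None:
            result["unknown"].append(host)      # needs manual version check
        elif verdict:
            result["review"].append(host)       # confirm patch status
        else:
            result["out_of_range"].append(host)
    return result

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("ebs-prod-01", "12.2.10"),
    ("ebs-prod-02", "R12.2.14"),
    ("ebs-dev-01", "12.2.2"),
    ("ebs-legacy", "12.1.3"),
    ("ebs-test-01", "12.2"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `review` bucket run a version in the affected range and still need their patch status confirmed against Oracle's Patch Availability Document; hosts in `unknown` need their version established before they can be ruled in or out.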

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

Oracle Zero-Day:

Oracle EBS July 2025 CPU vulnerabilities:

These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

