Cl0p ransomware extortion gang have a zero day in Oracle E-Business Suite (component: BI Publisher Integration) - which they’ve been exploiting since last month to steal data.
Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.
The details for the Oracle hack are as embarrassing as you'd imagine..
../
The craziest part of the Oracle story is they got the exploit chain via... LAPSUS$.
Before Oracle had an advisory, on Telegram LAPSUS$ posted a working zero day exploit - dated May 2025.
Yes, the teenagers at LAPSUS$ know more about Oracle's security vulnerabilities than Oracle.
-rw-r----- 1 root root 3713 Jun 15 18:19 exp.py
-rw-r--r-- 1 root root 2749 Oct 3 14:54 readme.md
-rw-r----- 1 root root 2651 May 16 10:07 server.py
Having large corporations pay hundreds of millions of US dollars in Bitcoin to teenagers to cover up their data breaches is fucking stupid by the way, as said teens then spend the bitcoin on exploits* - we're in a race to the bottom to arm teens with rocket launchers.
* one of the LAPSUS kids also allegedly ordered pizza to his nans house with bitcoin
APTs aren't nation states anymore, they're Advanced Persistent Teenagers as covering up breaches has lowered the bar. Global gov inaction.
@GossiTheDog > * one of the LAPSUS kids also allegedly ordered pizza to his nans house with bitcoin
That's the most 2025 sentence I have ever read
@snornik it really is wild what access a teenager has to the world, these days. I mean, I poked around and did things way back when, but there was so much less to exploit.
@snornik I missed out on that, I was keeping my nose clean in those days, and avoiding tempting knowledge that might get me behind bars.
@snornik no doubt, however there were far fewer things on 'the net' to begin with.
And yeah, you get to the point near the end there; smaller attack surface, not as much infrastructure to get into, possible to get in through someone's modem, but modem -> net -> modem was painfully slow.
I also think there's more of an enticing cat-n-mouse challenge these days, as security has changed and learned a lot since the modem days. hell, we used to use rsh, or telnet.
@snornik getting access to a router rsh or telnet was going through got access to passwords. *shrug*
FTP holds a soft spot in my heart as I once caught an MP3 release crew in a honey-pot and hosted for them for a while. They were some interesting folks.
@snornik I feel that. It's really a shame that we've allowed corporations to have such control over things.
@snornik I think it's a shame that the fallout from all of these exploits and hacks tends to affect the people, not the corporations.
@snornik Kevin Mitnick also got caught. ;)
Security is difficult and security costs money and companies are cheap.
That they do spend any money on security is probably what keeps it fun for the kids. It's a cat-n-mouse game these days.
Back in the day, you could probably sit on a mil server for months and do loud port-scans without raising any eyebrows.
omg path canonicalization is one of the first things we fixed in honey danber uucp … in 1983
@GossiTheDog I cannot stress enough how deceptive this tactic is.
First, Oracle gaslight their own customers into "if something happens, it's because you haven't patched". Then, after downloading a zero-day off Telegram finding out that they have been pwned by Scattered Lapsus$ Hunters, they quitely edit out the previous content.
And this is not some anonymous marketing writer, but the Chief Security Officer for one of the biggest corporations on the globe.
1/2
Oh for.... oh my god.
Nineteen Ninety Seven phoned and want their shitty path traversal bugs back!
Lets just throw in an SQL injection `DROP TABLE;` or buffer overrun while we're at it.
sigh.
@GossiTheDog No way! Surely Oracle's software doesn't have bugs, let alone stupid bugs like this. They told us so 10 years ago:
(Archived, because the original has disappeared from Oracle's site, for some unfathomable reason.)
@GossiTheDog Respectfully disagree lol. Compared to other straightforward bug analyses published by watchtowr, this exploit chain is pretty impressive, so no shame to Oracle.
Path traversal is nice and somewhat expected, but you don't see the double CLRF keep-alive trick everyday.
@frycos @GossiTheDog now I'm just wondering how they initially got the source code for EBS...because that chain looks pretty unlikely to be discoverable without source code access.
Did they pwn Oracle directly or was EBS running on prem at one of their previous targets
@GossiTheDog Crowdstrike has also released a blog post as well.
CrowdStrike is tracking a mass exploitation campaign almost certainly leveraging a novel zero-day vulnerability – now tracked as CVE-2025-61882 – targeting Oracle E-Business Suite (EBS) applications for the purposes of data exfiltration.
@GossiTheDog and this is the company that the government has paid a bazillion dollars to write the software and move the VA EHR system over too.
I suspect it's only a matter of time after the rollout before all of our military medical records will be breached.
@GossiTheDog ah classic Oracle. The same Oracle whose CISO had a meltdown and threatened to sue any security researchers who were obviously using their products against the license agreement.
Ref: https://www.itnews.com.au/news/oracle-cso-blasted-over-anti-security-research-rant-407776
Make automatic updates mandatory 😉👍
@GossiTheDog They replaced the whole blog post and somehow purged copies from WBM. However, they forgot to change the SEO URL which still hints at their original narrative: "Apply July 2025 CPU".
Cl0p had it, SLSH has it, and if the indicators on the exp aren't faked, they have had it since May or so. And now, everyone has it, I expect it to make CISA KEV by tomorrow.
@christopherkunz @GossiTheDog They've purged lots but luckily there's screenshots, e.g. on THN's TwiX account:
https://nitter.net/TheHackersNews/status/1973978248557261277
And quotes in both THN and BleepingComputer:
https://thehackernews.com/2025/10/google-mandiant-probes-new-oracle.html
Tenable also documents this "change" here:
https://www.tenable.com/blog/cve-2025-61882-faq-oracle-e-business-suite-zero-day-cl0p-and-july-2025-cpu
Kevin Beaumont
pobice
Dr. Christopher Kunz
Neil Craig
nadaka
snornik
Pope Bob the Unsane
Bernard Quatermass
BrianKrebs
peter honeyman
Łukasz Bromirski 
Stefan Eissing
Third spruce tree on the left
joe
VessOnSecurity
JA
frycos
wall-e
RossMadness
Mike Spooner
zl2tod
Cav
rtificial
Danny Palmer
I love this, so I
Joakim Fors
Christian Kündig
Simon Zerafa (Status: 
😊)
lp0 on fire 
doombunny
cynicalsecurity 
lj·rk
Fazal Majid
Joxean Koret (@matalaz)