Cl0p ransomware extortion gang have a zero day in Oracle E-Business Suite (component: BI Publisher Integration) - which they’ve been exploiting since last month to steal data.

https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/

Oracle patches EBS zero-day exploited in Clop data theft attacks

Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.

BleepingComputer
A few days ago Oracle, via the media, blamed their own customers for not installing a July security update, then, when the media coverage stopped, quietly released a new security update for the actual exploited vulnerability. 🥴
Here's the original Oracle explanation - before the post mysteriously disappeared (even from Internet Archive etc).

@GossiTheDog The timeline checks out: The exploit was posted on TG on October 3, early afternoon. It was also first uploaded to VT on October 3. After Oracle woke up to the news on October 4, they quickly assessed the damage and pivoted their narrative to "discovered during our investigation". aka "downloaded from telegram".

This fits a repetitive pattern of what I would diplomatically call "unethical disclosure practice". If you update your publications, AT LEAST mark the edits.

2/2

@christopherkunz One should create a dictionary for compromised enterprises. Something like:

  • Discovered during our investigation: someone showed us a telegram chat
  • Deep technical analysis: We actually for once looked into a log file
  • Due to unforeseen circumstances: Our unpatched system had a vulnerability
  • Together with technical specialists: We hired everyone who picked up the phone
  • We immediately informed the authorities and customer: we kept back the information as legally possible
  • Your security is important to us: CEO bonus comes first


@masek @GossiTheDog We informed the appropriate authorities: We ghosted DPOs and consumer orgs but called the FBI to help us decrypt the files. We NDAed everyone who can hold a pen.
@masek @christopherkunz @GossiTheDog
There are two types of companies: those which got hacked and those which don't know they got hacked.
John Chambers

@christopherkunz Forgot:

  • Technically sophisticated attack: We left the credential in an open S3 bucket
  • Criminal energy: bored teenager
  • Sophisticated security infrastructure: We have somewhere a firewall we last patched three years ago
  • Started our incident response process: ran around flapping our arms


@masek @GossiTheDog
  • Novel multi-factor authentication: To complete the log-in procedure, please stare directly at the sun.