Cl0p ransomware extortion gang have a zero day in Oracle E-Business Suite (component: BI Publisher Integration) - which they’ve been exploiting since last month to steal data.

https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/

Oracle patches EBS zero-day exploited in Clop data theft attacks

Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.

BleepingComputer
A few days ago Oracle, via the media, blamed their own customers for not installing a July security update.. then when the media coverage stopped, quietly released a new security update for the actual exploited vulnerability. 🥴
Here's the original Oracle explanation - before the post mysteriously disappeared (even from Internet Archive etc).

@GossiTheDog I cannot stress enough how deceptive this tactic is.

First, Oracle gaslight their own customers into "if something happens, it's because you haven't patched". Then, after downloading a zero-day off Telegram finding out that they have been pwned by Scattered Lapsus$ Hunters, they quietly edit out the previous content.

And this is not some anonymous marketing writer, but the Chief Security Officer for one of the biggest corporations on the globe.

1/2

@christopherkunz @GossiTheDog it wouldn't be their first, right?

@mr0vka @GossiTheDog Certainly not, hence my ire. Not much longer than half a year ago, Oracle Classic Cloud "lost" data in an incident that had me look on web.archive.org and despair at Oracle's wordsmithing: https://heise.de/-10336366 I think this is a system, not a one-off occurrence.
Data leak at Oracle: Up to 2000 German victims? What is known and what is not

Data from the "Oracle Classic" cloud is for sale on the darknet. Analysts agree: the data is genuine. But some pieces of the puzzle are still missing.

heise online