- Oracle patched a critical zero-day RCE flaw in E-Business Suite that was actively exploited by ransomware actors
- Attackers used compromised email accounts to extort victims; FIN11 and CL0P may be involved
- CVE-2025-61882 scored 9.8/10; exploitation requires no authentication and enables full system takeover
Oracle has released a patch to address a zero-day vulnerability in its E-Business Suite, which was actively exploited by ransomware actors.
In early October 2025, cyber criminals began sending emails to various US organizations claiming to have stolen sensitive files from their Oracle E-Business Suite systems. At the time, neither Oracle nor the wider cyber security community was sure whether the breaches had actually happened or whether this was just a bluff to pressure the victims into paying a ransom demand.
Now it appears the claims were legitimate, as Oracle has issued an emergency patch to resolve a critical unauthenticated remote code execution (RCE) flaw in E-Business Suite versions 12.2.3 through 12.2.14.
The flaw is tracked as CVE-2025-61882 and was given a severity score of 9.8/10 (critical). An unauthenticated attacker with HTTP network access could use it to compromise and fully take over the Oracle Concurrent Processing component of E-Business Suite.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle said in the advisory. “If successfully exploited, this vulnerability may result in remote code execution.”
Previous reports linked the campaign to several threat actors, including the notorious CL0P and a financially motivated actor called FIN11.
Charles Carmakal, CTO of Mandiant – Google Cloud, said the emails are being sent from hundreds of compromised email accounts, including one known to belong to FIN11: “We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts, and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion,” Carmakal said.
At the same time, the emails contained contact addresses previously listed on CL0P’s data leak site, so it is possible that both groups are involved in the campaign or are simply sharing resources. However, the evidence is not conclusive enough to confirm the links.
Oracle’s indicators of compromise (IoCs), published alongside the advisory, also suggest the involvement of Scattered Lapsus$ Hunters.
Via The Hacker News