- Oracle has patched a critical zero-day vulnerability in E-Business Suite that is being actively exploited by ransomware actors
- The attackers used compromised email accounts to extort victims; FIN11 and CL0P may be involved
- CVE-2025-61882 is scored 9.8/10; exploitation requires no authentication and allows a complete takeover of the system
Oracle has published a patch to address a zero-day vulnerability in its E-Business Suite that was being actively exploited by ransomware actors.
At the beginning of October 2025, cybercriminals began emailing executives at several US organizations, claiming to have stolen sensitive files from their Oracle E-Business Suite systems. At the time, neither Oracle nor the broader cybersecurity community was sure whether the breaches had actually happened, or whether this was just a bluff to get the victims to pay a ransom demand.
Now it seems the claims were legitimate, as Oracle has issued an emergency patch to fix a critical unauthenticated remote code execution (RCE) flaw in E-Business Suite versions 12.2.3 through 12.2.14.
The flaw is tracked as CVE-2025-61882 and was given a severity score of 9.8/10 (critical). An unauthenticated attacker with HTTP network access could use it to compromise and completely take over the Concurrent Processing component of E-Business Suite.
“This vulnerability is remotely exploitable without authentication, that is, it can be exploited over a network without the need for a username and password,” Oracle said in the advisory. “If successfully exploited, this vulnerability can lead to remote code execution.”
Earlier reports linked the campaign to multiple threat actors, including the infamous CL0P and a financially motivated actor known as FIN11.
Charles Carmakal, CTO of Mandiant (Google Cloud), said the emails are being sent from hundreds of compromised email accounts, including one known to belong to FIN11: “We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts, and our initial analysis confirms that at least one of these accounts has been previously associated with the FIN11 threat group.”
At the same time, the emails contained contact addresses that were previously listed on the CL0P data leak site, so it is possible that both groups are involved in the campaign or simply share resources. However, the evidence is not conclusive enough to confirm the links.
Oracle’s indicators of compromise (IoCs), published with the advisory, also suggest the involvement of Scattered Lapsus$ Hunters.
Via The Hacker News