Urgent: Oracle EBS Customers at Risk - Act Now to Patch Critical RCE Vulnerability
Oracle E-Business Suite (EBS) customers are urged to act swiftly following warnings from the UK's National Cyber Security Centre (NCSC) and Google's Mandiant group. A critical vulnerability (CVE-2025-61882) in versions 12.2.3 to 12.2.14 allows unauthenticated remote code execution, leading to full system compromise with no user interaction required. The exploit used by the Clop gang has been leaked, increasing the risk of further attacks.
Affected customers should immediately install the emergency security update that Oracle has published to patch the vulnerability. The NCSC advises performing a compromise assessment using the indicators of compromise (IoCs) published in Oracle's advisory, and contacting Oracle's PSIRT and the NCSC if compromise is suspected. To minimize risk, reduce the number of Oracle EBS instances directly accessible from the public internet, and follow Oracle's deployment guidelines when exposure is necessary. Oracle EBS customers should also conduct threat hunting to detect any malicious activity since August 2025. The specific companies attacked by the Clop ransomware gang through this vulnerability before the July 2025 update are not explicitly named, but instances were exploited starting in August 2025.
The leak of the Clop gang's exploit by the Scattered Lapsus$ Hunters threat group has heightened the urgency for Oracle EBS customers to apply the security update. Failure to do so leaves systems vulnerable to full compromise with no user interaction required. The NCSC's guidance on compromise assessment and threat hunting should be followed to ensure the security of affected systems.