- Oracle has patched a critical zero-day flaw in E-Business Suite that was being actively exploited by ransomware actors
- The attackers used compromised email accounts to extort victims; FIN11 and CL0P may be involved
- CVE-2025-61882 is rated 9.8/10; exploitation requires no authentication and gives complete control of the system
Oracle has released a fix for a zero-day vulnerability in its E-Business Suite that was being actively exploited by ransomware actors.
In early October 2025, cybercriminals began sending emails to executives at various US organizations, claiming to have stolen sensitive files from their Oracle E-Business Suite systems. At the time, neither Oracle nor the wider cybersecurity community was sure whether the breaches had actually happened or whether the claims were a bluff to pressure victims into paying a ransom.
Now the claims appear to have been genuine, as Oracle has released an emergency patch for a critical unauthenticated remote code execution (RCE) flaw in E-Business Suite versions 12.2.3 through 12.2.14.
The bug is tracked as CVE-2025-61882 and carries a severity score of 9.8/10 (critical). An unauthenticated attacker with HTTP network access could use it to compromise and fully take over the Oracle Concurrent Processing component of E-Business Suite.
“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle said in its advisory. “If successfully exploited, this vulnerability may result in remote code execution.”
Earlier reports tied the campaign to several threat actors, including the notorious CL0P and a financially motivated actor known as FIN11.
Charles Carmakal, CTO at Mandiant, Google Cloud, said the emails were sent from hundreds of compromised email accounts, including one known to belong to FIN11: “We are currently observing a high-volume email campaign launched from hundreds of compromised accounts, and our initial analysis confirms that at least one of these accounts was known to belong to FIN11,” Carmakal said.
At the same time, the emails contained contact addresses that had previously been listed on the CL0P data leak site, so it is possible that both groups are involved in the campaign, or simply that they share resources. The evidence, however, is not conclusive enough to confirm the links.
Oracle's indicators of compromise (IoCs), published alongside the advisory, also suggest the involvement of Scattered Lapsus$ Hunters.
Via The Hacker News