The cybersecurity agency CISA has confirmed that an Oracle E-Business Suite (EBS) vulnerability patched earlier this month has been exploited in the wild.
Dozens of Oracle customers have been targeted in a campaign that involved data theft from their EBS instances. The cybercriminals, presumably a cluster of a threat group named FIN11, stole significant amounts of files and attempted to extort victims.
The attackers exploited EBS vulnerabilities to gain access to data, but Oracle and the cybersecurity community have yet to share definitive information on which flaws have been exploited.
Oracle initially said known flaws patched in July were involved, and later announced that a zero-day tracked as CVE-2025-61882 was also apparently exploited in the campaign.
A few days later, on October 11, the software giant announced fixes for CVE-2025-61884, which can be exploited remotely without authentication and without user interaction to gain access to sensitive data.
However, Oracle’s advisory did not and still does not provide any indication that CVE-2025-61884 has been exploited in attacks. Only the timing of the patch suggested that CVE-2025-61884 too has been leveraged by the attackers.
However, CISA on Monday added CVE-2025-61884 to its Known Exploited Vulnerabilities (KEV) catalog, confirming its exploitation. With the flaw added to CISA’s KEV catalog, federal agencies are required to apply mitigations by November 10.
Bleeping Computer reported last week that CVE-2025-61884 corresponds to a PoC exploit leaked by Scattered Lapsus$ Hunter (a partnership between the Scattered Spider and ShinyHunters groups) shortly after the Oracle EBS hacking campaign came to light. It was initially believed that the PoC corresponds to CVE-2025-61882.
Regardless of which vulnerabilities have been exploited as n-day or zero-day vulnerabilities, it appears that up-to-date Oracle EBS installations should no longer be susceptible to attacks, based on what Bleeping Computer learned from various security firms.
The extortion emails sent to victims have been signed by the Cl0p group, which has gained notoriety over the past years, particularly as a result of similar campaigns targeting Cleo, MOVEit, and Fortra file transfer products through the exploitation of zero-day vulnerabilities.
At the time of writing, four alleged victims of the Oracle EBS hack have been listed on the Cl0p ransomware leak website: Harvard University, American Airlines (subsidiary Envoy Air), South Africa’s University of the Witwatersrand, and industrial giant Emerson.
Emerson is the only one of them that has yet to confirm being impacted and the company has not responded to SecurityWeek’s request for comment.
Related: F5 Hack: Attack Linked to China, BIG-IP Flaws Patched, Governments Issue Alerts
Related: Hackers Steal Sensitive Data From Auction House Sotheby’s
Related: Organizations Warned of Exploited Adobe AEM Forms Vulnerability
