Oracle rushes out E-Business Suite patch to deal with Clop ransomware security flaw

Running Oracle E-Business Suite? Patch it quick

Oracle has rushed out an emergency patch for its E-Business Suite to deal with a zero-day threat already being exploited in the wild by the Clop cyberthreat group – despite suggesting last week that the security flaws the group had exploited had been patched in July.

The vulnerability, labelled CVE-2025-61882, is assessed at 9.8 on the Common Vulnerability Scoring System (CVSS), ranking it as critical in severity. That means that the flaw is of “maximum severity and the code is actively dangerous”. A score of ten would indicate that a security flaw is exploitable remotely and practically impossible to mitigate.

In its alert, Oracle warned: “This vulnerability is remotely exploitable without authentication... it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.”

However, security-conscious companies should note that the October 2023 Critical Patch Update is a prerequisite: it must be in place before this security patch can be applied.

The rushed-out update indicates that Oracle’s statement last week, that the reported wave of ransomware attacks targeting E-Business Suite installations was due to older, unpatched flaws, was not entirely accurate.

The company had urged users to apply the July 2025 Critical Update as a matter of urgency, indicating that this would deal with the threat.

At the beginning of last week, affected organisations started to receive ransom demands from the Clop threat group, a cybercrime group with strong links to the FIN11 threat actor, according to Austin Larsen, principal threat analyst at Google Threat Intelligence.

Yesterday, Charles Carmakal, chief technology officer of Google Mandiant, described the issue as multiple zero-day vulnerabilities. He added that while the security breaches only came to light when the ransomware group started sending emails at the end of September, the data had been surreptitiously stolen from several victims during August.

The compromise was partly down to the exploitation of vulnerabilities patched in July, but also down to the security flaws that Oracle has only now belatedly patched.

“Clop has been sending extortion emails to several victims since last Monday. However, please note they may not have attempted to reach out to all victims yet. Multiple vulnerabilities were exploited, including vulnerabilities that were patched in Oracle's July 2025 update as well.

“Given the broad mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organisations should examine whether they were already compromised,” Carmakal warned in a LinkedIn post.