All news with #oracle tag

Envoy Air Confirms Oracle E-Business Suite Data Theft

🔒 Envoy Air confirmed that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its leak site. The carrier said it immediately launched an investigation, contacted law enforcement, and determined that no sensitive or customer data were affected, though limited business information and commercial contact details may have been exposed. The incident is tied to an August campaign by Clop, which exploited an E-Business Suite zero‑day (CVE‑2025‑61882) and is now publishing claimed stolen files.

Oracle Quietly Fixes E-Business Suite SSRF Zero-Day

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.

Oracle Quietly Patches E-Business Suite Zero-Day Exploit

⚠️ Oracle has quietly released an out-of-band update addressing CVE-2025-61884 in Oracle E-Business Suite, a pre-authentication SSRF exploited by a publicly leaked proof-of-concept published by the ShinyHunters extortion group. Oracle's advisory warns the flaw can expose sensitive resources but did not disclose active exploitation or the public exploit release, prompting follow-up from researchers. Independent testers confirm the new update now blocks the SSRF component that previously bypassed earlier patches.

Oracle quietly patches E-Business Suite SSRF zero-day

🔒Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) after researchers confirmed the update blocks a pre-authentication SSRF used by a leaked ShinyHunters proof-of-concept. Oracle issued an out-of-band security update over the weekend and warned the flaw could allow access to sensitive resources. The vendor did not disclose that the issue was actively exploited or that a public exploit had been released, drawing criticism from researchers and customers.

Oracle issues second emergency patch for E-Business Suite

⚠️ Oracle released an emergency security alert on October 11 for CVE-2025-61884, a 7.5 CVSS information-disclosure flaw in the Runtime UI component of E-Business Suite (versions 12.2.3–12.2.14). The vulnerability allows unauthenticated remote attackers with network access to steal sensitive data. The patch arrives one week after an emergency fix for a Cl0p-exploited RCE, and experts urge administrators to apply updates, hunt for prior compromise, and restrict outbound traffic from EBS servers.

Oracle issues emergency patch for E-Business Suite

🔒 Oracle released an emergency update to address CVE-2025-61884, an information disclosure flaw in the E-Business Suite Runtime UI that affects versions 12.2.3 through 12.2.14. The vulnerability is remotely exploitable without authentication and has been assigned a CVSS base score of 7.5, meaning a successful exploit could expose sensitive resources. Oracle strongly urges customers to apply the out-of-band patch or recommended mitigations immediately, particularly for internet-facing instances.

Weekly Recap: WhatsApp Worm, Oracle 0-Day and Ransomware

⚡This weekly recap covers high-impact incidents and emerging trends shaping enterprise risk. Significant exploitation of an Oracle E-Business Suite zero-day (CVE-2025-61882) and linked payloads reportedly affected dozens of organizations, while a GoAnywhere MFT flaw (CVE-2025-10035) enabled multi-stage intrusions by Storm-1175. Other highlights include a WhatsApp worm, npm-based phishing chains, an emerging ransomware cartel, AI abuse, and a prioritized list of critical CVEs.

High-Severity Oracle E-Business Suite Vulnerability Alert

🔒 Oracle issued an alert for CVE-2025-61884, a high-severity (CVSS 7.5) flaw in Oracle E-Business Suite versions 12.2.3 through 12.2.14 that can be exploited remotely over HTTP without authentication. The NIST description warns the defect permits an unauthenticated attacker to compromise Oracle Configurator, potentially exposing or allowing complete access to critical configurable data. Oracle urges administrators to apply the update immediately; it has not reported observed in-the-wild exploitation.

Cl0p-Linked Actors Exploit Oracle E-Business Suite

🔔 Google Threat Intelligence Group and Mandiant report a multi-stage zero-day campaign exploiting Oracle E-Business Suite (tracked as CVE-2025-61882, CVSS 9.8) that has impacted dozens of organizations since August 2025. The attackers combined SSRF, CRLF injection, authentication bypass and XSL template injection to achieve remote code execution and deploy multi-stage Java loaders. Observed payloads include GOLDVEIN.JAVA and a SAGEGIFT/SAGELEAF/SAGEWAVE chain; orchestration and extortion messaging bear the Cl0p signature. Oracle has released patches and investigations by GTIG and Mandiant are ongoing.

ShinyHunters Launch Extortion Site Targeting Corporates

🔓 A cybercrime collective known as ShinyHunters has launched a public extortion blog threatening to publish data stolen from dozens of major companies if ransoms are not paid. The group claims to have harvested Salesforce customer records via a May voice-phishing campaign, and also says it exfiltrated terabytes of files from a Red Hat GitLab server and Discord user data tied to a third-party provider. Security firms and affected vendors including Salesforce, Red Hat and Discord are investigating, while Google and other investigators link the activity to several related UNC clusters and warn of additional token thefts tied to Salesloft. Victim shaming, published exploit scripts for an Oracle E-Business Suite zero-day, and malware-laced threats have amplified the incident’s severity.

Oracle EBS Zero-Day Exploited by Clop Since August

🔒 CrowdStrike reports the Clop ransomware gang has been exploiting an Oracle E-Business Suite zero-day, CVE-2025-61882, since early August to steal sensitive documents. The flaw resides in the BI Publisher Integration of Concurrent Processing and allows unauthenticated remote code execution via a single HTTP request. Oracle issued a patch and warned customers to apply updates immediately as extortion emails tied to stolen EBS data are being circulated.

NCSC Urges Patch for Critical Oracle E-Business Bug

🔔 The UK's National Cyber Security Centre has urged Oracle E-Business Suite customers to apply an emergency update for CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in the BI Publisher Integration component affecting EBS 12.2.3–12.2.14. Security firm Mandiant reports the Clop ransomware group exploited the bug as a zero-day in August, and the exploit has since been leaked, raising the risk of wider attacks. The NCSC and Rapid7 recommend immediate compromise assessments using Oracle's IoCs, contacting Oracle PSIRT and the NCSC if compromise is suspected, installing the latest EBS update (with the October 2023 CPU applied first), and reducing internet exposure of EBS instances.

Oracle EBS Targeted by Cl0p Exploiting CVE-2025-61882

🚨 CrowdStrike attributes the exploitation of Oracle E-Business Suite to Graceful Spider, also known as Cl0p, with the first observed compromise on August 9, 2025. The attacks exploit a critical pre-authentication remote code execution flaw, CVE-2025-61882 (CVSS 9.8), enabling authentication bypass and the upload of malicious XSLT templates via Oracle XML Publisher. Successful exploitation leads to outbound connections from the Java web server and remote web shell deployment for data exfiltration and persistence; CISA has added the flaw to its Known Exploited Vulnerabilities catalog and urged agencies to patch immediately.

Oracle issues emergency patch for EBS zero-day RCE

🔴 Oracle has released an emergency patch addressing a critical zero-day remote code execution flaw, CVE-2025-61882, in the E-Business Suite BI Publisher Integration component. The vulnerability (affecting versions 12.2.3–12.2.14) is rated 9.8 on the CVSS scale and is exploitable remotely without authentication. Cl0p actors are linked to active exploitation and high-value extortion demands; Oracle published IoCs and strongly urges immediate patching and aggressive compromise hunting.

Cl0p Exploits Critical Oracle E-Business Suite Flaw

🔒 Oracle released an emergency patch to address a critical unauthenticated vulnerability in E-Business Suite (CVE-2025-61882) with a CVSS score of 9.8. The flaw allows remote code execution against the Oracle concurrent processing component over HTTP and has been actively exploited by the Cl0p group in large-scale data theft. Security firms report mass email-based distribution from hundreds of compromised accounts and recommend immediate patching and forensic checks for listed IoCs and suspicious GET/POST activity.

CISA Adds Seven CVEs to Known Exploited Vulnerabilities

🔒 CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The newly listed entries include CVE-2010-3765, CVE-2010-3962, CVE-2011-3402, CVE-2013-3918, CVE-2021-22555, CVE-2021-43226, and CVE-2025-61882, impacting Mozilla, Microsoft, the Linux Kernel, and Oracle E-Business Suite. Federal Civilian Executive Branch agencies must remediate these vulnerabilities under BOD 22-01, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Mass Exploitation of Oracle E-Business Suite Zero-Day

🔒 CrowdStrike is tracking a mass exploitation campaign abusing a novel zero-day, CVE-2025-61882, against Oracle E-Business Suite (EBS) that enables unauthenticated remote code execution and data exfiltration. First observed on 2025-08-09, activity accelerated after a proof-of-concept surfaced on 2025-10-03 and Oracle released an advisory with IOCs on 2025-10-04. CrowdStrike assesses likely involvement by the actor tracked as GRACEFUL SPIDER (moderate confidence) while acknowledging multiple actors may be exploiting internet-exposed EBS instances; detection and mitigation guidance and Falcon tooling are provided to help defenders.

Oracle issues emergency patch for CVE-2025-61882 exploit

🔒 Oracle has released an emergency update to address CVE-2025-61882, a critical (CVSS 9.8) vulnerability in the E-Business Suite Concurrent Processing component that can be exploited over HTTP without authentication. Oracle warned the flaw may allow remote code execution and issued additional fixes after discovering further potential exploitation vectors. Indicators shared with the advisory point to activity linked to Cl0p and a group associated with Scattered LAPSUS$ Hunters; organizations are urged to apply the patch and hunt for signs of compromise.

Oracle patches critical EBS zero-day used by Clop gang

⚠️ Oracle has released an emergency update addressing CVE-2025-61882, a critical unauthenticated remote code execution flaw in Oracle E-Business Suite (Concurrent Processing / BI Publisher Integration). The vulnerability affects versions 12.2.3–12.2.14 and carries a CVSS base score of 9.8. Customers must first install the October 2023 Critical Patch Update before applying the new fix. Intelligence firms say the Clop extortion gang actively used the bug in August 2025 to steal data.

Oracle Links Clop Extortion to July EBS Vulnerabilities

🔒 Oracle said some customers received extortion emails tied to its E-Business Suite and linked the campaign to vulnerabilities patched in the July 2025 Critical Patch Update. While Oracle did not attribute the activity to a specific ransomware group, its investigation found potential use of previously identified EBS flaws, including three that were remotely exploitable. Security firms reported executives began receiving ransom demands on or before September 29, 2025. Oracle urged customers to apply the latest patches and contact support if they need assistance.