In October 2025, Oracle released patches for two zero-day vulnerabilities in Oracle E-Business Suite that had already been exploited in the wild. The campaign, attributed to the Cl0p threat actor, involved remote access to unpatched systems and data theft from exposed servers.
In this edition, we examine the vulnerabilities and outline both immediate and long-term actions organizations can take to protect Oracle E-Business Suite. The focus is on applying sound network security and architectural principles to reduce external exposure and strengthen the overall security of enterprise environments.
What is a Zero-Day Vulnerability
A zero-day vulnerability is a software flaw that is exploited before a vendor issues a patch. Because no fix exists at the time of exploitation, attackers can gain initial access and execute code before reliable detection methods or mitigation guidance are available. The impact depends on the nature of the vulnerability. Some may lead to service disruption or data exposure, while others could allow full remote code execution and system compromise.
What Is Oracle E-Business Suite
Oracle E-Business Suite (EBS) is an enterprise resource planning (ERP) platform that integrates a wide range of business applications into a single environment. It is used by large and mid-sized organizations to manage core business processes such as:
Financial management and accounting
Procurement and inventory management
Supply chain and logistics
Human resources and payroll
Customer relationship and order management
EBS is deployed primarily on-premises or within customer-managed cloud infrastructure, meaning organizations are responsible for system administration, patching, and access control. Oracle does not manage or host EBS as a SaaS product.
Because EBS integrates financial, HR, and operational data, it often contains sensitive information, such as:
Financial records (e.g., general ledgers, invoices, and payment data)
HR data (e.g., employee names, salaries, and tax information)
Customer and supplier details (e.g., contracts and account credentials)
Operational data supporting logistics, reporting, and production
For most organizations, EBS is a business-critical system. A compromise can disrupt payroll, accounting, and procurement functions, and its integration with banking and third-party systems makes it a high-value target.
Oracle E-Business Suite Vulnerability (CVE-2025–61882, CVE-2025–61884)
In October 2025, Oracle confirmed active exploitation of two vulnerabilities affecting Oracle EBusiness Suite (EBS):
Both vulnerabilities can be exploited remotely without authentication. CVE-2025–61882 allows attackers to run commands directly on the EBS server, enabling full system compromise. CVE2025–61884 provides unauthenticated access to internal application resources that can be leveraged to gather data or support further exploitation.
Attackers are actively exploiting these vulnerabilities by sending crafted requests to internet-facing EBS servers. The attack requires no user action. Once successful, the attackers can control the application server, extract data, and deploy tools to maintain persistent access.
VenariX tracks threat actor campaigns. Users can view all reported victims and activity related to the Oracle E-Business Suite exploitation by selecting the “Oracle E-Business Suite” major incident filter in the VenariX platform. This view provides visibility into reported victims and shows how the campaign is affecting different sectors and regions.
Threat Actor Behind the Campaign
Cl0p is a cybercriminal group known for large-scale data theft and extortion and is suspected to be behind the recent Oracle E-Business Suite compromises. The group exploits vulnerabilities in widely used enterprise platforms to gain unauthorized access and exfiltrate sensitive information. Once data is stolen, the group demands payment to prevent public exposure.
Over the past five years, Cl0p has been linked to several zero-day campaigns targeting enterprise platforms, including:
Accellion FTA (2020–2021)
GoAnywhere MFT (2023)
MOVEit FTA (2023)
Cleo (2024)
Oracle E-Business Suite (2025)

As of this writing, Cl0p has listed 15 organizations on its leak site, claiming they were compromised through the Oracle E-Business Suite zero-day vulnerabilities. In several cases, the group has already published the stolen data, indicating that negotiations with some victims have failed or that the extortion period has expired.
Several of the affected organizations were also targeted in prior Cl0p campaigns, suggesting repeat attacks against previously compromised entities.
Recommendations
Organizations running Oracle E-Business Suite should immediately apply Oracle’s patches for CVE-2025–61882 and CVE-2025–61884 in all environments, not just production. Both vulnerabilities are being actively exploited, and delaying updates leaves systems exposed to compromise.
While patching addresses the immediate threat, following network security best practices is essential to reduce exposure and strengthen resilience against future attacks. The following core architectural controls focus on limiting the attack surface and improving the overall security of business applications built on traditional multi-tier architectures, including Oracle E-Business Suite deployments.
Limit Internet Exposure and Enforce Network Segmentation
Oracle E-Business Suite should be deployed so that only components requiring external access are reachable from the internet. Application and database servers should remain in private network segments without public IP addresses. External access, such as for suppliers or business partners, should terminate at a public load balancer or reverse proxy located in a demilitarized zone (DMZ). In some architectures, an externally facing identity and access management (IAM) system may handle authentication and forward authorized traffic to internal applications.
The environment should be segmented by system function and criticality. Each tier (e.g., bastion, load balancer or reverse proxy, application, and database) should reside in its own subnet or network segment with firewall rules that limit communication to only what is necessary.
Deploy a Web Application Firewall (WAF)
A Web Application Firewall (WAF) should be deployed in front of any Oracle E-Business Suite environment that allows internet-facing access, whether hosted on-premises or in the cloud. A WAF inspects inbound traffic, blocks common attacks such as SQL injection and cross-site scripting (XSS), and provides visibility into exploit attempts against exposed application modules.
The WAF should be the entry point for all external web traffic, filtering and forwarding only approved requests to the public load balancer or reverse proxy. This ensures that no direct internet traffic reaches Oracle E-Business Suite components and that all inbound communication is inspected before reaching the application.
Control Administrative Access
Administrative access to Oracle E-Business Suite components should occur through a secure internal network or VPN, never through public interfaces. If a bastion host (e.g., jump server) is used, it should be placed in a restricted management network and reachable only from trusted administrative systems.
Restrict outbound network traffic
Where external connectivity is required, outbound traffic should be routed through controlled network paths such as web proxies or firewalls with specific allow rules. This provides visibility into outgoing connections, limits communication to approved destinations, and prevents attackers from using the server for data exfiltration or remote command-and-control. Allowing direct internet access from application servers removes these safeguards and increases the risk of undetected data loss or continued attacker presence.