SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Oracle issues urgent patch as Cl0p exploits suite flaw for attacks

Wed, 8th Oct 2025

An emergency patch has been released by Oracle to fix a critical zero-day vulnerability in its E-Business Suite after evidence surfaced of active exploitation by the Cl0p ransomware group.

The vulnerability, identified as CVE-2025-61882, affects Oracle E-Business Suite versions 12.2.3 through to 12.2.14. Security experts have assigned it a CVSS rating of 9.8, indicating a high level of risk, as it permits remote code execution without the need for authentication. With exploit code now published online, Oracle has urged all affected organisations to apply the patch immediately, warning that mass exploitation by multiple threat actors is highly likely in the coming days.

Cl0p's involvement

The Cl0p ransomware group has reportedly been exploiting the flaw since August 2025. Security commentary has sought to place Cl0p within a broader context of criminal activity targeting major software platforms.

Adrian Culley, Senior Sales Engineer at SafeBreach, commented, "The Cl0p extortion gang is combined under 'The Com,' which is a loose collective of hackers that includes individuals from Lapsus$ and Scattered Spider. The Com (short for 'The Community') is a fluid, international collective of mostly young, English-speaking individuals."

"Crucially, they're not motivated by politics or ideology; their drivers appear to be purely money and ego. They thrive on notoriety, loudly bragging about their exploits on platforms like Telegram, which pushes members toward more brazen, high-profile attacks. While they are clearly very skilled, their precociousness leaves them highly vulnerable to nation state infiltration and manipulation."

Security researchers have traced the origins of this group back to earlier hacking collectives such as Lapsus$ and Scattered Spider, both known for high-profile attacks on prominent organisations.

Culley continued, "The group's roots begin with LAPSUS$ in 2021 and 2022, when they demonstrated just how devastating social engineering could be against giants like Microsoft, Nvidia, and Okta. But their work was somewhat erratic, and they often focused on chaos and notoriety. Scattered Spider took that playbook and professionalised it, moving from chaotic data theft to financially devastating ransomware campaigns. They have been able to master the initial access problem with their native English skills and mastery of social engineering."

Social engineering tactics

The collective now known as The Com is reported to rely heavily on advanced social engineering strategies, including voice phishing, to bypass security controls such as multi-factor authentication (MFA). Their tactics involve highly temporary indicators of compromise, with phishing domains often active for less than a week, making detection and prevention more challenging for organisations with reactive defences.

Culley commented, "The Com, which has evolved out of these two groups, relies heavily on voice phishing as their most effective TTP to get past multi-factor authentication. The group uses highly ephemeral IOCs. The phishing domains they use are often active for less than seven days. This means that organisations relying on a purely reactive security posture (for example, blocklisting known IPs or domains) are often behind the curve."

Recommended responses

With the Oracle vulnerability rated critical (severity score 9.8), cybersecurity professionals have emphasised the immediate need for patching. They also highlight the need to move beyond purely technical fixes and to evaluate and improve organisational procedures and staff awareness in the face of sophisticated social engineering threats.

Culley said, "The latest threat that has come to light with the Oracle e-business suite is a critical, 9.8-rated CVE. Organisations should patch immediately and then begin to shift from testing code to testing policy and procedure. BAS and AEV tools can help organisations focus on validating the Human Firewall."

Breach and attack simulation (BAS) and automated ethical validation (AEV) tools are cited as important for enabling organisations to evaluate both technical and procedural weaknesses. These tools can be used to test whether staff inadvertently disclose personal information that could be used to create convincing attack personas, or to measure how long it takes for a multi-factor authentication bombing attempt to be detected and blocked before a user approves one of the requests.

"BAS can simulate the reconnaissance phase, testing whether employees overshare PII online that an attacker could use to build a convincing persona. It can also continuously push bomb an organisation's MFA solution to measure the Mean Time to Detect and block the attack before a frustrated user approves the request," Culley said.

He continued, "An AEV platform can help confirm that an organisation's help desk is uncompromisable. Are they enforcing policies like a vocal password or two-employee approval for privileged account resets, even when the supposed caller provides all the PII they should know? Finally, AEV must continuously test an organisation's IAM posture, ensuring they can detect and immediately flag actions like a compromised admin creating malicious cloud instances or forging SAML tokens for persistence."
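The Mean Time to Detect measurement Culley describes, as an added detection example that is not from the article or from SafeBreach: it parses constructed MFA push log lines (a hypothetical format), raises an alert once a threshold of pushes to one user falls inside a sliding window, and reports how many seconds after the first push the alert fired and whether the user had already approved a request by then.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-notification log (hypothetical format, not from any real IdP).
SAMPLE_LOG = """\
2025-10-08T09:00:00Z user=alice event=push_sent result=pending
2025-10-08T09:00:20Z user=alice event=push_sent result=denied
2025-10-08T09:00:41Z user=alice event=push_sent result=denied
2025-10-08T09:01:05Z user=alice event=push_sent result=denied
2025-10-08T09:01:30Z user=alice event=push_sent result=denied
2025-10-08T09:02:10Z user=alice event=push_sent result=approved
2025-10-08T09:05:00Z user=bob event=push_sent result=approved
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=push_sent result=(\S+)$")
THRESHOLD = 4                 # pushes to one user inside WINDOW that trigger an alert
WINDOW = timedelta(minutes=2)

def parse(log):
    """Turn log text into (timestamp, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events

def detect_push_bombing(events, threshold=THRESHOLD, window=WINDOW):
    """Map each bombed user to detection time, seconds since their first push,
    and whether an approval had already happened when the alert fired."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(events):
        per_user[user].append((ts, result))
    alerts = {}
    for user, hist in per_user.items():
        start = 0
        for i, (ts, _) in enumerate(hist):
            while ts - hist[start][0] > window:   # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                alerts[user] = {
                    "detected_at": ts,
                    "seconds_to_detect": (ts - hist[0][0]).total_seconds(),
                    "approved_before_detect": any(r == "approved" for _, r in hist[:i + 1]),
                }
                break
    return alerts
```

Tuning `threshold` and `window` against a BAS run shows whether the alert fires before the approval, which is the "mean time to detect" figure the quote refers to.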