Oracle has confirmed that the threat actor group Cl0p is actively exploiting a zero-day vulnerability in the Oracle E-Business Suite product, versions 12.2.3-12.2.14. On October 4, 2025, Oracle advised its customers in a security advisory that the supplied patch should be applied “as soon as possible.” According to Oracle, “this vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.”

The vulnerability, CVE02025-61882, was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerabilities catalog earlier this week and CISA issued an urgent alert regarding the vulnerability advising that threat actors are exploiting the vulnerability in the wild to launch ransomware attacks against organizations worldwide. 

The Federal Bureau of Investigation (FBI) has commented that the zero-day is “an emergency putting Oracle E-Business Suite environments at risk of full compromise.”

The zero-day is an additional vulnerability that Cl0p exploited “to steal large amounts of data from several victims in August.” According to CrowdStrike researchers, the exploitation of the zero-day occurred on August 9, 2025. Cl0p has used the zero-day to initiate a data theft and extortion campaign, including sending extortion emails to Oracle customers. The zero-day has a CVSS rating of 9.8, which means that it is critical and should be patched immediately.