Particle.news

Google, Mandiant Warn Oracle E‑Business Suite Zero‑Day Drove Mass Data Theft, 100+ Likely Victims

An Oct. 4 emergency fix follows U.S. warnings that attackers are exploiting exposed E‑Business Suite systems.

Overview

  • Researchers say CVE-2025-61882 enabled unauthenticated remote code execution against Oracle E‑Business Suite, with exploitation observed as early as August 9 and suspicious targeting dating to July 10.
  • Victims began receiving extortion emails on September 29 after large volumes of data were stolen, with demands reported in the seven- to eight-figure range, including sums up to $50 million.
  • Attackers chained at least five flaws to achieve pre-auth compromise and used multi-stage, fileless tooling such as GOLDVEIN.JAVA, SAFEGIFT, SAGELEAF and SAGEWAVE to evade detection and maintain access.
  • Oracle released an emergency patch on October 4 as CISA added the flaw to its Known Exploited Vulnerabilities catalog and the FBI labeled the issue an emergency.
  • Investigators link the campaign to Clop’s extortion infrastructure yet stop short of a definitive attribution, and Shadowserver found 576 potentially vulnerable EBS instances on October 6.