Particle.news

Oracle Issues Emergency Fix for E‑Business Suite Zero‑Day Exploited by Cl0p

Public exploit leaks alongside federal warnings signal a high likelihood of widespread follow-on attacks.

Overview

  • Oracle released an out‑of‑band patch for CVE-2025-61882, an unauthenticated remote‑code‑execution flaw in E‑Business Suite’s Concurrent Processing (BI Publisher Integration) affecting versions 12.2.3–12.2.14; the October 2023 Critical Patch Update (CPU) must be applied before the fix.
  • CISA added the bug to its Known Exploited Vulnerabilities catalog, the FBI described the risk to EBS environments as an emergency, and the UK NCSC urged immediate patching and hunting for signs of compromise.
  • Oracle published indicators of compromise, including two source IPs, a reverse‑shell command, and hashes for a leaked exploit archive and Python scripts.
  • Mandiant and CrowdStrike tie the campaign to Cl0p, noting data theft in August 2025, first known exploitation on August 9, and extortion emails that began reaching executives in late September.
  • WatchTowr and CrowdStrike detail a pre‑auth attack chain using SSRF and CRLF injection to load a malicious XSLT template that enables RCE and in‑memory web shells, with a Telegram‑posted exploit raising the risk of rapid n‑day abuse.
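The bullets above describe a pre‑auth chain that leans on CRLF injection and name published source IPs as indicators. As an added example (not code from Oracle, Mandiant, CrowdStrike or watchTowr), the script below shows the kind of first‑pass log triage a defender would run over web‑server access logs while hunting: it flags requests from listed IoC source addresses and requests whose target still contains a carriage return or line feed after URL decoding (including double‑encoded `%250d%250a`). The IoC IPs are placeholders from the RFC 5737 documentation range because the page does not reproduce Oracle's values, the log format is assumed to be Apache/NCSA common log format, and the sample lines and paths are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Placeholder IoC list. Oracle's advisory names two source IPs, but they are not
# reproduced on this page, so RFC 5737 documentation addresses stand in for them.
IOC_SOURCE_IPS = {"192.0.2.10", "192.0.2.11"}

# Assumed NCSA common log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Raw CR/LF characters surviving in a request target after decoding are the
# signature of a CRLF (header/response splitting) attempt.
CRLF_RE = re.compile(r"[\r\n]")

# Constructed sample log lines; paths are invented and not EBS-specific.
SAMPLE_LOG = [
    '198.51.100.5 - - [09/Aug/2025:10:00:01 +0000] "GET /app/login HTTP/1.1" 200 1234',
    '192.0.2.10 - - [09/Aug/2025:10:00:05 +0000] "GET /app/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Aug/2025:10:00:09 +0000] "POST /app/report?next=x%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    '198.51.100.8 - - [09/Aug/2025:10:00:12 +0000] "GET /app/report?q=%250d%250a HTTP/1.1" 200 77',
]


def analyze_line(line):
    """Parse one access-log line and return a dict with any findings, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    target = m.group("target")
    findings = []

    if ip in IOC_SOURCE_IPS:
        findings.append("ioc_source_ip")

    # Decode once for ordinary %0d%0a, and a second time to catch double-encoding.
    decoded_once = unquote(target)
    decoded_twice = unquote(decoded_once)
    if CRLF_RE.search(decoded_once) or CRLF_RE.search(decoded_twice):
        findings.append("crlf_in_request_target")

    return {"ip": ip, "target": target, "status": m.group("status"), "findings": findings}


def scan(lines):
    """Return only the parsed entries that produced at least one finding."""
    hits = []
    for line in lines:
        result = analyze_line(line)
        if result and result["findings"]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["target"]} -> {", ".join(hit["findings"])}')
```

Run against a real log with `scan(open(path))`; lines that do not match the assumed format are skipped rather than raising, so a mixed or partially rotated log does not abort the hunt. Any hit on an IoC address or a CRLF‑bearing target is a reason to pull the surrounding requests and check for the in‑memory web shell activity the advisories describe, not a conviction on its own.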