FBI, UK gov’t urge orgs to patch Oracle E-Business vuln after alleged Clop campaign
Oracle issued a security alert this weekend urging customers to patch a vulnerability currently being exploited by cybercriminals.
Oracle’s security alert said CVE-2025-61882 impacts the Oracle E-Business Suite — a widely used business platform containing several applications that manage finance, human resources and supply chain functions.
Oracle explained that the vulnerability, which carries a severity score of 9.8 out of 10, could be exploited remotely “without the need for a username and password.”
Customers need to install patches from an October 2023 update before installing the new patch issued on Saturday. Oracle also shared indicators of compromise that organizations can use to support their efforts to detect and contain potential breaches.
FBI Assistant Director Brett Leatherman said “this is ‘stop-what-you’re-doing and patch immediately’ vulnerability.”
“The bad guys are likely already exploiting in the wild, and the race is on before others identify and target vulnerable systems,” he said in a Sunday evening post on LinkedIn.
“In plain terms: if your [E-Business Suite] environment is reachable on the network, and especially if it’s internet facing, it’s at risk for full compromise.”
Leatherman added that Oracle E-Business Suite customers should isolate potentially affected servers and monitor threat intelligence channels because “exploit activity could escalate quickly.”
“Oracle EBS remains a backbone ERP system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast,” he explained. “If you suspect compromise - please connect with us.”
Cybersecurity agencies in the U.K. and Singapore published their own advisories with similar guidance. The U.S. Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog and ordered all federal civilian agencies to patch it by October 28.
Mandiant chief technology officer Charles Carmakal tied CVE-2025-61882 to a campaign unveiled last week by the cybercriminal group Clop.
The group is currently attempting to extort corporate executives by threatening to leak sensitive information they claim was stolen through the Oracle E-Business Suite. Oracle confirmed the campaign but initially said the hackers were exploiting bugs that had been addressed in a July update, without specifying which vulnerabilities were being used.
On Sunday, Carmakal said Clop “exploited multiple vulnerabilities in Oracle [E-Business Suite] which enabled them to steal large amounts of data from several victims in August 2025.”
“Clop has been sending extortion emails to several victims since last Monday. However, please note they may not have attempted to reach out to all victims yet,” he said.
“Multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle's July 2025 update as well as one that was patched this weekend (CVE-2025-61882).”
He added that organizations should “examine whether they were already compromised.”
Several other cybersecurity experts confirmed that Clop has been exploiting multiple vulnerabilities in Oracle E-Business Suite since August.
Jake Knott, principal security researcher at cybersecurity firm watchTowr, said exploit code for CVE-2025-61882 became public by Monday.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.