- Oracle patched a critical zero-day RCE flaw in E-Business Suite that was being actively exploited by ransomware actors
- Attackers used compromised email accounts to extort victims; FIN11 and Cl0p may also be involved
- CVE-2025-61882 scored 9.8/10; exploitation requires no authentication and allows full takeover of the affected component
Oracle has released a patch to address a zero-day vulnerability in its E-Business Suite which was being actively exploited by ransomware actors.
In early October 2025, cybercriminals began emailing executives at various American organizations, claiming to have stolen sensitive files from their Oracle E-Business Suite systems. At the time, neither Oracle nor the broader cybersecurity community was sure whether the breaches had actually occurred, or whether this was just a bluff to get the victims to pay a ransom demand.
Now it appears the claims were legitimate, since Oracle has issued an emergency patch to fix a critical unauthenticated remote code execution (RCE) flaw in E-Business Suite versions 12.2.3 through 12.2.14.
Payment data secure
The bug is tracked as CVE-2025-61882 and was given a severity score of 9.8/10 (critical). An unauthenticated attacker with HTTP network access could use it to compromise, and fully take over, the Oracle Concurrent Processing component of E-Business Suite.
"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password," Oracle said in the advisory. "If successfully exploited, this vulnerability may result in remote code execution."
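The first thing a defender needs from the advisory is a reliable answer to "which of my E-Business Suite instances fall in the 12.2.3 to 12.2.14 range?" The helper below is an added example, not code from Oracle or from the article: it parses release strings numerically (so 12.2.10 is correctly placed after 12.2.9, which a plain string comparison gets wrong) and triages a constructed host inventory. The inventory, host names and the assumption that a fourth version component (such as a release update level) still belongs to the same 12.2.x release are all hypothetical. Note the caveat it cannot resolve: the release number does not reveal whether Oracle's one-off patch for CVE-2025-61882 has been applied, so a host in range still has to be checked against its applied-patch inventory.

```python
import re

# Affected range as stated in Oracle's advisory for CVE-2025-61882 (12.2.3 .. 12.2.14, inclusive).
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.2.14' into (12, 2, 14); reject anything that is not a dotted number."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) < 3:
        raise ValueError(f"need at least major.minor.patch, got {text!r}")
    return parts


def is_affected(version: str) -> bool:
    """True when the release lies in the advisory's 12.2.3 .. 12.2.14 range.

    Tuples compare component by component as integers, so (12, 2, 10) > (12, 2, 9)
    even though the string '12.2.10' sorts before '12.2.9' lexically.
    Assumption: only the first three components identify the release; a fourth
    component (e.g. '12.2.14.1') is treated as the same release and therefore affected.
    """
    key = parse_version(version)[:3]
    return AFFECTED_MIN <= key <= AFFECTED_MAX


def triage(inventory: list[tuple[str, str]]) -> list[str]:
    """Return the host names whose EBS release is in the affected range.

    Hosts with unparseable version strings are reported separately so they are
    not silently treated as safe.
    """
    affected = []
    for host, version in inventory:
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            affected.append(f"{host} (version {version!r} unreadable, verify manually)")
    return affected


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("ebs-prod-01", "12.2.14"),
    ("ebs-test-02", "12.2.9"),
    ("ebs-legacy-03", "12.1.3"),
    ("ebs-dev-04", "12.2.2"),
    ("ebs-new-05", "12.2.15"),
    ("ebs-unknown-06", "n/a"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("in affected range:", host)
```

Run it against an export of your own inventory and feed the result into patch verification; being out of range is the only outcome this check can settle on its own.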
Earlier reports linked the campaign to several threat actors, including the notorious Cl0p and a financially motivated actor known as FIN11.
Charles Carmakal, CTO of Mandiant – Google Cloud, said the emails are being sent from hundreds of compromised email accounts, including one known to belong to FIN11: "We're currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our preliminary analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion," Carmakal said.
At the same time, the emails contained contact addresses that had previously been listed on Cl0p's data leak site, so it is possible that both groups are involved in the campaign, or are simply sharing resources. The evidence is not compelling enough to confirm the links, though.
Oracle's Indicators of Compromise (IoCs), published with the advisory, also suggest the involvement of Scattered Lapsus$ Hunters.
Via The Hacker News