Cl0p ransomware group and SCATTERED LAPSUS$ hackers tussle over leaked exploit, as security agencies warn of active exploitation of CVE-2025-61882.
Oracle released an advisory and patch on October 4 for a critical vulnerability in its Oracle E-Business Suite, but attackers were well ahead of it: the Cl0p cyber extortion operation had already been actively exploiting EBS vulnerabilities for months beforehand.
“Cl0p has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims, and has been sending extortion emails to some of those victims since last Monday,” Jake Knott, Principal Security Researcher at watchTowr, told Cyber Daily.
“Over the weekend, Oracle released a patch for a critical E-Business Suite vulnerability (CVE-2025-61882). By Monday morning, exploit code for that same flaw was already public. The attack chains together multiple vulnerabilities – including several patched in July and the one just released on October 4.”
According to Knott, the exploit chain initially looked complex and difficult to reproduce manually. That has since changed dramatically.
“But now, with working exploit code leaked, that barrier to entry is gone. It's likely that almost no one patched over the weekend. So we’re waking up to a critical vulnerability with public exploit code and unpatched systems everywhere,” Knott said.
“Based on the evidence, we believe this is Cl0p activity, and we fully expect to see mass, indiscriminate exploitation from multiple groups within days. If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls – fast.”
According to Oracle’s advisory, CVE-2025-61882 is remotely exploitable without authentication: an attacker needs no username or password. The flaw lies in the Oracle Concurrent Processing component of E-Business Suite and affects versions 12.2.3 through 12.2.14. A successful attack can give the attacker complete control of Oracle Concurrent Processing.
CVE-2025-61882 carries a CVSS base score of 9.8 (Critical). A patch is available, and both the UK’s National Cyber Security Centre and Singapore’s Cyber Security Agency have issued emergency alerts urging organisations to apply it immediately.
While Cl0p appears to be the main culprit and has been engaging in a widespread extortion campaign targeting users of the Oracle E-Business Suite platform, ShinyHunters and its various linked hacking collectives are also involved in the hacking campaign.
“In early October 2025 ‘SCATTERED LAPSUS$’, Shiny Hunters, or other naming variants used by the threat actor collective, publicly released a small exploit bundle and extortion campaign to a wide-running compromise of Oracle E-Business Suite customers,” Rapid7 said in an October 7 blog post.
The .zip archive contains three files, including a readme with instructions on how to set up and run the contained scripts, one of which contains a reference to Cl0p’s extortion campaign.
The string “SCATTERED LAPSUS$ [RETARD-CL0P] HUNTERS” opens one file, with a threat following:
“CL0P you are now REPORTED to the RFJ with your FULL Dox we have ur LOCATION U WILL BE DRONE STRIKED.”
Rapid7 believes this suggests a feud between the two groups. ‘RFJ’ could refer to the United States Department of State’s Rewards for Justice program, which offers rewards for information “that protects American lives and furthers U.S. national security objectives,” including information regarding “malicious cyber activity”.
More important, however, is the need to act quickly to contain the threat.
“Given that exploitation in-the-wild may have occurred since August 2025, customers of affected Oracle E-Business Suite instances that are accessible via the internet should conduct suitable threat hunting to detect any potential malicious activity,” Rapid7 said.
You can read Oracle’s full advisory here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.