Supply chain ⛓ Supply Chain

HIPAA Journal

📅 2025-08-09 🏢 Oracle E-Business Suite (Oracle Concurrent Processing) 🔎 CVE-2025-61882 · CVE-2025-61884
Primary Source ↗

Incident Details

The Cl0p ransomware group exploited CVE-2025-61882, a critical CVSS 9.8 zero-day unauthenticated remote code execution vulnerability in Oracle E-Business Suite (EBS), beginning as early as August 9, 2025, weeks before a patch was available. A second zero-day (CVE-2025-61884) was also exploited. Starting September 29, 2025, Cl0p launched a mass extortion campaign emailing victims from hundreds of compromised third-party accounts. Confirmed major victims include: University of Phoenix (~3.5 million individuals, data exfiltrated August 13-22, not detected until November 20); Dartmouth College (at least 1,494 individuals, attack August 9-12, claimed November 11); University of Pennsylvania; Wits University (South Africa); Harvard University. At least 3.6 million records were exposed across confirmed educational victims alone. Oracle released a patch on October 11, 2025. This campaign mirrors the 2023 MOVEit and GoAnywhere zero-day exploitation campaigns by Cl0p.

Technical Details

Initial Attack Vector: CWE-306: Missing Authentication for Critical Function (CVE-2025-61882 Oracle EBS unauthenticated RCE, CVSS 9.8)
Vendor / Product: Oracle E-Business Suite (Oracle Concurrent Processing)
Software Package: Oracle E-Business Suite
CVE / GHSA References: CVE-2025-61882, CVE-2025-61884
Supply Chain Attack: ✅ Confirmed third-party / vendor compromise

Timeline

  1. 2025-08-09 Breach occurred
  2. 2025-11-11 Publicly disclosed
  3. 2025-11-21 Customers notified