Oracle’s E-Business Suite (EBS) is under active attack through two serious security flaws: CVE-2025-61882 (exploited in the wild, lets attackers execute code remotely without authentication) and CVE-2025-61884 (lets them read sensitive configuration data without logging in). Both have been tied to campaigns run by the CL0P ransomware group, which has a history of extortion targeting enterprise systems.
The affected EBS versions range from 12.2.3 to 12.2.14. Companies that use the suite for finance, supply chain, or customer management, especially those with servers exposed to the internet, are most at risk. The attacks rely on a chain of Java payloads, including GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE, which run entirely in memory and leave little on disk. Attackers chain techniques such as SSRF, CRLF injection, authentication bypass, and XSL template manipulation to gain a foothold. Malicious templates are stored in the database tables XDO_TEMPLATES_B and XDO_LOBS, while outbound connections to attacker-controlled servers let them fetch additional payloads and exfiltrate data.
The consequences are serious. Critical business configurations, pricing information, and customer records could be leaked, leading to regulatory headaches or competitive setbacks. Some executives have already received ransom demands linked to stolen EBS data.
Oracle moved quickly, releasing a patch for CVE-2025-61882 on October 4 and guidance for CVE-2025-61884 on October 11. Experts advise companies to install updates immediately, check databases for suspicious templates, limit outbound connections, monitor requests to /OA_HTML/configurator/UiServlet and /OA_HTML/SyncServlet, and run memory checks on Java processes for signs of intrusion.
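One of the recommended checks above is to monitor requests to the two servlet paths. The script below is an added example (not from the article and not Oracle or CL0P tooling) that scans web-server access logs in the common combined format for requests to those paths and for percent-encoded CR/LF sequences in the request target, which is what a CRLF injection attempt looks like on the wire. It assumes the EBS front end (Oracle HTTP Server or a reverse proxy in front of it) writes combined-format logs; the sample log lines are constructed for illustration and are not real traffic.

```python
import re
from collections import Counter

# Servlet paths the advisory says are worth monitoring.
WATCHED_PATHS = ("/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet")

# Combined log format (Apache/OHS style). Assumption: the EBS front end logs in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Percent-encoded carriage return / line feed in the request target.
CRLF_RE = re.compile(r"%0[dD]%0[aA]|%0[aA]")

# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2025:08:01:12 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:08:02:33 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2025:08:02:34 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.9 - - [10/Oct/2025:08:05:00 +0000] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2025:08:07:45 +0000] "GET /OA_HTML/configurator/UiServlet?foo=bar%0d%0aX-Injected:%201 HTTP/1.1" 500 0 "-" "curl/8.4"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(rec):
    """Return the list of reasons a parsed request is notable (empty if none)."""
    reasons = []
    path_only = rec["path"].split("?", 1)[0]
    if path_only in WATCHED_PATHS:
        reasons.append("watched-servlet")
    if CRLF_RE.search(rec["path"]):
        reasons.append("crlf-encoded")
    return reasons


def scan(log_text):
    """Scan raw log text and return one finding per notable request."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in the expected format
        reasons = inspect_request(rec)
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "reasons": reasons,
            })
    return findings


def hits_by_source(findings):
    """Count notable requests per source address, for triage of the noisiest clients."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {', '.join(f['reasons'])}")
    print("hits by source:", dict(hits_by_source(results)))
```

In practice you would feed the script the real access log (for example `scan(open(path).read())`) and treat any hit from an address outside your own network, or any hit carrying a CRLF-encoded sequence, as a lead worth correlating with the database template check and the Java process memory inspection the article recommends. The path list and the log format are the two things to adjust for your deployment.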
These attacks show a worrying trend: zero-day flaws combined with ransomware extortion. Staying on top of patches, monitoring systems closely, and hunting for hidden threats is no longer optional—it’s essential for keeping sensitive enterprise data safe.