Oracle has addressed a zero-day flaw in one of its leading enterprise software solutions, which a cybercriminal group has been exploiting to obtain confidential details about business executives.
In a short update posted over the weekend, Oracle’s chief security officer Rob Duhart announced that the company had issued a fresh security patch for its Oracle E-Business Suite and strongly recommended that users apply the update without delay.
According to the security notice, the vulnerability—cataloged as CVE-2025-61882—can be “abused remotely without requiring authentication.” The advisory included several indicators of compromise to assist Oracle clients in detecting signs of unauthorized access, indicating that attackers are actively leveraging the flaw to extract sensitive information.
Oracle reports that its E-Business Suite is used by thousands of companies worldwide to manage operations, including storing customer records and employee HR data.
This vulnerability is classified as a zero-day because Oracle had no opportunity to address it before it was exploited by malicious actors.
Duhart’s revised statement marks a shift from earlier in the week, when a previous version noted Oracle was aware that some executives “have received extortion emails” related to vulnerabilities fixed in July, implying the extortion activity had ended. The discovery of this new zero-day flaw indicates that attackers continued to take advantage of previously unknown weaknesses in Oracle’s E-Business software.
Reports about the extortion scheme targeting business leaders surfaced last week.
On October 2, Google’s security team revealed that the well-known hacking group Clop—associated with various ransomware and extortion incidents—had sent emails to Oracle executives around September 29, threatening to release their personal data online unless paid.
Charles Carmakal, chief technology officer at Google’s incident response division Mandiant, wrote on LinkedIn Sunday that Oracle’s E-Business Suite vulnerabilities were being exploited in a “large-scale campaign” aimed at data theft and extortion.
Carmakal noted that much of this malicious activity took place in August, following the release of the July security patches.
“Clop has been issuing extortion demands to multiple victims since last Monday,” Carmakal stated, but added that not every victim has been contacted by the hackers yet.
