Threat Signal Report

Oracle E-Business Suite RCE Vulnerability

What is the Vulnerability?	CVE-2025-61882 is a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in the BI Publisher integration of Oracle E-Business Suite’s Concurrent Processing component. The flaw is remotely exploitable over HTTP without authentication, allowing attackers to execute arbitrary code and fully compromise affected systems. This vulnerability has been actively exploited as a zero-day in data theft and extortion campaigns, with activity linked to the Cl0p ransomware group. Successful exploitation enables complete takeover of Oracle Concurrent Processing, opening the door to lateral movement, sensitive data exfiltration, and potential ransomware deployment. Oracle has released an out-of-band security patch and IoCs to address the issue. Immediate patching or compensating controls are strongly recommended for all vulnerable EBS deployments.
What is the recommended Mitigation?	Apply Oracle’s emergency patch immediately for CVE-2025-61882. Oracle Security Alerts CVE-2025-61882 Block known malicious IPs / connections identified in Oracle’s IoC list and vendor threat feeds. Hunt for compromise by scanning EBS servers for signs of web shells, unexpected cron jobs, suspicious processes, or new users.
What FortiGuard Coverage is available?	Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-61882. Intrusion Prevention \| FortiGuard Labs Indicators of Compromise (IOC) and Web Filtering Service: Implemented protections against malicious traffic and C2 infrastructure, and known Indicators of Compromise (IoCs) related to this campaign, and is currently investigating for further protections. FortiGuard Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats. FortiGuard Incident Response: Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Outbreak Alert

Actively exploited as a zero-day in data theft and extortion campaigns, with activity linked to the Cl0p ransomware group. Successful exploitation enables complete takeover of Oracle Concurrent Processing, opening the door to lateral movement, sensitive data exfiltration, and potential ransomware deployment.

View the full Outbreak Alert Report

This report provides an overview of ongoing Iran-linked cyber operations, highlighting activity attributed to state-aligned proxies and hacktivist groups. The vulnerabilities listed are suspected to be exploited by actors associated with Iran in real-world campaigns, consistent with observed tactics, techniques, and procedures (TTPs). Iran-linked operations continue to rely on distributed, lower-complexity techniques, including phishing, DDoS, data exfiltration, and destructive attacks. Initial access is primarily achieved through exploitation of known, unpatched vulnerabilities and exposed edge infrastructure, reflecting a persistent and opportunistic threat posture targeting government, critical infrastructure, and enterprise environments.

View the full Outbreak Alert Report