Oracle E-Business Suite Zero-Day Exploited in Targeted Attacks by Cl0p Ransomware Group
A zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS) is being actively exploited in real-world attacks attributed to the Cl0p ransomware group. The flaw carries a critical CVSS score of 9.8 and allows remote attackers to achieve unauthenticated code execution, placing enterprise data and business operations at severe risk. Urgent patches have been released, and authorities have set a high-priority remediation deadline to limit exposure.
Technical Details and Attack Vector
CVE-2025-61882 exists within a legacy web interface module of Oracle EBS and stems from inadequate input validation in a core API endpoint. This flaw enables attackers to deliver malicious payloads over HTTP(S), bypassing authentication and leveraging arbitrary file write capabilities. Exploitation can lead to shell access, data exfiltration, lateral movement, and ransomware deployment across connected environments.
Observed Exploitation and Attribution
Security researchers have linked a recent wave of targeted intrusions to the Cl0p ransomware group, which has a documented history of exploiting enterprise vulnerabilities at scale. CrowdStrike analysts attribute these attacks to Cl0p with moderate confidence, based on malware signatures, infrastructure overlap, and operational tactics. CISA has added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog, underscoring the severity and urgency of the threat.
Patching Guidance and Risk Mitigation
Oracle has issued a security update addressing the root cause of CVE-2025-61882. Organizations are urged to prioritize patching before the mandated deadline of October 27, 2025, as delayed remediation increases the risk of ransomware attacks disrupting critical business operations. In addition to patching, network segmentation, application whitelisting, and aggressive monitoring for anomalous behavior associated with the vulnerable endpoint are strongly recommended.
Industry Impact and Recommendations
Oracle EBS is widely deployed across sectors including government, finance, manufacturing, and retail, amplifying the potential reach of this exploit. Security teams should assess the exposure of public-facing EBS instances, review historical traffic for signs of compromise, and reinforce incident response procedures. Given the sophistication of Cl0p and their history of double extortion, organizations should prepare for potential data leaks in parallel with business disruption scenarios.
Zimbra Zero-Day Exploited in Military Espionage Campaigns
A critical zero-day vulnerability in Zimbra Collaboration Suite is being actively exploited in targeted attacks against the Brazilian military, with threat actors delivering malicious ICS (Internet Calendar Scheduling) files as the initial infection vector. The campaign demonstrates advanced spear-phishing tactics and highlights the growing use of unconventional file formats for targeted cyber-espionage operations.
Technical Profile of the Vulnerability
The Zimbra vulnerability lies in the email server’s parser for ICS files, which fails to sanitize certain control fields. This flaw enables remote attackers to execute arbitrary commands on the underlying server when a maliciously crafted calendar invite is processed. The attack can be triggered simply by receiving or previewing the calendar file; no user interaction is required beyond delivery to a vulnerable account.
Attack Flow and Impact
Analysis of the Brazilian campaign revealed that attackers crafted spear-phishing emails carrying ICS attachments with embedded payloads. Once opened by targeted military personnel, the malicious code established a foothold on internal networks, facilitating lateral movement and data collection. The campaign’s success underscores the need for hardening email infrastructure against both conventional and unconventional file-based exploits.
Recommendations and Response
Zimbra has issued urgent mitigation guidance, and administrators are advised to restrict ICS file handling, monitor for unusual calendar-related activity, and deploy intrusion detection rules focusing on known indicators of compromise. Organizations in defense and government, as primary targets, should initiate rapid threat hunting and forensic review of recent calendar events.
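One way to act on the "restrict ICS file handling" advice above, as an added example that is not Zimbra's code or part of the original report: a gateway-side screen that holds any ICS attachment whose property values carry control characters, which is the class of field the report says the parser fails to sanitize. The mail gateway holding the attachment before Zimbra parses it, and the sample invites, are assumptions.

```python
"""Added example (not Zimbra's code): a conservative pre-delivery screen for ICS
calendar attachments. The page does not name the unsanitized control fields, so
the filter flags control characters in any property, oversized values, malformed
lines and non-VCALENDAR objects; the gateway holding the file is an assumption."""
import re

# RFC 5545 folds long content lines with CRLF followed by one space or tab.
_FOLD = re.compile(r"\r?\n[ \t]")
_EOL = re.compile(r"\r?\n")
# C0 controls other than TAB/CR/LF, plus DEL: none belong in a property value.
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def unfold(ics_text: str) -> list:
    """Join folded continuation lines, then split into logical content lines."""
    return [ln for ln in _EOL.split(_FOLD.sub("", ics_text)) if ln.strip()]

def screen_ics(ics_text: str, max_value_len: int = 2048) -> list:
    """Return the list of findings; an empty list means the file may be delivered,
    anything else means hold it for review."""
    findings = []
    lines = unfold(ics_text)
    if (not lines or lines[0].upper() != "BEGIN:VCALENDAR"
            or lines[-1].upper() != "END:VCALENDAR"):
        findings.append("not a VCALENDAR object")
    for ln in lines:
        # A content line is NAME[;PARAM=value...]:VALUE; no ':' means malformed.
        if ":" not in ln:
            findings.append(f"malformed line: {ln[:40]!r}")
            continue
        name_part, value = ln.split(":", 1)
        name = name_part.split(";", 1)[0].upper()
        if _CONTROL.search(name_part) or _CONTROL.search(value):
            findings.append(f"control characters in {name}")
        if len(value) > max_value_len:
            findings.append(f"oversized value in {name} ({len(value)} chars)")
    return findings

def should_quarantine(ics_text: str) -> bool:
    return bool(screen_ics(ics_text))

# Constructed samples: a benign folded invite, and the same invite with ESC and
# NUL bytes injected into SUMMARY (stand-ins for an unsanitized control field).
BENIGN_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//example//screen//EN\r\n"
    "BEGIN:VEVENT\r\nUID:1@example.invalid\r\nDTSTART:20250101T090000Z\r\n"
    "SUMMARY:Quarterly\r\n  review\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
SUSPECT_ICS = BENIGN_ICS.replace("SUMMARY:Quarterly", "SUMMARY:Quarterly\x1b\x00")
```

Held files should be reviewed rather than silently dropped, since legitimate invites from unusual clients can also trip the size and format checks.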
Industrial Cellular Routers Used for SMS Phishing Campaigns Across Europe
New threat intelligence reports identify widespread abuse of exposed APIs in Milesight industrial cellular routers, with attackers leveraging these devices to orchestrate mass SMS phishing (smishing) campaigns targeting European countries. These attacks highlight the expanding threat surface associated with insecure Internet-connected industrial hardware.
Nature of the Vulnerability
The vulnerabilities stem from insufficient authentication on the router’s management and messaging APIs. Attackers scan for exposed routers and send malicious SMS messages from compromised devices, using them as proxy relays to evade geofencing and other carrier-level filtering controls. The malicious SMS payloads have been tied to credential harvesting and banking malware campaigns.
Attack Scale and Tactics
Incident reports indicate that attackers have compromised hundreds of routers, facilitating the delivery of localized phishing messages in multiple languages. The campaign’s infrastructure enables rapid rotation of sender numbers, lowering the likelihood of blocking and increasing the spear-phishing attack success rate.
Mitigation Actions
Administrators are advised to update router firmware, enforce strong authentication for API access, and restrict management ports to internal or VPN-restricted networks. Operators should also monitor device logs for anomalous outbound messaging activity and coordinate with telecom partners to blacklist traffic from identified compromised devices.
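The "monitor device logs for anomalous outbound messaging activity" step above, as an added example that is not Milesight's code or part of the original report: a detector that watches each router's outbound SMS volume and recipient fan-out inside a sliding window, which is the pattern a router abused as a smishing relay would show. The log line format, router names, numbers and thresholds are all constructed for illustration.

```python
"""Added example (not Milesight's code or its real log format): raise an alert
when one router sends more outbound SMS, or to more distinct numbers, than a
baseline allows in a sliding window. Log format and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 time> <router-id> SMS_OUT to=<number> len=<n>"
_LINE = re.compile(r"^(?P<ts>\S+) (?P<router>\S+) SMS_OUT to=(?P<to>\+?\d+) len=\d+$")

def parse(line: str):
    # Returns (timestamp, router, recipient), or None for unrelated/malformed lines.
    m = _LINE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["router"], m["to"]

def detect_sms_relay(lines, window=timedelta(minutes=5), max_msgs=10, max_recipients=5):
    """Return [(router, time, reason)] alerts, at most one per router per
    threshold; lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # router -> deque of (timestamp, recipient)
    alerted = defaultdict(set)    # router -> thresholds already reported
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, router, to = ev
        q = recent[router]
        q.append((ts, to))
        while ts - q[0][0] > window:   # drop events that left the window
            q.popleft()
        distinct = len({t for _, t in q})
        if len(q) > max_msgs and "volume" not in alerted[router]:
            alerted[router].add("volume")
            alerts.append((router, ts, f"{len(q)} outbound SMS within {window}"))
        if distinct > max_recipients and "fanout" not in alerted[router]:
            alerted[router].add("fanout")
            alerts.append((router, ts, f"{distinct} distinct recipients within {window}"))
    return alerts

def sample_log():
    """Constructed log: rtr-A sends two routine alerts; rtr-B fans out 12 SMS."""
    base = datetime(2025, 10, 6, 8, 0, 0)
    lines = [f"{(base + timedelta(minutes=m)).isoformat()} rtr-A SMS_OUT to=+4915500000001 len=40"
             for m in (0, 30)]
    lines += [f"{(base + timedelta(seconds=10 * i)).isoformat()} rtr-B SMS_OUT to=+49170{i:07d} len=120"
              for i in range(12)]
    lines.append("2025-10-06T08:03:00 rtr-B LINK_UP cell=LTE")   # unrelated event
    return sorted(lines)
```

Tune the thresholds to each site's legitimate SMS use (alarm notifications to a handful of operator numbers), so that the fan-out rule, not the volume rule, is usually the first to fire.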