Oracle Issues Emergency Patch for Clop-Linked Breaches of its E-Business Suite
October 22, 2025
Oracle has announced an emergency patch for its E-Business Suite (EBS) after identifying a critical flaw in the Runtime UI component, tracked as CVE-2025-61884.
Carly Page of The Register reports that the vulnerability carries a CVSS score of 7.5 and can be exploited remotely without authentication. It can potentially grant unauthorized access to sensitive enterprise resources.
The release follows ongoing Clop-related attacks that have already impacted universities and major organizations and have sparked concerns about EBS’s exposure to chained exploits and persistent threats.
The newly disclosed flaw is part of a broader context of vulnerabilities affecting Oracle’s EBS. A week earlier, Oracle issued a zero-day patch for another critical bug that allowed remote code execution without login credentials, reportedly exploited as part of the ongoing Clop hacking campaign.
Researchers indicate that attackers may have been probing EBS systems as early as July, using multiple vulnerabilities in sequence to access enterprise networks.
Oracle has not confirmed whether the latest Runtime UI flaw has been leveraged in active attacks or directly linked to prior Clop incidents.
Harvard University has disclosed a cybersecurity investigation related to the EBS breaches, which affected a limited administrative unit, with patches now applied to mitigate the risk.
Oracle strongly advises customers to apply the emergency patch immediately, as it addresses the potential for exploitation of sensitive data and business-critical processes. While the exact scope and impact of the vulnerability are unclear, the pattern of repeated EBS flaws illustrates the ongoing challenges in securing complex enterprise applications, particularly against persistent threat actors who may exploit vulnerabilities to maximize impact.
Legal teams should double-check their enterprise’s rapid patch management and inquire about thorough, well-documented vulnerability assessments and coordinated incident response.
Enterprises relying on E-Business Suite should verify that prior updates have been applied comprehensively and remain vigilant for emerging security alerts. Systems that aren’t patched or are only partially mitigated face elevated risk and expose the enterprise to lawsuits.