
Weekly Cyber Briefing 06.10.2025
Cyber Intelligence Briefing: 06 October 2025
Oracle’s emergency patch for Clop extortion bug; ‘Time to Exploit’ data shows attackers moving faster than ever; Hackers with ethics…sort of
The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.
CVE-2025-61882 is a critical remote code execution bug (CVSS 9.8) in the Oracle E-Business Suite’s Concurrent Processing / BI Publisher integration. It can be triggered without authentication over HTTP and is being actively exploited. Oracle issued an emergency patch on 4 October 2025, which requires the October 2023 Critical Patch Update (CPU) to be applied first as a prerequisite.
The vulnerability has been linked to the Clop data-theft/extortion group — a public proof-of-concept and exploit archive leaked online, and Oracle’s indicators of compromise match that leak.
Exploitation has been confirmed in the wild. Mandiant reports that the Clop group exploited multiple Oracle E-Business Suite vulnerabilities — including issues addressed in the July 2025 CPU and this zero-day — to steal large volumes of data in August 2025. No specific victims have been publicly named, though several organisations have reported extortion attempts, and investigations are ongoing.
The indicators of compromise are:
Advice for Oracle engineers and security practitioners:
1) Patch & prerequisites (change window ASAP)
2) Exposure reduction (immediately)
3) Hunt & triage
Search across all EBS hosts and reverse proxies for the last 60–90 days:
4) If you find indicators / suspicious activity…
5) Hardening (post-patch)
Google’s Threat Intelligence Group analysed 112 vulnerabilities disclosed in 2024 that were confirmed to be exploited in the wild. Historically, most exploits target vulnerabilities after a patch is released, rather than before — a roughly 31:69 split between zero-day (before patch) and n-day (after patch) attacks.
The time to exploit (TTE) measures the time it takes for attackers to begin exploiting a vulnerability once a patch is available. The Google data shows that the window has been shrinking rapidly:
The trend revealed by this Google data indicates that attackers are moving faster than ever, often striking before defenders have a chance to patch. It highlights the importance of strong incident response planning and cyber insurance to help organisations recover from attacks that can’t be prevented through patching alone.
While we can’t control the uncontrollables, we can control timely patching. Automate patch deployment (with patch rings, canary devices, etc.) so that patches are rolled out as soon as they are available. It’s also important to plan for the possibility of no patch. Good incident response plans should make provisions for exploits that cannot be patched.
The hackers known as Radiant, who tried to extort the nursery chain Kido Schools by posting stolen images and data of children online, have removed the posts and claimed to have deleted the information. The group had published child profiles and threatened to release more until a Bitcoin ransom was paid, even contacting parents directly. Following widespread outrage, the attackers blurred the images, then took all data offline and issued an apology.
It’s believed that Kido did not pay the ransom, which was thought to be over half a million pounds.
This incident reminds us of the LockBit ransomware attack on a children’s hospital in Toronto, Canada (SickKids Hospital), in December 2022. In that incident, the LockBit operators issued a public apology on their leak site, claiming that one of their affiliates had violated group policy by targeting a healthcare organisation. They offered a free decryptor key to the hospital and said the responsible affiliate had been “blocked.”
These examples serve as a reminder of the importance of using PR to go on the offensive and turn public opinion against the threat groups. An external communications strategy should therefore be considered as part of crisis planning.