Before we begin today's briefing, we have a critical security alert. CVE-2025-61882, a remote code execution vulnerability in Oracle E-Business Suite, has been added to the CISA Known Exploited Vulnerabilities catalog.
Good morning. This is your security briefing for Monday, October 6th, 2025, covering 4 critical developments from the past day. All attribution is by the article authors, and all article analysis is automated.
CrowdStrike has identified an active campaign exploiting a zero-day vulnerability in Oracle E-Business Suite, now tracked as CVE-2025-61882. The vulnerability is being actively exploited in the wild against Oracle's enterprise resource planning software, representing an immediate threat to organizations running Oracle E-Business Suite.
watchTowr Labs has verified an exploit chain for this same Oracle vulnerability that enables pre-authentication remote code execution. The vulnerability is actually a chain of multiple weaknesses, and the sophistication suggests the original attacker has deep knowledge of Oracle EBS architecture.
StrikeReady Labs reports that a Chinese APT group targeted a Serbian government aviation department with a spearphishing campaign using fake Cloudflare Turnstile pages. The threat actor leverages the Sogu/PlugX/Korplug toolset (three names for the same malware family), which has been reliably attributed to Chinese espionage operations for over a decade; similar targeting has been observed against other European nations.
rxerium has released a GitHub repository containing detection signatures for CVE-2025-61882, the Oracle E-Business Suite zero-day. This community effort provides security teams with detection capabilities to identify exploitation attempts of this critical unpatched Oracle vulnerability.