🗓️ 6 October 2025
⏱️ 6 minutes
| 0:00.0 | Hello and welcome to the Monday, October 6, 2025 edition of the SANS Internet Storm Center's |
| 0:11.1 | Stormcast. My name is Johannes Ullrich, recorded today from Denver, Colorado. And this episode |
| 0:17.8 | is brought to you by the SANS.edu graduate certificate program in cloud security. |
| 0:23.7 | Well, to start out with, we have some bad news for users of Oracle's E-Business Suite. |
| 0:29.6 | Last week, I think it was Wednesday, Thursday. |
| 0:32.5 | There was news coming up that many companies using Oracle's E-Business Suite did receive letters, emails |
| 0:39.7 | from the Clop ransomware gang stating that their Oracle E-Business Suite had been compromised |
| 0:46.7 | and, well, that data had been stolen. |
| 0:51.3 | Oracle shortly after, yeah, their chief security officer did publish a blog post |
| 0:57.6 | stating that they assume that the vulnerability being exploited here is a vulnerability |
| 1:02.9 | patched as part of Oracle's critical patch update in June. So as long as you had that applied, |
| 1:09.8 | well, you should be good. Then safe from |
| 1:12.9 | any exploitation, pretty much should disregard this ransom note. Well, on Saturday, Oracle changed |
| 1:20.8 | its stance on this. Oracle did publish an additional patch for its E-Business Suite, |
| 1:27.6 | this patch fixes a vulnerability with a CVSS score of 9.8. |
| 1:34.2 | According to Oracle, the vulnerability does allow the execution of arbitrary code |
| 1:40.0 | across the network without any authentication. |
| 1:44.6 | So certainly one of the sort of kind of worst case scenarios. |
| 1:49.1 | And that apparently is what's behind these letters emails from the Clop ransomware gang. |
| 1:56.7 | So if you received one of those emails stating that your data may have been compromised, |
| 2:03.2 | first of all, take it serious, assume it's real, and, well, switch to incident response mode. |
| 2:09.5 | This should be your highest priority on Monday. |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.