NCSC CRITICAL WARNING: Oracle E-Business Suite 0-Day Actively Exploited in the Wild

CODE RED • NCSC CRITICAL WARNING

   
By CyberDudeBivash • October 06, 2025 • Urgent Security Directive
cyberdudebivash.com | cyberbivash.blogspot.com

Disclosure: This is an urgent security advisory for enterprise IT and security leaders. It contains affiliate links to relevant security solutions. Your support helps fund our independent research.

Chapter 1: The Alarm Bells Are Ringing — The NCSC Issues Critical Warning

The UK's National Cyber Security Centre (NCSC) has issued a critical alert regarding active, in-the-wild exploitation of a new, unpatched zero-day vulnerability in Oracle E-Business Suite (EBS). This is the highest level of warning a national CERT can issue. It indicates that they, along with their international partners, have concrete intelligence that sophisticated threat actors are successfully compromising organizations using this flaw, which we have been tracking as **CVE-2025-22998**.

As we warned when the **public PoC was released**, any unpatched, internet-facing EBS instance is at extreme risk. This NCSC alert confirms that the risk is no longer theoretical; it is an active, ongoing campaign.

Chapter 2: The Attacker's Playbook — From Exploit to Enterprise Compromise

The goal of the attackers is a full takeover of your enterprise's "crown jewel" data. The TTPs are consistent with elite data extortion groups like **Cl0p** and nation-state espionage actors.

  1. **Exploitation:** The attacker uses the unauthenticated RCE to gain an initial foothold on the EBS server.
  2. **Payload Deployment:** They deploy a stealthy backdoor, such as a webshell or an in-memory implant, to establish persistent access.
  3. **Credential Dumping:** They use tools like Mimikatz to dump credentials from the server's memory, seeking the credentials of a Domain Administrator.
  4. **Lateral Movement:** Using the stolen credentials, they pivot from the EBS server to the core of the network, most notably the Domain Controllers.
  5. **Data Exfiltration/Ransomware:** The attacker achieves their final objective: exfiltrating the entire contents of the ERP database for extortion, or deploying ransomware across the entire enterprise.

Chapter 3: The NCSC's Directive — An Immediate Containment and Hunting Plan

With no patch available, the official guidance is focused on containment and detection. You must act now.

1. IMMEDIATE NETWORK CONTAINMENT

This is the only guaranteed way to stop the initial attack. Your Oracle EBS web interface ports **must not be accessible from the public internet.** Use your perimeter firewall or WAF to block all access from untrusted networks immediately.

2. HUNT FOR COMPROMISE (Assume Breach)

You must assume your systems have been targeted. The NCSC urges all EBS customers to immediately begin proactive threat hunting. The highest-fidelity indicator is seeing the core Oracle process spawn a shell. Use your EDR platform to run this query across all EBS servers:

```
ParentProcess IN ('ebs_process', 'ias_process', 'frmweb.exe') AND ProcessName IN ('cmd.exe', 'powershell.exe', '/bin/bash', '/bin/sh')
```

3. MONITOR FOR A PATCH

Continuously monitor Oracle's official security advisories for an emergency patch and be prepared to deploy it the moment it is released.
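To show how the hunt in step 2 can be replayed over exported process-creation telemetry, here is an added Python example; it is not part of the original advisory and not an EDR vendor's product code. It assumes a JSON-lines export with `ts`, `host`, `parent`, `image` and `cmdline` fields (an assumption about the export schema; map the names to whatever your EDR emits) and runs over a handful of constructed sample events. It reproduces the advisory's query logic and, beyond it, tolerates full image paths and Windows case differences and tallies hits per host so responders know which servers to isolate first.

```python
"""Added example, not from the original advisory: replay the NCSC-style
hunt ("core Oracle process spawns a shell") over exported process-creation
events.  The JSON-lines field names and the sample events are assumptions
constructed for illustration; map them to your EDR's export schema."""
import json
from collections import Counter

# Parent process names taken from the advisory's EDR query.
EBS_PARENTS = {"ebs_process", "ias_process", "frmweb.exe"}
# Shell interpreters an ERP application server has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "/bin/bash", "/bin/sh"}

# Constructed sample telemetry (hypothetical hosts, times and commands).
SAMPLE_EVENTS = r"""
{"ts":"2025-10-06T09:14:02Z","host":"ebs-app-01","parent":"ias_process","image":"/bin/sh","cmdline":"/bin/sh -c id"}
{"ts":"2025-10-06T09:14:05Z","host":"ebs-app-01","parent":"ias_process","image":"/usr/bin/java","cmdline":"java -jar oacore.jar"}
{"ts":"2025-10-06T09:15:10Z","host":"ebs-web-02","parent":"frmweb.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"ts":"2025-10-06T09:16:00Z","host":"ebs-web-02","parent":"explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe"}
{"ts":"2025-10-06T09:17:30Z","host":"ebs-app-01","parent":"ebs_process","image":"/bin/bash","cmdline":"bash -i"}
"""


def basename(path: str) -> str:
    """Executable name from a POSIX or Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_ebs_parent(parent: str) -> bool:
    """Parent matches the advisory's list, tolerating full paths and case."""
    return basename(parent).lower() in EBS_PARENTS


def is_shell(image: str) -> bool:
    """Unix shells are matched on the full path; Windows shells on the
    case-insensitive basename, since EDRs usually report the full image path."""
    return image in SHELLS or basename(image).lower() in SHELLS


def hunt(jsonl: str) -> list:
    """Return every event in which an EBS parent process spawned a shell."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_ebs_parent(ev.get("parent", "")) and is_shell(ev.get("image", "")):
            hits.append(ev)
    return hits


def hosts_to_isolate(hits: list) -> Counter:
    """Count hits per host so responders can prioritise network isolation."""
    return Counter(ev["host"] for ev in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for ev in found:
        print(f"{ev['ts']} {ev['host']}: {ev['parent']} -> {ev['cmdline']}")
    print("hosts to isolate:", dict(hosts_to_isolate(found)))
```

In the sample data the `explorer.exe` parent on `ebs-web-02` is deliberately not flagged: an administrator opening a console is expected, a Forms or OACore process doing so is not. That parent-child pairing is what gives the rule its low false-positive rate, so keep the parent list tight rather than alerting on every shell launch.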

Chapter 4: The Strategic Imperative — Defending Tier-0 Assets

An NCSC alert for an actively exploited zero-day in your core ERP system is a board-level issue. It is the ultimate test of your security program's resilience. A strategy that relies purely on preventative controls has already failed. Your ability to survive this event depends entirely on your **detection and response** capabilities.

This incident is the ultimate justification for investing in a mature, proactive security operation built on a **Zero Trust** architecture and powered by an **XDR platform**. Can you see what an attacker does *after* they bypass your firewall? Can you contain their lateral movement? These are the questions that determine survival.

Detect the Post-Exploitation Phase: An XDR platform is your essential safety net for post-breach investigation. A solution like **Kaspersky's XDR** provides the deep behavioral visibility needed to detect the attacker's TTPs—credential dumping, lateral movement, and data exfiltration—before they can achieve their final objective.

About the Author


CyberDudeBivash is a cybersecurity strategist with 15+ years in enterprise application security, incident response, and threat intelligence, advising CISOs of Fortune 500 companies across APAC. [Last Updated: October 06, 2025]


#CyberDudeBivash #Oracle #EBS #ZeroDay #RCE #CVE #CyberSecurity #NCSC #ThreatIntel #InfoSec #IncidentResponse
