The Clop ransomware gang has launched a new wave of mass exploitation attacks targeting Oracle E-Business Suite (EBS).
The threat actors leverage both known vulnerabilities and a previously undisclosed zero-day to steal sensitive data from multiple organizations, starting in August 2025. Victims have since begun receiving extortion demands from the group, marking a continuation of Clop’s long-standing strategy of using zero-day vulnerabilities for large-scale data theft.
Mandiant’s CTO Charles Carmakal revealed that Clop exploited multiple flaws in Oracle EBS, some patched in Oracle’s July 2025 update and one patched only on October 4, 2025. The critical zero-day, tracked as CVE-2025-61882, received a CVSS score of 9.8 and allows unauthenticated remote code execution via the BI Publisher integration component over HTTP. This enables attackers to compromise Oracle EBS servers over the network without requiring any credentials.
Oracle confirmed the vulnerability in a security alert and emphasized that organizations must apply the latest patches immediately. The flaw affects all supported versions of Oracle EBS between 12.2.3 and 12.2.14. Oracle's advisory includes detection guidance, indicators of compromise, and SHA-256 hashes of exploit-related files, which include Python scripts and ZIP archives with file names referencing Clop, Scattered Spider, and Lapsus$.
Oracle E-Business Suite is a widely deployed enterprise resource planning (ERP) platform used by governments, financial institutions, manufacturers, and multinational corporations for mission-critical operations such as finance, supply chain management, and human resources. Given its role in handling sensitive data and essential business processes, EBS systems are high-value targets for financially motivated threat actors like Clop.
Clop’s campaign reportedly began in August 2025, with exploitation likely continuing even after the October patch release. While some affected organizations have received extortion emails from the group, Mandiant warns that many others may be unaware of their compromise and should proactively investigate their environments.
This incident marks yet another in Clop’s extensive history of targeting managed file transfer and enterprise software platforms via zero-day exploits. Previous campaigns of this sort include:
- 2020: Accellion FTA zero-day, impacting nearly 100 organizations
- 2021: SolarWinds Serv-U FTP vulnerability
- 2023: GoAnywhere MFT zero-day, breaching over 100 firms
- 2023: MOVEit Transfer zero-day, affecting 2,773 entities globally
- 2024: Cleo MFT platform zero-days (CVE-2024-50623 and CVE-2024-55956)
Leave a Reply