Clop Ransomware Exploitation of Oracle E-Business Suite Zero-Day Vulnerability
Oracle disclosed a critical zero-day vulnerability, CVE-2025-61882, in its E-Business Suite that was actively exploited by the Clop ransomware group in a widespread data theft and extortion campaign. Oracle addressed the flaw in a security advisory released on a Saturday and urged customers to apply the patch immediately to mitigate the risk of compromise.

Federal cyber authorities and threat intelligence researchers expressed heightened concern following Oracle’s announcement, as the flaw had been exploited for at least eight weeks before some victims received extortion demands. Clop leveraged this zero-day, along with other vulnerabilities previously addressed in Oracle’s July security update, to gain unauthorized access to enterprise resource planning (ERP) systems. Once inside, the attackers exfiltrated sensitive data and then targeted executives with spear-phishing emails containing ransom demands, threatening to leak or misuse the stolen information.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog, confirming its use in active ransomware campaigns. Oracle’s Chief Security Officer, Rob Duhart, updated customers via a blog post, providing indicators of compromise and emphasizing the urgency of patching. The FBI’s Cyber Division described the situation as an emergency, citing the critical role Oracle E-Business Suite plays in both public and private sector organizations and the strong incentive for attackers to weaponize the vulnerability quickly. Security briefings noted that organizations running Oracle E-Business Suite were specifically targeted, with attackers using sophisticated spear-phishing tactics to maximize the impact of their extortion efforts.
The campaign’s discovery has amplified concerns about the security of widely used ERP platforms and the increasing sophistication of ransomware groups like Clop. The incident underscores the importance of timely patch management and the need for organizations to monitor for indicators of compromise associated with this vulnerability. The attack has prompted a rapid response from both Oracle and federal agencies, with advisories and threat intelligence updates being disseminated to help organizations defend against ongoing exploitation. The event has also reignited discussions about the risks posed by zero-day vulnerabilities in critical business applications and the necessity for coordinated industry response. As the situation develops, organizations are advised to remain vigilant, apply all relevant security updates, and review their incident response plans to address potential data theft and extortion scenarios. The Clop group’s exploitation of this zero-day highlights the evolving tactics of ransomware actors and the persistent threat they pose to enterprise environments.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Steam blocks exploit-related launch parameters for Unity games
Valve introduced a mitigation on Steam by blocking Unity games launched with certain command-line parameters associated with exploitation of CVE-2025-59489. The step was intended to reduce abuse while developers work to ship rebuilt games.
Microsoft warns Windows users to uninstall unpatched Unity games
In response to the Unity vulnerability, Microsoft said Xbox was not affected but warned Windows users about the risk. The company urged users to uninstall Unity-based games until patched versions become available.
Unity releases patch but requires developers to rebuild affected games
Unity issued a patch for CVE-2025-59489, but full remediation requires developers to recompile and redistribute games built with Unity Editor 2017.1 and later. This left a large residual attack surface because many already-shipped games would remain vulnerable until updated by their developers.
Unity vulnerability CVE-2025-59489 is disclosed
A high-impact Unity game engine flaw, CVE-2025-59489, was disclosed that allows a malicious app on the same device to inject command-line arguments into Unity-based games and load malicious code. Research initially focused on Android, but the issue was described as potentially affecting other platforms as well.
Oracle E-Business Suite zero-day campaign linked to Clop emerges
A recent mass-exploitation and extortion campaign targeting Oracle E-Business Suite was reported, tied to CVE-2025-61882 and linked to Clop. The activity centered on data theft and extortion rather than disruptive encryption of victim systems.
Clop begins shift from ransomware to data-extortion campaigns
By 2019, the Clop group had moved away from primarily encrypting victims' systems and increasingly focused on stealing data and extorting organizations. This strategic shift set the pattern for later mass-exploitation campaigns against widely deployed enterprise software.
Clop exploits zero-days in major file-transfer products
Over subsequent years, Clop conducted large-scale campaigns using zero-day flaws in products including Accellion, GoAnywhere, MOVEit, and Cleo. These operations caused widespread data breaches across many organizations and established the group's playbook of mass data theft and extortion.
Sources
Clop is a Big Fish, But Not Worth Hunting (lawfaremedia.org)
Clop is a Big Fish, But Not Worth Hunting (news.risky.biz)
Risky Bulletin: Microsoft tells users to uninstall games affected by major Unity bug (news.risky.biz)
Oracle zero-day defect amplifies panic over Clop’s data theft attack spree (cyberscoop.com)