Oracle E-Business Suite Zero-Day Exploited by Cl0p in Mass Extortion Campaign
Cl0p ransomware operators launched a widespread extortion campaign targeting Oracle E-Business Suite (EBS) customers by exploiting a previously unknown zero-day vulnerability, later assigned CVE-2024-61882. The campaign began as early as July or August, with Google's threat intelligence team tracking the exploitation weeks before Oracle became aware of the issue. Attackers leveraged the vulnerability to gain unauthorized access to EBS environments, deploying sophisticated multi-stage Java-based implants such as GOLDVEIN, SAGEGIFT, and SAGEWAVE. These implants operated entirely in memory, making detection difficult, and communicated with command-and-control servers using traffic disguised as legitimate TLS handshakes. The payloads were stored directly in the EBS database, and attackers used compromised third-party email services to facilitate their operations. Once data was exfiltrated, Cl0p initiated mass extortion by sending emails to executives, threatening to release stolen information unless a ransom was paid. The attack pattern mirrored previous Cl0p campaigns, notably the MOVEit mass exploitation, indicating a strategic focus on widely used enterprise applications. Oracle responded by releasing emergency patches on October 4th, but by that time, many organizations had already suffered breaches and data theft. The campaign highlighted the risks associated with delayed vulnerability disclosure and patching in critical business applications. Security researchers emphasized the technical sophistication of the implants, which were designed to evade traditional endpoint detection and response (EDR) solutions. The incident underscored the importance of proactive threat intelligence and rapid patch management for organizations relying on Oracle EBS. Industry observers noted that the campaign's scale and impact were significant, with numerous enterprises affected globally. The use of in-memory implants and stealthy C2 communications represented an evolution in Cl0p's tactics, making incident response and forensic analysis more challenging. The attack also raised concerns about the security of third-party integrations and the broader supply chain within enterprise environments. Oracle's emergency response included not only patches but also guidance for detecting signs of compromise and mitigating further risk. The event served as a stark reminder of the persistent threat posed by ransomware groups targeting high-value enterprise software platforms. Organizations were urged to review their security posture, monitor for unusual activity in EBS environments, and apply patches without delay. The campaign's exposure prompted renewed calls for improved collaboration between software vendors, threat intelligence teams, and end users to reduce the window of opportunity for attackers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
Google DeepMind unveils CodeMender vulnerability-fixing AI agent
Google DeepMind introduced 'CodeMender,' an AI agent designed to find and fix vulnerabilities using multiple validation techniques and human review. The company said the system had already contributed dozens of upstreamed open-source security fixes.
Unit 42 reveals IUAM ClickFix Generator phishing-kit factory
Palo Alto Networks Unit 42 disclosed an 'IUAM ClickFix Generator' phishing-kit factory used to deliver infostealers. The disclosure added new technical details about tooling supporting phishing and malware delivery.
DraftKings hit by credential-stuffing activity
DraftKings was reported as a target of credential-stuffing attacks. The incident highlighted ongoing account takeover risk driven by reused credentials.
Qilin claims attack on Asahi
The Qilin ransomware/extortion group claimed it had attacked Asahi. This represented a new victim claim in the reporting period.
Salesforce faces extortion attempt
An extortion attempt involving Salesforce was reported as part of the roundup's threat activity. The item identified Salesforce as the target of a distinct extortion-related incident.
Attackers attempt to exploit older Grafana vulnerability
Exploitation attempts were observed for an older Grafana bug during the same reporting period. The activity indicated continued attacker use of previously disclosed vulnerabilities.
Scanning surges against Palo Alto Networks portals
Security reporting noted a surge in scanning activity targeting Palo Alto Networks portals. The increase suggested heightened attacker interest and possible preparation for exploitation.
Critical Redis RCE flaw CVE-2025-49844 is disclosed
A critical remote code execution vulnerability in Redis, tracked as CVE-2025-49844, was reported with a CVSS score of 10.0. Its disclosure added a major newly identified software risk to the reporting period.
Microsoft reports Storm-2657 phishing targeting US universities
Microsoft disclosed activity by the 'payroll pirate' phishing actor Storm-2657 targeting US universities. The campaign was highlighted as an active threat affecting higher-education institutions.
SonicWall cloud backup breach exposes customer firewall backups
A breach of SonicWall's cloud backup environment exposed firewall configuration backups for all cloud-backup customers. The exposed backups could enable follow-on intrusions by revealing sensitive material such as TOTP seeds and VPN credentials.
Oracle releases patches for CVE-2024-61882 after months of exploitation
Oracle released patches for CVE-2024-61882 only after the zero-day had reportedly been exploited for an extended period. The delayed patching marked a key turning point in the Oracle E-Business Suite intrusion story.
Cl0p exploits Oracle E-Business Suite zero-day before patching
The Cl0p extortion group exploited Oracle E-Business Suite vulnerability CVE-2024-61882 for months before patches were released. The activity reportedly used in-memory Java implants and database-stored payloads to steal data stealthily and support later extortion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cl0p Ransomware Group Exploits Oracle E-Business Suite Zero-Day for Data Theft and Extortion
The Cl0p ransomware group orchestrated a significant cyber extortion campaign by exploiting multiple vulnerabilities in Oracle E-Business Suite (EBS), including a previously unknown zero-day flaw tracked as CVE-2025-61882. According to reports, Cl0p leveraged these vulnerabilities to gain unauthorized access to EBS environments and exfiltrate large volumes of sensitive data from several organizations in August 2025. Security researchers, including Charles Carmakal, CTO at Mandiant, and CrowdStrike, confirmed that the attacks began on August 9, 2025, and were part of a coordinated effort targeting Oracle EBS customers. The attackers used the zero-day vulnerability to bypass security controls and escalate privileges within the affected systems, enabling them to steal confidential business information and customer data. The stolen data was then used as leverage in extortion attempts, with Cl0p threatening to publicly release or sell the information unless ransom demands were met. The campaign demonstrated a high level of sophistication, as Cl0p combined the exploitation of the zero-day with other known vulnerabilities to maximize their access and impact. Security advisories highlighted the critical nature of CVE-2025-61882, urging organizations to apply patches and implement additional security measures to protect their Oracle EBS deployments. The incident underscored the ongoing threat posed by ransomware groups exploiting enterprise software vulnerabilities, particularly those that remain unpatched or are not widely known. Oracle customers were advised to review their security posture, monitor for signs of compromise, and engage in threat hunting activities to detect potential intrusions. The attacks also prompted discussions about the importance of timely vulnerability disclosure and patch management in reducing the risk of large-scale data breaches. Industry experts noted that the Cl0p campaign was part of a broader trend of ransomware actors targeting business-critical applications to maximize extortion pressure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the Oracle EBS zero-day to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of remediation. Organizations impacted by the breach faced significant operational and reputational risks, as well as potential regulatory consequences due to the exposure of sensitive data. The incident served as a stark reminder for enterprises to prioritize the security of their ERP systems and to stay vigilant against evolving ransomware tactics. Security vendors and incident response teams collaborated to share indicators of compromise and mitigation strategies, aiming to limit the spread and impact of the Cl0p campaign. The exploitation of Oracle EBS by Cl0p highlighted the persistent threat of zero-day attacks and the need for robust, layered defenses in enterprise environments.
Mar 21, 2026
Cl0p Ransomware Group Exploits Oracle E-Business Suite Zero-Day for Data Theft
Threat actors associated with the Cl0p ransomware group have exploited a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, to facilitate large-scale data theft attacks. The flaw, which carries a CVSS score of 9.8, allows unauthenticated attackers with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component. According to Mandiant CTO Charles Carmakal, Cl0p exploited multiple vulnerabilities in Oracle EBS, including those patched in Oracle's July 2025 update and the newly addressed CVE-2025-61882, to steal significant amounts of data from several organizations in August 2025. The attacks highlight the persistent threat posed by ransomware groups leveraging both known and unknown vulnerabilities to breach enterprise systems. Oracle responded by releasing a patch for CVE-2025-61882, but the incident underscores the importance of timely patch management, as some exploited vulnerabilities had been addressed in previous updates. The exploitation campaign demonstrates Cl0p's technical sophistication and ability to chain multiple vulnerabilities for maximum impact. Victims of these attacks faced the risk of sensitive data exfiltration, with the potential for extortion or public leaks. The incident has raised concerns about the security of widely deployed enterprise resource planning (ERP) platforms, especially those exposed to the internet. Security experts recommend organizations using Oracle EBS urgently apply all relevant patches and review their exposure to internet-facing components. The attacks also serve as a warning about the increasing trend of ransomware groups targeting business-critical applications rather than just endpoints. The campaign has prompted renewed calls for organizations to enhance monitoring, implement network segmentation, and restrict unnecessary external access to ERP systems. The Cl0p group's activity in this case is part of a broader pattern of ransomware operators exploiting high-impact vulnerabilities for data theft and extortion. The incident has been widely discussed in the cybersecurity community as a case study in the risks of delayed patching and the evolving tactics of financially motivated threat actors. Organizations are urged to coordinate with their security vendors and incident response teams to assess potential exposure and strengthen their defenses against similar attacks. The Oracle EBS zero-day exploitation by Cl0p is a stark reminder of the need for continuous vulnerability management and proactive threat intelligence sharing across the industry.
Mar 21, 2026
Oracle E-Business Suite Zero-Day Exploitation and Emergency Patching
Oracle E-Business Suite (EBS) has been the target of a sophisticated cyberattack campaign exploiting multiple zero-day vulnerabilities, resulting in significant data breaches and prompting an urgent security response. According to reports, dozens of organizations have been impacted by the exploitation of a critical flaw in Oracle EBS, tracked as CVE-2025-61882, which has been actively used by threat actors since at least August 2025. The attackers leveraged a chain of vulnerabilities, including CVE-2025-61882 and a newly disclosed CVE-2025-61884, to gain unauthorized access to sensitive data and deploy various malware payloads such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. The Clop ransomware group has been linked to these attacks, using the vulnerabilities to breach networks, exfiltrate data, and extort victims. Oracle responded by releasing an emergency patch for CVE-2025-61884, which affects EBS versions 12.2.3 to 12.2.14, warning that the flaw could be exploited remotely by unauthenticated attackers to steal sensitive information. Security researchers from CrowdStrike observed that Clop had been exploiting CVE-2025-61882 as a zero-day since early August, and other threat groups may have joined the campaign. The vulnerabilities allow attackers to achieve remote code execution and information disclosure, posing a severe risk to organizations running affected EBS versions. Oracle strongly advised customers to apply the emergency updates or mitigations immediately to prevent further exploitation. The attacks have resulted in the exfiltration of large volumes of sensitive data, including financial documents, employee IDs, contracts, and internal reports, with some organizations facing significant operational disruptions and potential financial losses. The campaign demonstrates the increasing sophistication of ransomware and extortion groups, who are now chaining multiple vulnerabilities and targeting widely used enterprise platforms. Security experts have emphasized the importance of timely patching, robust monitoring, and incident response planning to mitigate the risks associated with zero-day exploitation. The incident also highlights the need for organizations to review their exposure to third-party software vulnerabilities and strengthen their supply chain security posture. Oracle's rapid release of emergency patches underscores the critical nature of the threat and the ongoing arms race between software vendors and cybercriminals. The exploitation of Oracle EBS zero-days is part of a broader trend of attackers targeting business-critical applications to maximize impact and leverage for extortion. Organizations are urged to remain vigilant, monitor for signs of compromise, and ensure that all security updates are applied without delay. The incident serves as a stark reminder of the persistent threat posed by advanced cybercriminal groups and the necessity of proactive cybersecurity measures in the face of evolving attack techniques.
Mar 21, 2026