Cl0p Ransomware Group Exploits Oracle E-Business Suite Zero-Day for Data Theft and Extortion
The Cl0p ransomware group orchestrated a significant cyber extortion campaign by exploiting multiple vulnerabilities in Oracle E-Business Suite (EBS), including a previously unknown zero-day flaw tracked as CVE-2025-61882. According to reports, Cl0p leveraged these vulnerabilities to gain unauthorized access to EBS environments and exfiltrate large volumes of sensitive data from several organizations in August 2025. Security researchers, including Charles Carmakal, CTO at Mandiant, and CrowdStrike, confirmed that the attacks began on August 9, 2025, and were part of a coordinated effort targeting Oracle EBS customers. The attackers used the zero-day vulnerability to bypass security controls and escalate privileges within the affected systems, enabling them to steal confidential business information and customer data. The stolen data was then used as leverage in extortion attempts, with Cl0p threatening to publicly release or sell the information unless ransom demands were met. The campaign demonstrated a high level of sophistication, as Cl0p combined the exploitation of the zero-day with other known vulnerabilities to maximize their access and impact. Security advisories highlighted the critical nature of CVE-2025-61882, urging organizations to apply patches and implement additional security measures to protect their Oracle EBS deployments. The incident underscored the ongoing threat posed by ransomware groups exploiting enterprise software vulnerabilities, particularly those that remain unpatched or are not widely known. Oracle customers were advised to review their security posture, monitor for signs of compromise, and engage in threat hunting activities to detect potential intrusions. The attacks also prompted discussions about the importance of timely vulnerability disclosure and patch management in reducing the risk of large-scale data breaches. Industry experts noted that the Cl0p campaign was part of a broader trend of ransomware actors targeting business-critical applications to maximize extortion pressure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the Oracle EBS zero-day to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of remediation. Organizations impacted by the breach faced significant operational and reputational risks, as well as potential regulatory consequences due to the exposure of sensitive data. The incident served as a stark reminder for enterprises to prioritize the security of their ERP systems and to stay vigilant against evolving ransomware tactics. Security vendors and incident response teams collaborated to share indicators of compromise and mitigation strategies, aiming to limit the spread and impact of the Cl0p campaign. The exploitation of Oracle EBS by Cl0p highlighted the persistent threat of zero-day attacks and the need for robust, layered defenses in enterprise environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Story first reported
Initial story creation
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cl0p Ransomware Group Exploits Oracle E-Business Suite Zero-Day for Data Theft
Threat actors associated with the Cl0p ransomware group have exploited a critical zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, to facilitate large-scale data theft attacks. The flaw, which carries a CVSS score of 9.8, allows unauthenticated attackers with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component. According to Mandiant CTO Charles Carmakal, Cl0p exploited multiple vulnerabilities in Oracle EBS, including those patched in Oracle's July 2025 update and the newly addressed CVE-2025-61882, to steal significant amounts of data from several organizations in August 2025. The attacks highlight the persistent threat posed by ransomware groups leveraging both known and unknown vulnerabilities to breach enterprise systems. Oracle responded by releasing a patch for CVE-2025-61882, but the incident underscores the importance of timely patch management, as some exploited vulnerabilities had been addressed in previous updates. The exploitation campaign demonstrates Cl0p's technical sophistication and ability to chain multiple vulnerabilities for maximum impact. Victims of these attacks faced the risk of sensitive data exfiltration, with the potential for extortion or public leaks. The incident has raised concerns about the security of widely deployed enterprise resource planning (ERP) platforms, especially those exposed to the internet. Security experts recommend organizations using Oracle EBS urgently apply all relevant patches and review their exposure to internet-facing components. The attacks also serve as a warning about the increasing trend of ransomware groups targeting business-critical applications rather than just endpoints. The campaign has prompted renewed calls for organizations to enhance monitoring, implement network segmentation, and restrict unnecessary external access to ERP systems. The Cl0p group's activity in this case is part of a broader pattern of ransomware operators exploiting high-impact vulnerabilities for data theft and extortion. The incident has been widely discussed in the cybersecurity community as a case study in the risks of delayed patching and the evolving tactics of financially motivated threat actors. Organizations are urged to coordinate with their security vendors and incident response teams to assess potential exposure and strengthen their defenses against similar attacks. The Oracle EBS zero-day exploitation by Cl0p is a stark reminder of the need for continuous vulnerability management and proactive threat intelligence sharing across the industry.
Mar 21, 2026
Oracle E-Business Suite Zero-Day Exploited by Cl0p in Mass Extortion Campaign
Cl0p ransomware operators launched a widespread extortion campaign targeting Oracle E-Business Suite (EBS) customers by exploiting a previously unknown zero-day vulnerability, later assigned CVE-2024-61882. The campaign began as early as July or August, with Google's threat intelligence team tracking the exploitation weeks before Oracle became aware of the issue. Attackers leveraged the vulnerability to gain unauthorized access to EBS environments, deploying sophisticated multi-stage Java-based implants such as GOLDVEIN, SAGEGIFT, and SAGEWAVE. These implants operated entirely in memory, making detection difficult, and communicated with command-and-control servers using traffic disguised as legitimate TLS handshakes. The payloads were stored directly in the EBS database, and attackers used compromised third-party email services to facilitate their operations. Once data was exfiltrated, Cl0p initiated mass extortion by sending emails to executives, threatening to release stolen information unless a ransom was paid. The attack pattern mirrored previous Cl0p campaigns, notably the MOVEit mass exploitation, indicating a strategic focus on widely used enterprise applications. Oracle responded by releasing emergency patches on October 4th, but by that time, many organizations had already suffered breaches and data theft. The campaign highlighted the risks associated with delayed vulnerability disclosure and patching in critical business applications. Security researchers emphasized the technical sophistication of the implants, which were designed to evade traditional endpoint detection and response (EDR) solutions. The incident underscored the importance of proactive threat intelligence and rapid patch management for organizations relying on Oracle EBS. Industry observers noted that the campaign's scale and impact were significant, with numerous enterprises affected globally. The use of in-memory implants and stealthy C2 communications represented an evolution in Cl0p's tactics, making incident response and forensic analysis more challenging. The attack also raised concerns about the security of third-party integrations and the broader supply chain within enterprise environments. Oracle's emergency response included not only patches but also guidance for detecting signs of compromise and mitigating further risk. The event served as a stark reminder of the persistent threat posed by ransomware groups targeting high-value enterprise software platforms. Organizations were urged to review their security posture, monitor for unusual activity in EBS environments, and apply patches without delay. The campaign's exposure prompted renewed calls for improved collaboration between software vendors, threat intelligence teams, and end users to reduce the window of opportunity for attackers.
Mar 21, 2026
Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day Vulnerability
Cl0p ransomware operators exploited a previously unknown zero-day vulnerability in Oracle E-Business Suite (EBS), enabling unauthorized access to the networks of major organizations, including Cox Enterprises. The attackers leveraged this flaw between August 9-14, 2025, to steal sensitive data before Oracle released a patch on October 5. Cox Enterprises detected the breach in late September and subsequently notified affected individuals after confirming that personal data had been exposed. The Cl0p group later published the stolen information on their dark web extortion portal, listing Cox among 29 new victims. This campaign is part of a broader wave of attacks by Cl0p, which has a history of targeting widely used enterprise platforms through zero-day vulnerabilities. Other high-profile victims in this Oracle EBS campaign include Michelin, Canon, Mazda, Estée Lauder, Broadcom, and even Oracle itself. The group’s tactics mirror previous operations against MOVEit Transfer, GoAnywhere MFT, and Cleo file transfer tools, involving data theft followed by public leaks and extortion attempts. The scale and rapid escalation of the Oracle EBS campaign highlight the ongoing threat posed by Cl0p’s exploitation of critical enterprise software vulnerabilities.
Mar 21, 2026