Oracle E-Business Suite Zero-Day Exploited by Clop Ransomware Group
Clop ransomware group exploited a zero-day vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2025-61882, to compromise major organizations including Schneider Electric, Emerson, Harvard University, and others. The vulnerability allowed unauthenticated remote access to Oracle Concurrent Processing, enabling attackers to exfiltrate large volumes of sensitive data such as ERP records, financial documents, procurement workflows, and engineering files. Clop reportedly maintained access for months, exfiltrating 2.7 terabytes from Emerson and 116 gigabytes from Schneider Electric, with the breach going undetected by traditional monitoring tools.
Security experts warn that the impact extends beyond data theft, as attackers may leverage stolen information for extortion, supply chain exploitation, and credential harvesting. Oracle has released patches for CVE-2025-61882 and strongly urges all EBS customers to apply updates immediately. The campaign highlights the risks posed by trusted vendor dependencies and the potential for widespread disruption across critical infrastructure and operational technology supply chains. Attribution remains under investigation, with both Clop and the financially motivated FIN11 group suspected of involvement.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Clop leak site adds Emerson and Schneider Electric
Emerson and Schneider Electric were reported as additional victims in the Oracle EBS zero-day campaign, with Clop's leak site allegedly listing 2.7 TB of data tied to Emerson and 116 GB tied to Schneider Electric. Their inclusion marked an escalation because both companies are tied to critical infrastructure and operational technology supply chains.
Google links Oracle EBS attacks to possible FIN11 involvement
Google Threat Intelligence Group assessed that FIN11 may be involved in the Oracle EBS attacks, while stopping short of definitive attribution. The suspected link was based on the campaign's overlap with Clop-associated activity and FIN11's history of financially motivated intrusions.
FBI warns about unpatched internet-facing Oracle EBS systems
The FBI Cyber Division issued an urgent warning that unpatched, internet-facing Oracle E-Business Suite instances were at risk from the ongoing exploitation campaign. The warning emphasized the need for immediate remediation.
Oracle releases patches for CVE-2025-61882
Oracle released security patches for the Oracle E-Business Suite zero-day and urged customers to apply them immediately. The fixes were issued in response to active exploitation of the vulnerability.
Clop-linked campaign claims initial Oracle EBS victims
Organizations including Harvard University, Wits University, Envoy Air, Pan American Silver, and Cox Enterprises were identified as possible or confirmed victims in the Oracle EBS exploitation campaign. Some victim data was reportedly already leaked as the campaign expanded.
Oracle EBS zero-day CVE-2025-61882 is actively exploited
Attackers began exploiting the critical Oracle E-Business Suite vulnerability CVE-2025-61882, which allows unauthenticated remote code execution over HTTP against internet-facing EBS systems. The flaw affects Oracle Concurrent Processing and enables compromise, data theft, and extortion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Clop Ransomware Exploitation of Oracle E-Business Suite Zero-Day Vulnerability
Oracle disclosed a critical zero-day vulnerability, CVE-2025-61882, in its E-Business Suite that was actively exploited by the Clop ransomware group to conduct a widespread data theft and extortion campaign. The vulnerability, which affects Oracle E-Business Suite, was addressed in a security advisory released on a Saturday, with Oracle urging customers to apply the patch immediately to mitigate the risk of compromise. Federal cyber authorities and threat intelligence researchers expressed heightened concern following Oracle’s announcement, as the flaw had been exploited for at least eight weeks before some victims received extortion demands. The Clop group leveraged this zero-day, along with other vulnerabilities previously addressed in Oracle’s July security update, to gain unauthorized access to enterprise resource planning (ERP) systems. Once inside, the attackers exfiltrated sensitive data and subsequently targeted executives with spear-phishing emails containing ransom demands, threatening to leak or misuse the stolen information. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its known exploited vulnerabilities catalog, confirming its use in active ransomware campaigns. Oracle’s Chief Security Officer, Rob Duhart, updated customers via a blog post, providing indicators of compromise and emphasizing the urgency of patching. The FBI’s Cyber Division described the situation as an emergency, highlighting the critical role Oracle E-Business Suite plays in both public and private sector organizations and the high incentive for attackers to weaponize the vulnerability quickly. Security briefings noted that organizations running Oracle E-Business Suite were specifically targeted, with attackers using sophisticated spear-phishing tactics to maximize the impact of their extortion efforts. The campaign’s discovery has amplified concerns about the security of widely used ERP platforms and the increasing sophistication of ransomware groups like Clop. The incident underscores the importance of timely patch management and the need for organizations to monitor for indicators of compromise associated with this vulnerability. The attack has prompted a rapid response from both Oracle and federal agencies, with advisories and threat intelligence updates being disseminated to help organizations defend against ongoing exploitation. The event has also reignited discussions about the risks posed by zero-day vulnerabilities in critical business applications and the necessity for coordinated industry response. As the situation develops, organizations are advised to remain vigilant, apply all relevant security updates, and review their incident response plans to address potential data theft and extortion scenarios. The Clop group’s exploitation of this zero-day highlights the evolving tactics of ransomware actors and the persistent threat they pose to enterprise environments.
Mar 21, 2026
Oracle E-Business Suite Zero-Day Exploited for Remote Code Execution and Data Theft
Oracle E-Business Suite (EBS) was found to contain a critical zero-day vulnerability, tracked as CVE-2025-61884 and CVE-2025-61882, which allowed unauthenticated remote code execution and was actively exploited by threat actors, including the Clop ransomware group. The vulnerability, present in EBS versions 12.2.3 through 12.2.14, enabled attackers to access sensitive resources without authentication by exploiting a pre-authentication Server-Side Request Forgery (SSRF) flaw. Oracle released an out-of-band security update to address the issue, but did so without publicly acknowledging that the flaw was being actively exploited or that a proof-of-concept exploit had been leaked by the ShinyHunters extortion group. Security researchers and customers confirmed that the patch addressed the SSRF vulnerability used in the attacks. The exploit chain was complex, involving an unauthenticated HTTP POST to a specific servlet, manipulation of return_url parameters to trigger SSRF, CRLF/header injection, HTTP connection reuse, and ultimately the delivery of a malicious XSL stylesheet. This XSLT payload, containing embedded Java code, was processed by the server, leading to arbitrary code execution and the potential for attackers to spawn reverse shells. The Clop ransomware group sent extortion emails to Oracle EBS customers, claiming to have stolen sensitive data by exploiting this flaw, and confirmed their involvement in the campaign. The attack campaign was detected by Mandiant and Google, who observed that multiple threat actors were leveraging the vulnerability for data theft and extortion. The exploit chain demonstrated the risk of chaining multiple weaknesses in enterprise software to achieve full remote code execution. Security vendors, such as Imperva, responded by confirming protection for their customers against this exploit. The incident highlighted Oracle's lack of transparency regarding active exploitation and the public availability of exploit code. The technical details of the exploit, including SSRF, CRLF injection, and XSLT-based code execution, underscored the sophistication of the attack. The vulnerability's exploitation in the wild emphasized the importance of rapid patching and monitoring for signs of compromise in Oracle EBS environments. The campaign also illustrated the ongoing threat posed by ransomware and extortion groups targeting critical business applications. Organizations using Oracle EBS were urged to apply the security update immediately and review their systems for indicators of compromise. The incident raised concerns about the security of widely used enterprise resource planning (ERP) platforms and the need for proactive vulnerability management.
Mar 21, 2026
Critical Remote Code Execution Vulnerability in Oracle E-Business Suite Exploited by Clop Ransomware
Oracle E-Business Suite (EBS) was found to contain a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-61882, which has been actively exploited in the wild. The flaw resides in the Oracle Concurrent Processing component, specifically within the BI Publisher Integration, and carries a CVSS base score of 9.8 due to its unauthenticated and easily exploitable nature. Attackers can leverage this vulnerability to execute arbitrary code remotely without requiring valid credentials, posing a severe risk to organizations running affected EBS versions. Oracle confirmed that versions 12.2.3 through 12.2.14 are impacted by this vulnerability. The company released an emergency security update to address the issue, but customers must first apply the October 2023 Critical Patch Update before deploying the new fix. The vulnerability was exploited by the Clop ransomware group in a series of data theft attacks in August 2025, resulting in significant data exfiltration from multiple victims. Mandiant's CTO, Charles Carmakal, confirmed that Clop leveraged both this zero-day and other previously patched vulnerabilities in their campaign. Oracle's advisory included indicators of compromise that matched exploit details shared by threat actors on Telegram, highlighting the public availability of exploit information. The exploitation of this flaw underscores the importance of timely patch management, especially for business-critical applications like Oracle EBS. Oracle has urged all customers to prioritize the application of the latest patches to mitigate the risk of further exploitation. The incident demonstrates the increasing trend of ransomware groups targeting enterprise software vulnerabilities for large-scale data theft. Security researchers have emphasized the need for organizations to monitor for signs of compromise and to review their EBS deployments for unauthorized activity. The rapid release of a security alert and patch by Oracle reflects the urgency and severity of the threat posed by CVE-2025-61882. Organizations are advised to follow Oracle's remediation guidance closely and to remain vigilant for related threat activity. The incident has raised concerns about the security posture of widely used ERP platforms and the potential for future exploitation of similar vulnerabilities. The Clop attacks serve as a reminder that threat actors are adept at chaining multiple vulnerabilities to maximize impact. This event highlights the criticality of maintaining up-to-date security controls and monitoring for exploitation attempts targeting high-value enterprise systems.
Mar 21, 2026