Cl0p Group Confirmed Behind Oracle E-Business Suite Zero-Day Attacks
The Cl0p ransomware group has been confirmed as the threat actor responsible for the recent wave of data theft and extortion attacks targeting organizations using Oracle E-Business Suite (EBS). Oracle has acknowledged that the attackers exploited a previously unknown zero-day vulnerability, adding to Cl0p’s growing record of large-scale campaigns involving critical enterprise software.
Background of the Campaign
Last week, researchers from Google Threat Intelligence Group (GTIG) and Mandiant reported that executives at numerous organizations had received extortion emails claiming that sensitive information had been stolen from their Oracle EBS environments.
Initially, the attacks appeared to originate from compromised accounts associated with FIN11, a long-running cybercrime group linked to Cl0p in past operations. GTIG and Mandiant have now confirmed that Cl0p is directly responsible for the campaign.
The attackers began exfiltrating data from Oracle EBS customers as early as August 2025, with extortion emails starting in late September, according to Charles Carmakal, Chief Technology Officer at Mandiant.
The Exploited Zero-Day Vulnerability
Oracle’s Chief Security Officer Rob Duhart confirmed that the hackers exploited a zero-day vulnerability, now tracked as CVE-2025-61882.
Severity: Critical (CVSS 9.8)
Impact: Remote Code Execution (unauthenticated attacker)
Affected Versions: Oracle E-Business Suite 12.2.3 through 12.2.14
Vulnerable Component: BI Publishing Integration within Oracle Concurrent Processing
The flaw allows attackers to remotely execute code on affected systems without authentication. Oracle has released security patches and indicators of compromise (IoCs) to help customers detect potential intrusions.
Mandiant further confirmed that Cl0p leveraged both the newly disclosed zero-day and vulnerabilities patched in July 2025 during the attacks.
Broader Implications
Cl0p’s tactics are consistent with its previous campaigns against MOVEit, Cleo, and Fortra GoAnywhere file transfer products—all of which involved zero-day exploitation to steal massive amounts of data.
Security researchers warn that other threat groups will likely repurpose these vulnerabilities now that they are public.
Carmakal cautioned,
“Given the broad mass zero-day exploitation that has already occurred, organizations should examine whether they were already compromised, regardless of when they apply the patch.”
There are also signs that the Scattered Spider and ShinyHunters groups—both recently claiming to have retired—may have participated or provided tooling, as they allegedly posted related EBS exploits on Telegram.
Conclusion
The Cl0p group’s exploitation of CVE-2025-61882 underscores the urgent need for proactive patch management, zero-day monitoring, and cloud infrastructure auditing. For organizations using Oracle E-Business Suite, immediate application of the provided patches and a comprehensive compromise assessment are essential to reduce exposure to future attacks.
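The affected-version range above and the advice to assess for compromise regardless of patch timing translate naturally into an inventory triage step. The following Python script is an added example written for this article; it is not Oracle's, Mandiant's or GTIG's tooling. The affected range (12.2.3 through 12.2.14) and the August 2025 start of exploitation come from the article; the hostnames, patch dates and the fixed "today" date are constructed for illustration. It parses version strings numerically (a naive string comparison would wrongly clear 12.2.14, since "12.2.14" sorts before "12.2.3"), and it flags every affected host for a compromise assessment, with unpatched hosts ranked first.

```python
"""Inventory triage for CVE-2025-61882 (Oracle E-Business Suite).

Added example for this article; it is not Oracle's, Mandiant's or GTIG's
tooling. The affected range (12.2.3 through 12.2.14) and the start of
exploitation (August 2025) come from the article. The inventory rows,
the reference date and the patch dates are constructed for illustration.
"""
from datetime import date

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)
EXPLOITATION_START = date(2025, 8, 1)  # "as early as August 2025"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.2.14' into (12, 2, 14) so the range check is numeric.

    Comparing raw strings is the classic mistake: '12.2.14' sorts before
    '12.2.3' lexicographically, so a string range check would wrongly
    clear the latest affected release.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))  # pad '12.2' to (12, 2, 0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version falls inside the affected range from the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(host: dict, today: date) -> dict:
    """Classify one inventory row and estimate its exposure window.

    Exploitation started before Oracle's fix shipped, so an affected host
    needs a compromise assessment whether or not it is patched now; patch
    status only decides whether patching is also still outstanding.
    """
    if not is_affected(host["version"]):
        return {"host": host["host"], "action": "not-affected", "exposure_days": 0}
    patched_on = host.get("patched_on")
    window_end = patched_on if patched_on else today
    exposure_days = max((window_end - EXPLOITATION_START).days, 0)
    action = "assess-for-compromise" if patched_on else "patch-and-assess"
    return {"host": host["host"], "action": action, "exposure_days": exposure_days}


def triage_inventory(inventory: list[dict], today: date) -> list[dict]:
    """Triage every row; unpatched affected hosts first, then by exposure."""
    rows = [triage(h, today) for h in inventory]
    order = {"patch-and-assess": 0, "assess-for-compromise": 1, "not-affected": 2}
    return sorted(rows, key=lambda r: (order[r["action"]], -r["exposure_days"]))


# Constructed sample inventory: hostnames, versions and dates are made up.
SAMPLE_INVENTORY = [
    {"host": "ebs-prod-01", "version": "12.2.14", "patched_on": None},
    {"host": "ebs-prod-02", "version": "12.2.3", "patched_on": date(2025, 10, 6)},
    {"host": "ebs-dev-01", "version": "12.2.2", "patched_on": None},
    {"host": "ebs-legacy-01", "version": "12.1.3", "patched_on": None},
]
REFERENCE_DATE = date(2025, 10, 7)  # constructed "today" so runs are repeatable

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY, REFERENCE_DATE):
        print(f"{row['host']:<14} {row['action']:<22} exposure={row['exposure_days']}d")
```

In practice the inventory rows would come from a CMDB export or from querying each instance's applied-patch level; the point of the script is the ordering it produces: an affected host that was patched after the exploitation window opened is still an assessment candidate, not a closed item, and the exposure-day count gives a rough way to prioritise which environments to examine against Oracle's published IoCs first.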