Oracle EBS Extortion Campaign: What happened and what organizations should know

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

A large extortion campaign targeting customers of Oracle E-Business Suite (EBS) has led cybercriminals to publicly name nearly 30 alleged victims and to publish exfiltrated data for many of them. The operation began in late September with high-volume extortion emails sent to executives and appears to involve a FIN11-linked cluster using the Cl0p/Clop brand as the public-facing actor. Several early-named organizations—including Harvard University, Wits University (South Africa), and Envoy Air (American Airlines subsidiary)—have since confirmed they were impacted.
Attack pattern and observed activity
According to public reporting and available samples, attackers used Oracle EBS vulnerabilities to access customer instances and steal files. Extortion emails then pressured victims to pay. In many cases the criminal group posted links to large archives of allegedly stolen files—ranging from gigabytes to multiple terabytes—on leak sites. Structural analysis of leaked file trees indicates the material likely originated from Oracle environments.
Who’s been named (and confirmation status)
Twenty-nine organizations have been listed on the leak site to date. A handful have publicly confirmed impact; most have not issued statements, which may reflect ongoing investigations, legal considerations, or business decisions to avoid public disclosure. Some alleged victims named on the leak site include organizations across industrial, technology, financial, transportation, energy, manufacturing, and education sectors.
Vulnerabilities and timeline
Investigators consider two EBS flaws likely exploited in this campaign: CVE-2025-61882 and CVE-2025-61884. Both are described as remotely exploitable issues that can expose sensitive data without authentication or user interaction. Evidence indicates at least one of these (CVE-2025-61882) may have been used in the wild as a zero-day prior to vendor patches, giving attackers a head start on large-scale exploitation.
Data sensitivity and caveats
While large volumes of data have been published, the sensitivity and operational impact vary by victim. Adversaries sometimes name parent companies even when a subsidiary or single instance was affected—so scope and severity can differ. Historical patterns also show threat actors occasionally exaggerate the sensitivity of stolen records to increase pressure.
Practical advice for organizations
Immediate patching: Ensure Oracle EBS patches for the identified CVEs are applied.
Incident triage: Conduct full forensic reviews of exposed EBS instances and associated accounts.
Validate backups and integrity: Confirm backups are isolated and intact.
Credential hygiene: Rotate service and privileged credentials; enable multi-factor authentication where possible.
Monitor leakage: Search leak sites and external repositories for organization-related artifacts and IoCs.
Legal & notification: Coordinate legal counsel and regulatory reporting as required.
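Turning the steps above into a repeatable triage, as an added example that is not the article's or Oracle's code: it ranks a constructed EBS inventory by patch gap and by how long each instance was reachable after exploitation began, and flags that a patch applied after the activity window opened still calls for forensic review and credential rotation. Hostnames, patch dates and the 25 September activity-start date are assumptions; only the two CVE identifiers come from the article.

```python
# Added example, not Cyber Syrup's or Oracle's code; only the CVE ids come from the article.
from dataclasses import dataclass, field
from datetime import date

CAMPAIGN_CVES = ("CVE-2025-61882", "CVE-2025-61884")
# Assumption: the article says activity began in "late September"; pick a conservative start.
ASSUMED_ACTIVITY_START = date(2025, 9, 25)
TODAY = date(2025, 10, 20)  # constructed "now" so the sample output is reproducible

@dataclass
class EbsInstance:
    host: str
    internet_exposed: bool
    patched: dict = field(default_factory=dict)  # CVE -> date the fix was applied

def triage(inst, activity_start=ASSUMED_ACTIVITY_START, today=None):
    """Return patch gaps, exposure window and defender actions for one instance."""
    today = today or date.today()
    missing = [c for c in CAMPAIGN_CVES if inst.patched.get(c) is None]
    done = [inst.patched[c] for c in CAMPAIGN_CVES if inst.patched.get(c)]
    window_end = today if missing else max(done)  # exposed until every campaign CVE is fixed
    exposed_days = max(0, (window_end - activity_start).days)
    actions = []
    if missing:
        actions.append("apply patches for " + ", ".join(missing))
    if exposed_days:
        # A fix applied after exploitation began does not rule out an earlier
        # compromise (the article notes CVE-2025-61882 was likely used as a zero-day).
        actions.append(f"forensic review ({exposed_days} days inside activity window)")
        actions.append("rotate service and privileged credentials")
    priority = 1 if inst.internet_exposed and actions else 2 if actions else 3
    return {"host": inst.host, "priority": priority, "missing": missing,
            "exposed_days": exposed_days, "actions": actions}

def triage_inventory(instances, **kw):
    """Order an inventory so the riskiest instance comes first."""
    rows = [triage(i, **kw) for i in instances]
    return sorted(rows, key=lambda r: (r["priority"], -r["exposed_days"]))

SAMPLE = [  # constructed inventory; dates and hosts are not from the article
    EbsInstance("ebs-prod-01", True, {"CVE-2025-61882": date(2025, 10, 6),
                                      "CVE-2025-61884": date(2025, 10, 14)}),
    EbsInstance("ebs-prod-02", True, {"CVE-2025-61882": date(2025, 10, 6)}),
    EbsInstance("ebs-dev-03", False, {c: date(2025, 9, 20) for c in CAMPAIGN_CVES}),
    EbsInstance("ebs-intl-04", False),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE, today=TODAY):
        print(f"P{row['priority']} {row['host']}: {'; '.join(row['actions']) or 'no action'}")
```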
Bottom line
This campaign demonstrates the high impact of vulnerabilities in widely used enterprise systems. Rapid patching, aggressive detection and response, and transparent coordination across legal, technical, and communications teams are essential for limiting damage and restoring trust after such incidents.

