Oracle E-Business Suite Zero-Day Exploited in Cl0p Attacks


The recent data theft and extortion campaign targeting Oracle E-Business Suite customers has been confirmed to be the work of the notorious Cl0p ransomware group, and Oracle has admitted that the hackers have exploited a zero-day vulnerability.

The attacks targeting Oracle E-Business Suite (EBS) customers came to light last week, when Google Threat Intelligence Group (GTIG) and Mandiant warned that executives at many organizations using the enterprise resource planning product received extortion emails.

The emails, apparently coming from the Cl0p group, informed recipients that sensitive data had been stolen from their Oracle EBS instance and urged them to get in touch with the cybercriminals.

GTIG and Mandiant researchers, who found that the emails were coming from compromised accounts previously associated with the FIN11 cybercrime group, initially could not confirm that Cl0p was behind the attacks. However, the researchers have now confirmed that Cl0p is indeed responsible.

This is not surprising considering that Cl0p previously conducted several similar campaigns, including ones targeting the Cleo, MOVEit Transfer, and Fortra GoAnywhere MFT file transfer products through the exploitation of zero-day vulnerabilities, each following the same pattern of mass data theft followed by extortion emails rather than file encryption.

Charles Carmakal, CTO of Mandiant, explained that the hackers stole data from EBS customers in August and started sending out extortion emails in late September. 

While Oracle initially said the recent EBS data theft campaign involved exploitation of unspecified vulnerabilities patched in July, on Saturday the software giant’s CSO, Rob Duhart, confirmed that a zero-day has also been leveraged by the attackers.

The zero-day flaw is tracked as CVE-2025-61882 and it can be exploited for remote code execution by an unauthenticated attacker: Oracle's alert states that it can be exploited over the network via HTTP without a username or password.


The vulnerability, which impacts Oracle E-Business Suite versions 12.2.3 through 12.2.14, has been assigned a ‘critical’ severity rating with a CVSS 3.1 base score of 9.8. The security hole affects the BI Publisher Integration component of Oracle Concurrent Processing.

Oracle has released patches and shared indicators of compromise (IoCs) that customers can use to hunt for signs of exploitation in their environments. Because the data theft predates the patch, patching alone does not answer the question of whether an instance was already accessed.

Mandiant has confirmed that the Cl0p attacks exploited vulnerabilities patched in the July Critical Patch Update alongside CVE-2025-61882, which means organizations need both the July fixes and the new patch to close the paths used in this campaign.

Other threat actors are now expected to add the vulnerabilities exploited in this campaign to their arsenal.

“Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” Carmakal warned.
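As an added illustration of the compromise check Oracle's IoCs and Carmakal's warning call for (this is example code written for this page, not code from Oracle, Mandiant or the article), the following Python scanner parses Apache-style access-log lines of the kind produced by the EBS front-end web tier and reports requests whose client address falls in an indicator list. The indicator networks, the scan window and the log lines are constructed placeholders drawn from the RFC 5737 documentation ranges; a practitioner would substitute the addresses and dates from Oracle's advisory and their own patch timeline.

```python
"""IoC sweep over Apache-style access logs (added example; the indicator
values and log lines below are constructed placeholders, not Oracle's IoCs)."""
import ipaddress
import re
from datetime import datetime, timezone

# Placeholder indicator networks from the RFC 5737 documentation ranges.
# Replace with the addresses listed in Oracle's advisory; CIDR and /32 both work.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Assumed scan window: the article places the theft in August, so look back
# at least to the July patch date. Adjust to your own environment.
SCAN_START = datetime(2025, 7, 1, tzinfo=timezone.utc)

# Combined log format: client ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log lines (not real traffic); paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/sample.jsp HTTP/1.1" 200 512 "-" "python-requests/2.32"
192.0.2.44 - - [12/Aug/2025:03:15:22 +0000] "GET /OA_HTML/sample.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Jun/2025:11:00:00 +0000] "GET / HTTP/1.1" 302 0 "-" "curl/8.4"
not a log line at all
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache timestamps carry a numeric UTC offset, so the result is timezone-aware.
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def ip_matches(client, networks):
    """True when the client string is a valid IP inside any indicator network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # malformed or hostname-logged client: cannot match a network
    return any(addr in net for net in networks)


def sweep(lines, networks=IOC_NETWORKS, window_start=None):
    """Return parsed records whose client falls in an indicator network.

    Unparseable lines are skipped; if window_start (timezone-aware) is given,
    entries before it are ignored so the sweep can be bounded to the exposure window.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if window_start is not None and rec["time"] < window_start:
            continue
        if ip_matches(rec["client"], networks):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG, window_start=SCAN_START):
        print(h["time"].isoformat(), h["client"], h["method"], h["path"], h["status"])
```

If the EBS web tier sits behind a load balancer, the client field will hold the balancer's address; in that case match against the X-Forwarded-For value the web server has been configured to log instead. Network indicators age quickly once other actors pick up the exploit, so treat a clean sweep as one data point alongside Oracle's file and command indicators, not as proof of non-compromise.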

The cybercrime groups Scattered Spider and ShinyHunters, which recently announced their retirement but continue to be active, might also be involved in the Oracle attack. The hackers created a new Telegram channel and posted what appear to be the EBS exploits used in the attack.





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.