The Cl0p extortion gang exploited multiple Oracle E-Business Suite (EBS) vulnerabilities, including one zero-day flaw (CVE-2025-61882), “to steal large amounts of data from several victim[s] in August 2025,” Charles Carmakal, CTO at Mandiant – Google Cloud, stated on Sunday.
“Clop has been sending extortion emails to several victims since last Monday. However, please note they may not have attempted to reach out to all victims yet,” he added.
The extortion email (Source: Mandiant)
About CVE-2025-61882
Oracle CSO Rob Duhart initially intimated that the compromises happened because some customers did not apply the security patches Oracle released in July 2025.
On Saturday, the company updated the post and removed that text, and the post now says that Oracle has issued a Security Alert Advisory for CVE-2025-61882, “to provide updates against additional potential exploitation that were discovered during [their] investigation.”
CVE-2025-61882’s nature hasn’t been specified, but Oracle says it affects the BI Publisher Integration component of Oracle Concurrent Processing within Oracle E-Business Suite. (Oracle Concurrent Processing is a core component of Oracle EBS that manages the execution of background tasks.)
CVE-2025-61882 is easily exploitable by unauthenticated attackers with network access via HTTP, and may lead to remote code execution. It affects Oracle E-Business Suite versions 12.2.3 through (and including) 12.2.14.
Oracle EBS customers should check for evidence of compromise
While Google initially said it didn’t have enough evidence to confirm that the extortion emails sent to business executives came from Clop (or Cl0p, as the gang styles its name), the connection is now confirmed.
“Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” Carmakal advised.
Oracle’s security advisory lists IP addresses, files and commands observed in the attacks, which can be used for threat detection and hunting.
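As an added illustration of how such advisory indicators get used in a hunt (this is example code written for this page, not Oracle's or Mandiant's, and none of the indicator values are real), the script below matches web-server access log lines against placeholder IP addresses, network ranges and file names standing in for the advisory's lists, and checks whether an EBS version string falls in the affected 12.2.3 through 12.2.14 range the article reports. The log lines, indicators and paths are all constructed; substitute the values from Oracle's Security Alert Advisory before running it against real logs.

```python
"""
Hunt for advisory indicators in access logs and check an EBS version range.

Added example, not code from the article, Oracle or Mandiant. Every indicator
below is a CONSTRUCTED placeholder (TEST-NET addresses, made-up file names);
replace them with the IP addresses, files and commands from Oracle's
Security Alert Advisory for CVE-2025-61882.
"""
import ipaddress
import re
from typing import Iterable

# --- constructed placeholder indicators (substitute the advisory's real ones) ---
IOC_IPS = {"203.0.113.10", "198.51.100.7"}            # placeholders, not real attacker IPs
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder range
IOC_FILENAMES = {"placeholder_exploit.zip", "placeholder_stage.py"}  # placeholders

# EBS versions the article reports as affected: 12.2.3 through 12.2.14 inclusive.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def version_is_affected(version: str) -> bool:
    """True if an EBS version string falls inside the 12.2.3..12.2.14 range."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return False  # unparseable version string: report not affected, do not guess
    parts = (parts + (0, 0, 0))[:3]  # normalise "12.2" to (12, 2, 0)
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def ip_is_indicator(ip: str) -> bool:
    """Match exact indicator addresses and any indicator network ranges."""
    if ip in IOC_IPS:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def hunt(lines: Iterable[str]) -> list[dict]:
    """Return one finding per log line that matches an indicator, with reasons."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        reasons = []
        if ip_is_indicator(m["ip"]):
            reasons.append(f"source IP {m['ip']} is an advisory indicator")
        # Compare the final path segment (query string removed) to indicator file names.
        basename = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if basename in IOC_FILENAMES:
            reasons.append(f"request references indicator file {basename}")
        if reasons:
            findings.append({"line": n, "ip": m["ip"], "path": m["path"], "reasons": reasons})
    return findings


# Constructed sample log lines (not real traffic; paths are placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Oct/2025:09:14:02 +0000] "GET /app/login HTTP/1.1" 200 512',
    '203.0.113.10 - - [06/Oct/2025:09:15:11 +0000] "POST /app/upload HTTP/1.1" 200 88',
    '192.0.2.77 - - [06/Oct/2025:09:16:40 +0000] "GET /app/placeholder_exploit.zip HTTP/1.1" 404 0',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("12.2.10 affected:", version_is_affected("12.2.10"))
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Matching on exact file names and addresses is deliberately narrow: it produces few false positives but will miss an actor who renames a script or rotates infrastructure, so a hit here is a starting point for a fuller review of the host, not a clean bill of health when nothing matches.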
Among the indicators of compromise are Python scripts and an archive file whose names reference “Scattered Lapsus$ Hunters”, a threat group that ostensibly encompasses members of the Scattered Spider, Lapsus$, and ShinyHunters hacking outfits.
According to BleepingComputer, Scattered Lapsus$ Hunters leaked the archive file, which contains the Python exploit scripts, on Telegram last Friday, but whether Cl0p and Scattered Lapsus$ Hunters are working together on these or other attacks is unclear at this time.
On Sunday, a security researcher published a Nuclei script for detecting Oracle E-Business Suite instances that are vulnerable to CVE-2025-61882.