Clop Ransomware Claims Oracle Breach Using E-Business Suite 0-Day

The notorious Clop ransomware gang, also known as Graceful Spider, has listed Oracle Corporation on its dark web leak site, claiming to have successfully breached the technology giant’s internal systems.

This alarming development represents a significant escalation in the group’s ongoing extortion campaign targeting a critical zero-day vulnerability in Oracle E-Business Suite (EBS), identified as CVE-2025-61882.

The Russian-linked threat actor, which has accumulated over 1,025 confirmed victims and extracted more than $500 million in ransom payments since 2019, now claims to have compromised Oracle alongside dozens of high-profile customers.

CVE ID: CVE-2025-61882
Affected Product: Oracle E-Business Suite (versions 12.2.3 – 12.2.14)
Vulnerability Type: Unauthenticated Remote Code Execution (RCE)
CVSS Score: 9.8 (Critical)
Exploit Vector: Authentication bypass via SyncServlet and XSLT injection

Critical Zero-Day Vulnerability Exploited at Scale

The attack leverages CVE-2025-61882, a critical unauthenticated remote code execution vulnerability affecting Oracle E-Business Suite versions 12.2.3 through 12.2.14, carrying a severe CVSS score of 9.8.

Security researchers discovered that Clop affiliates began actively exploiting this flaw as early as August 2025, approximately two months before Oracle released a security patch in October 2025.

The exploit chain specifically targets the OA_HTML/SyncServlet endpoint to bypass authentication mechanisms, then uses malicious XSLT template injection through OA_HTML/RF.jsp to execute arbitrary commands on compromised servers.

This vulnerability’s “pre-auth” nature allowed attackers to gain complete control over sensitive enterprise resource planning data without requiring valid credentials, making it particularly dangerous for organizations running unpatched EBS instances.
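As an added defensive example (not code from the article, from Oracle, or from the researchers cited), the following Python sketch hunts web-server access logs for the two-step request sequence described above: a hit on OA_HTML/SyncServlet followed shortly by a hit on OA_HTML/RF.jsp from the same source address. The log format, the five-minute correlation window and the sample lines are all assumptions constructed for illustration; the version range check mirrors the affected versions the article lists.

```python
import re
from datetime import datetime, timedelta

# Endpoints named in the public reporting on CVE-2025-61882.
SYNC_SERVLET = "/OA_HTML/SyncServlet"
RF_JSP = "/OA_HTML/RF.jsp"

# Constructed sample access-log lines in a combined-log-like format (not real telemetry).
# 203.0.113.7 shows the SyncServlet -> RF.jsp sequence; 198.51.100.9 only touches RF.jsp
# after a normal login page; 192.0.2.5 hits both but far outside the correlation window.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:03:14:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2025:03:14:03 +0000] "POST /OA_HTML/RF.jsp HTTP/1.1" 200 128
198.51.100.9 - - [12/Oct/2025:03:20:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048
198.51.100.9 - - [12/Oct/2025:03:21:10 +0000] "GET /OA_HTML/RF.jsp?lang=US HTTP/1.1" 200 128
192.0.2.5 - - [12/Oct/2025:01:00:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
192.0.2.5 - - [12/Oct/2025:03:30:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string so routing on the path alone is stable.
    return {"ip": m["ip"], "ts": ts, "path": m["path"].split("?")[0], "status": int(m["status"])}

def find_chain(log_text, window=timedelta(minutes=5)):
    """Return source IPs that requested SyncServlet and then RF.jsp within `window`."""
    first_sync = {}   # ip -> timestamp of its first SyncServlet request
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == SYNC_SERVLET:
            first_sync.setdefault(rec["ip"], rec["ts"])
        elif rec["path"] == RF_JSP and rec["ip"] in first_sync:
            if timedelta(0) <= rec["ts"] - first_sync[rec["ip"]] <= window:
                flagged.add(rec["ip"])
    return sorted(flagged)

def is_affected_version(version):
    """True if an EBS version string falls in the affected range 12.2.3 through 12.2.14."""
    parts = tuple(int(p) for p in version.split("."))
    return (12, 2, 3) <= parts <= (12, 2, 14)
```

Running find_chain over real logs would need the regex adapted to the local log format; the correlation window is a tuning knob, not a fixed property of the attack.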

Oracle E-Business Suite is widely deployed globally to manage critical business functions, including order management, procurement, and logistics, making it an attractive target for ransomware groups seeking rapid network penetration and the exfiltration of valuable data.

Evidence from Clop’s leak site shows a “PAGE CREATED” status for ORACLE.COM, alongside major organizations such as MAZDA.COM, HUMANA.COM, and the Washington Post.

The listing of Oracle Corporation itself suggests the vendor may have fallen victim to its own software vulnerability, potentially exposing sensitive internal corporate data and customer information.

Victims across multiple industries have reported receiving extortion emails from addresses such as support@pubstorm[.]com, threatening public release of financial records and personal data unless ransom demands are met.

Security analysts from THE RAVEN FILE uncovered 96 distinct IP addresses linked to the current exploitation campaign through SSL certificate fingerprint analysis.

Remarkably, researchers identified that 41 of the subnets used in the Oracle EBS attacks had previously been used during exploitation of the 2023 MOVEit vulnerability (CVE-2023-34362), demonstrating Clop’s strategic reuse of infrastructure.

The attack infrastructure shows a geographic distribution across Germany (16 addresses), Brazil (13), and Panama (12), though the underlying analysis reveals a concentrated use of Russian-based service providers.
