Extortion campaign targeting Oracle E-Business Suite customers linked to zero-day


An email-based extortion campaign targeting Oracle E-Business Suite customers since early last week is now linked to a zero-day vulnerability, security researchers warned Sunday.

The campaign, run by hackers linked to the Clop ransomware group, has targeted executives at companies that use E-Business Suite since last Monday. Oracle, in a blog post released on Friday, urged customers to apply a critical patch update that was originally released in July.

Oracle also released guidance on the zero-day and warned that the vulnerability can be exploited remotely without authentication.

On Sunday, researchers at Mandiant warned that the campaign also involved a zero-day vulnerability tracked as CVE-2025-61882. The flaw, which carries a CVSS severity score of 9.8, can allow an unauthenticated attacker to take over the Oracle Concurrent Processing component of Oracle E-Business Suite.

Mandiant cooperated with Oracle security researchers to investigate the attacks. 

Clop previously exploited multiple vulnerabilities in Oracle E-Business Suite in August, allowing it to steal large amounts of data from several organizations that use the software, according to Charles Carmakal, CTO of Mandiant Consulting, a unit of Google Cloud.

Researchers at security firm watchTowr said the attack chains together multiple vulnerabilities that were fixed in the July critical patch update with the recently disclosed zero-day, which means that applying the July update alone does not close the chain.

“At first glance, it looked reasonably complex and required real effort to reproduce manually,” said Jake Knott, principal security researcher at watchTowr. “But now, with working exploit code leaked, that barrier to entry is gone.”

Clop is considered one of the most prolific ransomware groups in the world. The group was linked to the 2023 mass exploitation of flaws in MOVEit file transfer software and, more recently, to the exploitation of vulnerabilities in Cleo file transfer software.

Researchers at watchTowr said they expect to see multiple groups jump into the fray now that the exploit code is available. 
