The **Clop ransomware gang** exploited a **critical zero-day vulnerability (CVE-2025-61882)** in **Oracle E-Business Suite (EBS)**, specifically within the **BI Publisher Integration component**, to conduct **data theft attacks** since at least **August 2025**. The flaw allowed **unauthenticated remote code execution (RCE)** via a single HTTP request, enabling attackers to steal **sensitive corporate documents** from unpatched systems. Oracle patched the vulnerability in early October 2025, but not before Clop launched an **extortion campaign**, emailing executives at multiple victim organizations to demand ransoms in exchange for not leaking the stolen data. The attack leveraged a **vulnerability chain** exposed by leaked proof-of-concept (PoC) exploits from the **Scattered Lapsus$ Hunters** group, increasing the risk of further exploitation by other threat actors. Clop's campaign mirrors its past high-profile breaches, including **MOVEit Transfer (2,770+ organizations affected)**, **Accellion FTA**, and **GoAnywhere MFT**, reinforcing its reputation for **large-scale data theft via zero-days**. Oracle urged immediate patching, warning that **internet-exposed EBS applications** remain prime targets. The U.S. State Department has even offered a **$10 million reward** for intelligence linking Clop to foreign state sponsorship, underscoring the attack's severity.
TPRM report: https://www.rankiteo.com/company/oracle
"id": "ora1692116100725",
"linkid": "oracle",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': ['Global (targeting internet-exposed EBS '
'applications)'],
'name': 'Multiple Organizations Using Oracle '
'E-Business Suite',
'type': ['Corporations', 'Enterprises']}],
'attack_vector': ['Unauthenticated Remote Code Execution (RCE)',
'HTTP Request Exploitation',
'Email-Based Extortion'],
'customer_advisories': ['Extortion Emails from Clop to Executives'],
'data_breach': {'data_exfiltration': ['Confirmed (by Clop for extortion)'],
'personally_identifiable_information': ['Possible (not '
'explicitly '
'confirmed)'],
'sensitivity_of_data': ['High (confidential business '
'documents)'],
'type_of_data_compromised': ['Sensitive Corporate Documents',
'Potentially PII']},
'date_detected': '2025-08-09',
'date_publicly_disclosed': '2025-10-03',
'description': 'The Clop ransomware gang has been exploiting a critical '
'Oracle E-Business Suite (EBS) zero-day bug (CVE-2025-61882) '
'in data theft attacks since at least early August 2025. The '
'vulnerability, patched by Oracle in early October 2025, '
'resides in the BI Publisher Integration component of Oracle '
"EBS's Concurrent Processing, allowing unauthenticated remote "
'code execution (RCE) via a single HTTP request. Clop has been '
'using this flaw to steal sensitive documents and extort '
'victims via email campaigns. Other threat actors, including '
'GRACEFUL SPIDER, may also be involved. Oracle has urged '
'customers to patch immediately, as the public disclosure of '
'the PoC exploit is expected to escalate attacks.',
'impact': {'brand_reputation_impact': ['High (due to extortion and potential '
'data leaks)'],
'data_compromised': ['Sensitive Documents',
'Potentially PII or Corporate Data'],
'identity_theft_risk': ['Potential (if PII was stolen)'],
'systems_affected': ['Oracle E-Business Suite (EBS) with unpatched '
'BI Publisher Integration']},
'initial_access_broker': {'data_sold_on_dark_web': ['Not confirmed (Clop '
'typically leaks data if '
'ransom unpaid)'],
'entry_point': ['CVE-2025-61882 (Oracle EBS BI '
'Publisher)'],
'high_value_targets': ['Sensitive Corporate '
'Documents'],
'reconnaissance_period': ['Potentially since early '
'August 2025 (zero-day '
'exploitation)']},
'investigation_status': 'Ongoing (CrowdStrike, Mandiant, GTIG)',
'lessons_learned': ['Zero-day vulnerabilities in enterprise software like '
'Oracle EBS are high-value targets for ransomware groups.',
'Public PoC disclosures accelerate exploitation by '
'multiple threat actors.',
'Proactive patching and exposure management are critical '
'for mitigating RCE risks.'],
'motivation': ['Financial Gain (Extortion)', 'Data Theft for Leverage'],
'post_incident_analysis': {'corrective_actions': ['Apply Oracle’s security '
'patch for CVE-2025-61882.',
'Implement network '
'segmentation for EBS '
'environments.',
'Deploy behavioral '
'detection for RCE attempts '
'(e.g., CrowdStrike '
'Falcon).',
'Conduct threat hunting for '
'signs of Clop or GRACEFUL '
'SPIDER activity.'],
'root_causes': ['Unpatched Oracle EBS '
'vulnerability (CVE-2025-61882)',
'Internet-exposed EBS applications '
'without authentication safeguards',
'Delayed patching despite active '
'exploitation']},
'ransomware': {'data_encryption': ['No (data theft-only campaign)'],
'data_exfiltration': ['Yes'],
'ransom_demanded': ['Undisclosed (extortion emails sent to '
'executives)'],
'ransomware_strain': ['Clop']},
'recommendations': ['Immediately patch CVE-2025-61882 in Oracle E-Business '
'Suite environments.',
'Restrict internet exposure of EBS applications and '
'enforce authentication controls.',
'Monitor for signs of data exfiltration, especially via '
'BI Publisher components.',
'Prepare for extortion attempts if using Oracle EBS, '
'given Clop’s history of targeting such vulnerabilities.',
'Engage threat intelligence services (e.g., CrowdStrike, '
'Mandiant) for proactive detection.'],
'references': [{'date_accessed': '2025-10-07', 'source': 'CrowdStrike Blog'},
{'date_accessed': '2025-10-06',
'source': 'BleepingComputer Article'},
{'date_accessed': '2025-10-05',
'source': 'Oracle Security Alert (CVE-2025-61882)'},
{'date_accessed': '2025-05-01',
'source': 'watchTowr Labs (PoC Analysis)'},
{'source': 'U.S. State Department Reward Program'}],
'regulatory_compliance': {'regulatory_notifications': ['Oracle Customer '
'Advisory '
'(non-regulatory)']},
'response': {'communication_strategy': ['Oracle Customer Advisory',
'Public Disclosure of PoC Risks'],
'containment_measures': ['Patching CVE-2025-61882',
'Disabling Exposed EBS Components'],
'enhanced_monitoring': ['Recommended for Oracle EBS '
'Environments'],
'incident_response_plan_activated': ['Oracle Security Alert '
'(Urgent Patching '
'Advisory)'],
'third_party_assistance': ['CrowdStrike (Detection and Analysis)',
'Mandiant (Investigation)',
'Google Threat Intelligence Group '
'(GTIG)']},
'stakeholder_advisories': ['Oracle Urgent Patching Advisory',
'CrowdStrike Threat Assessment'],
'threat_actor': ['Clop Ransomware Gang',
'GRACEFUL SPIDER (moderate confidence)'],
'title': 'Clop Ransomware Exploits Oracle E-Business Suite Zero-Day '
'(CVE-2025-61882) in Data Theft Attacks',
'type': ['Data Theft', 'Ransomware Extortion', 'Zero-Day Exploitation'],
'vulnerability_exploited': 'CVE-2025-61882 (Oracle E-Business Suite BI '
'Publisher Integration Component)'}