The Clop ransomware gang (Graceful Spider) exploited a critical zero-day vulnerability, CVE-2025-61882, in Oracle E-Business Suite (EBS), the enterprise resource planning system used for order management, procurement, and logistics. The flaw is an unauthenticated remote code execution (RCE) bug: attackers bypassed authentication through the **OA_HTML/SyncServlet** endpoint and injected malicious XSLT templates through **OA_HTML/RF.jsp**, which gave them full control over the ERP application and its data. Oracle itself was listed on Clop's dark web leak site, which suggests that internal corporate data, potentially including financial and employee records, was taken. The campaign reused infrastructure from Clop's earlier operations (notably the 2023 MOVEit exploitation), and victims received extortion emails demanding payment to prevent publication of the stolen data. A track record of over **1,025 victims** and **$500M+ in extorted funds** since 2019 shows how persistent the group is. For Oracle the breach threatens supply chain integrity, operational continuity, and reputation, with potential cascading effects on customers such as Mazda, Humana, and the Washington Post, which were listed as victims as well. EBS versions 12.2.3 through 12.2.14 are affected; Oracle's fix shipped in an October 2025 Security Alert, months after exploitation began.
Source: https://cyberpress.org/oracle-allegedly-breached-by-clop-ransomware/
Oracle cybersecurity rating report: https://www.rankiteo.com/company/oracle
{
  "id": "ORA4332743112125",
  "linkid": "oracle",
  "type": "Ransomware",
  "date": "6/2019",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Enterprise Software',
                        'location': 'United States',
                        'name': 'Oracle Corporation',
                        'size': 'Large (Multinational)',
                        'type': 'Technology Vendor'},
                       {'industry': 'Automotive', 'name': 'MAZDA.COM', 'type': 'Corporate'},
                       {'industry': 'Healthcare Insurance', 'name': 'HUMANA.COM', 'type': 'Corporate'},
                       {'industry': 'News/Publishing', 'name': 'Washington Post', 'type': 'Media'}],
 'attack_vector': ['Unauthenticated Remote Code Execution (RCE)',
                   'Authentication Bypass via SyncServlet',
                   'XSLT Injection via RF.jsp'],
 'data_breach': {'data_exfiltration': 'Confirmed (threatened release on dark web)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Financial Records', 'Personal Records', 'ERP Data']},
 'date_detected': '2025-06',
 'date_publicly_disclosed': '2025-10',
 'description': "The Clop ransomware gang (Graceful Spider) breached Oracle Corporation's internal systems by exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS). The unauthenticated remote code execution (RCE) flaw allowed attackers to bypass authentication via the OA_HTML/SyncServlet endpoint and inject malicious XSLT templates via OA_HTML/RF.jsp, granting full control over ERP data. The attack, part of a broader supply chain campaign, targeted Oracle and other major entities like Mazda, Humana, and the Washington Post. Clop listed Oracle on its dark web leak site, threatening to release financial and personal records unless ransom demands were met. Evidence links the attack infrastructure to prior MOVEit exploits (CVE-2023-34362), with 96 distinct IPs identified, primarily hosted on Russian-based providers.",
 'impact': {'brand_reputation_impact': 'High (public listing on dark web leak site)',
            'data_compromised': ['Financial Records', 'Personal Records', 'ERP Data'],
            'identity_theft_risk': 'High (personal records exposed)',
            'operational_impact': 'Potential disruption to order management, procurement, and logistics functions',
            'systems_affected': ['Oracle E-Business Suite (Versions 12.2.3–12.2.14)',
                                 'Internal Corporate Systems']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Threatened (extortion emails sent via support@pubstorm[.]com)',
                           'entry_point': 'OA_HTML/SyncServlet (Authentication Bypass) & OA_HTML/RF.jsp (XSLT Injection)',
                           'high_value_targets': ['Oracle E-Business Suite ERP Data',
                                                  'Financial Records',
                                                  'Personal Records'],
                           'reconnaissance_period': 'Observed as early as June 2025, active exploitation from August 2025'},
 'investigation_status': 'Ongoing (infrastructure analysis links to prior MOVEit attacks)',
 'motivation': ['Financial Gain', 'Data Extortion'],
 'post_incident_analysis': {'corrective_actions': ['Patch deployment (October 2025)',
                                                   'Infrastructure monitoring for 96 linked IPs (41 subnets reused from MOVEit)'],
                            'root_causes': ['Zero-Day Exploit (CVE-2025-61882)',
                                            'Delayed Patch Release (exploited for months pre-patch)',
                                            'Reused Attack Infrastructure from MOVEit (CVE-2023-34362)']},
 'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Clop'},
 'references': [{'source': 'THE RAVEN FILE Security Researchers'},
                {'source': 'Clop Ransomware Dark Web Leak Site'},
                {'source': 'Oracle Security Alert (October 2025)'}],
 'response': {'remediation_measures': ['Patch released in October 2025 Security Alert']},
 'threat_actor': 'Clop Ransomware Gang (Graceful Spider)',
 'title': 'Clop Ransomware Exploits Zero-Day CVE-2025-61882 in Oracle E-Business Suite',
 'type': ['Ransomware', 'Supply Chain Attack', 'Zero-Day Exploit', 'Data Breach'],
 'vulnerability_exploited': 'CVE-2025-61882 (Critical, CVSS 9.8)'}
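A hunting script for the exploitation chain described in the summary above and in the record's attack_vector, entry_point and systems_affected fields, added here as an example; it is not code from the source article, from Oracle, or from rankiteo. It assumes the EBS web tier writes Apache/OHS combined-format access logs (the sample lines are constructed, using documentation IP ranges), and the trusted-network list is a hypothetical placeholder. It flags external sources that touch both OA_HTML/SyncServlet and OA_HTML/RF.jsp, the bypass-then-inject sequence the reporting describes, and checks an EBS version string against the affected range 12.2.3 to 12.2.14 numerically, since a plain string comparison would wrongly sort 12.2.14 below 12.2.3.

```python
"""Hunt for the Oracle EBS exploitation chain described in the summary above.

Added example, not code from the source article, Oracle, or rankiteo.
Assumptions (not stated on the page): the EBS web tier writes Apache/OHS
combined-format access logs, the sample lines below are constructed, and the
trusted-network list is a hypothetical placeholder.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoints named in the reporting: SyncServlet (authentication bypass)
# and RF.jsp (XSLT template injection).
SUSPICIOUS_PATHS = frozenset({"/OA_HTML/SyncServlet", "/OA_HTML/RF.jsp"})

# Affected EBS versions per the record: 12.2.3 through 12.2.14 inclusive.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Apache/OHS combined log format (assumed), e.g.
# 203.0.113.7 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real IOCs).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2025:03:14:09 +0000] "POST /OA_HTML/RF.jsp?tag=x HTTP/1.1" 200 1024',
    '10.0.5.21 - - [12/Aug/2025:03:20:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Aug/2025:04:00:00 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
    'not a log line',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec


def is_affected_version(version):
    """True if an EBS version string falls in 12.2.3..12.2.14 (numeric compare)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def hunt(lines, trusted_nets):
    """Group hits on the two endpoints by external source IP.

    Returns (hits, chained): hits maps source IP -> list of (path, method, status);
    chained is the set of sources that touched BOTH endpoints, matching the
    bypass-then-inject sequence described in the reporting.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in SUSPICIOUS_PATHS:
            continue
        src = ipaddress.ip_address(rec["ip"])
        if any(src in n for n in nets):
            continue  # internal/administrative traffic is expected on these paths
        hits[rec["ip"]].append((rec["path"], rec["method"], rec["status"]))
    chained = {ip for ip, reqs in hits.items()
               if {p for p, _, _ in reqs} == SUSPICIOUS_PATHS}
    return dict(hits), chained


if __name__ == "__main__":
    hits, chained = hunt(SAMPLE_LOG, ["10.0.0.0/8"])
    for ip, reqs in hits.items():
        print(ip, reqs, "<-- bypass+inject chain" if ip in chained else "")
    for v in ("12.2.2", "12.2.3", "12.2.14", "12.2.15"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

A hit is a lead, not a confirmation: legitimate clients do reach these paths, so the trusted-network filter and the two-endpoint correlation are what keep the output short enough to triage. Timestamps are parsed but not ordered here; tightening the chain check to require the SyncServlet request before the RF.jsp request is a small extension once the log source's time format is known.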