Oracle Corporation

The Clop ransomware gang (Graceful Spider) breached Oracle Corporation by exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), an unauthenticated remote code execution (RCE) flaw with a CVSS score of 9.8. The attack bypassed authentication via the **SyncServlet** endpoint and injected malicious XSLT templates through **RF.jsp**, granting full control over enterprise systems. Oracle’s internal data and customer information were exposed, with Clop listing the company on its dark web leak site under a 'PAGE CREATED' status. The breach aligns with Clop’s broader campaign targeting high-profile victims (e.g., Mazda, Humana, Washington Post) via extortion emails threatening public data leaks unless ransoms are paid. The attack leveraged reused infrastructure from prior exploits (e.g., 2023 MOVEit vulnerability), with 96 distinct IPs tied to Russian-linked service providers. The incident underscores the severe risk posed by unpatched EBS instances, which manage critical functions like procurement, logistics, and financial records globally.

Source: https://gbhackers.com/clop-ransomware-claims-oracle-breach-using-e-business-suite-0-day/

Oracle cybersecurity rating report: https://www.rankiteo.com/company/oracle

{
  "id": "ORA5233252112125",
  "linkid": "oracle",
  "type": "Ransomware",
  "date": "6/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'customers_affected': 'Potentially high (internal systems + customers using EBS)',
                        'industry': 'Enterprise Software',
                        'location': 'Global (HQ: Redwood City, California, USA)',
                        'name': 'Oracle Corporation',
                        'size': 'Large (Multinational)',
                        'type': 'Technology Vendor'},
                       {'industry': 'Automotive',
                        'location': 'Global',
                        'name': 'Mazda',
                        'type': 'Corporation'},
                       {'industry': 'Healthcare Insurance',
                        'location': 'USA',
                        'name': 'Humana',
                        'type': 'Corporation'},
                       {'industry': 'News/Publishing',
                        'location': 'USA',
                        'name': 'The Washington Post',
                        'type': 'Media Organization'}],
 'attack_vector': ['Unauthenticated Remote Code Execution (RCE)',
                   'Authentication Bypass via SyncServlet',
                   'XSLT Injection via RF.jsp'],
 'customer_advisories': ['Extortion emails sent to victims via support@pubstorm[.]com'],
 'data_breach': {'data_exfiltration': 'Claimed by Clop (evidenced by dark web leak site listing)',
                 'personally_identifiable_information': 'Likely (based on extortion threats)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Corporate Internal Data',
                                              'Customer Information',
                                              'Financial Records',
                                              'Personal Data']},
 'date_detected': '2025-08',
 'description': 'The Clop ransomware gang (Graceful Spider) claimed to have breached Oracle Corporation’s internal systems by exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS). The unauthenticated remote code execution (RCE) flaw, with a CVSS score of 9.8, was actively exploited since August 2025, two months before Oracle released a patch in October 2025. The attack leveraged the OA_HTML/SyncServlet endpoint for authentication bypass and malicious XSLT injection via OA_HTML/RF.jsp. Clop listed Oracle and high-profile customers (e.g., Mazda, Humana, Washington Post) on its dark web leak site, threatening data exposure unless ransom demands were met. Evidence suggests Oracle may have been compromised via its own unpatched EBS software, risking exposure of internal corporate and customer data.',
 'impact': {'brand_reputation_impact': ['High (public listing on dark web leak site)'],
            'data_compromised': ['Internal Corporate Data',
                                 'Customer Information',
                                 'Financial Records',
                                 'Personal Data'],
            'identity_theft_risk': ['High (PII exposure risk)'],
            'operational_impact': ['Potential disruption to order management, procurement, and logistics'],
            'systems_affected': ['Oracle E-Business Suite (EBS) Servers',
                                 'Enterprise Resource Planning (ERP) Systems']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Listed on Clop’s leak site (ORACLE.COM, MAZDA.COM, etc.)',
                           'entry_point': ['Oracle E-Business Suite (EBS) SyncServlet endpoint'],
                           'high_value_targets': ['ERP data (order management, procurement, logistics)',
                                                  'Customer databases'],
                           'reconnaissance_period': 'Likely conducted prior to August 2025 (exploitation start date)'},
 'investigation_status': 'Ongoing (Clop’s claims under verification; Oracle’s internal investigation likely)',
 'motivation': ['Financial Gain', 'Data Extortion', 'Reputation Damage'],
 'post_incident_analysis': {'root_causes': ['Unpatched zero-day vulnerability (CVE-2025-61882) in Oracle EBS',
                                            'Lack of pre-authentication protections for SyncServlet endpoint',
                                            'Reuse of attack infrastructure from prior campaigns (e.g., MOVEit CVE-2023-34362)']},
 'ransomware': {'data_exfiltration': 'Confirmed (threatened public release)',
                'ransomware_strain': 'Clop'},
 'recommendations': ['Immediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14',
                     'Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com)',
                     'Enhance authentication mechanisms for OA_HTML endpoints',
                     'Segment networks to limit lateral movement',
                     'Implement behavioral analysis for XSLT injection attempts'],
 'references': [{'source': 'THE RAVEN FILE (Security Research)'},
                {'source': 'Clop Dark Web Leak Site'},
                {'source': 'Oracle Security Advisory (CVE-2025-61882)'}],
 'response': {'remediation_measures': ['Oracle released patch in October 2025'],
              'third_party_assistance': ['Security researchers (THE RAVEN FILE)']},
 'threat_actor': {'associated_infrastructure': {'geographic_distribution': [{'country': 'Germany', 'ip_count': 16},
                                                                            {'country': 'Brazil', 'ip_count': 13},
                                                                            {'country': 'Panama', 'ip_count': 12}],
                                                'ip_addresses': 96,
                                                'reused_ips_from_moveit': 41,
                                                'service_providers': ['Russian-based']},
                  'confirmed_victims': 1025,
                  'name': ['Clop Ransomware Gang', 'Graceful Spider'],
                  'origin': 'Russian-linked',
                  'ransom_extracted': '$500 million (since 2019)'},
 'title': 'Clop Ransomware Gang Exploits Zero-Day Vulnerability in Oracle E-Business Suite (CVE-2025-61882)',
 'type': ['Ransomware Attack', 'Zero-Day Exploitation', 'Data Breach'],
 'vulnerability_exploited': {'affected_product': 'Oracle E-Business Suite (Versions 12.2.3 – 12.2.14)',
                             'cve_id': 'CVE-2025-61882',
                             'cvss_score': 9.8,
                             'exploit_vector': ['Authentication Bypass',
                                                'XSLT Injection'],
                             'patch_status': 'Patched in October 2025 (exploited since August 2025)',
                             'vulnerability_type': 'Unauthenticated Remote Code Execution (RCE)'}}