Cl0p Zero-Day Hits Oracle E-Business Suite (CVE-2025-61882), Compromising Global Giants
Cl0p struck a blow against Oracle by exploiting a critical zero-day vulnerability in the E-Business Suite. Researchers report that attacks leveraging this flaw have been underway since July 2025, already compromising numerous major organizations across the globe.
News of the breach appeared on Cl0p’s darknet leak site on Thursday. The group published only a minimal dossier on the company — its address, phone number, website, industry, and annual revenue — accompanied by the customary taunt: “The company does not care about its customers. It ignored their security!!!” Yet only hours later, the post vanished. Its removal is widely interpreted as a sign that negotiations between Cl0p and Oracle may have begun.
The incident was first publicized by researcher Dominic Alvieri, who cited a screenshot captured by a Fujitsu UK analyst. He confirmed that the intrusion was carried out through the CVE-2025-61882 vulnerability, which enables unauthenticated remote code execution in E-Business Suite. According to Google, Cl0p combined several bugs into a single exploit chain to achieve unauthorized access to systems and data.
Oracle acknowledged the flaw only on October 2 — by which time many companies had already received ransom notes from Cl0p. According to affected organizations, these messages began with “Dear Director” and warned that confidential documents had been exfiltrated from their EBS systems. The attackers claimed to possess a substantial cache of corporate files and offered to “save” them in exchange for payment. The letters alluded to severe reputational consequences should the victims delay.
Compounding the crisis, Oracle’s initial patch did not fully remediate the vulnerability. A functioning fix arrived only six days later, by which point numerous customers had already been compromised.
Among the victims were prominent organizations such as the UK’s National Health Service (whose data was published), the insurer Humana, automaker Mazda (including its U.S. division), Phoenix University, Harvard University, Envoy Air, DXC Technology, and Chicago Public Schools — the fourth-largest school district in the country. The Washington Post also confirmed exposure and notified thousands of readers of potential personal-data leakage.
Oracle E-Business Suite is a widely deployed portfolio of enterprise applications for customer management, logistics, manufacturing, supply chains, and accounting. Its enormous global footprint makes it an especially lucrative target. By exploiting flaws such as CVE-2025-61882, Cl0p gained unauthenticated remote code execution on victims' EBS systems and siphoned sensitive data directly from corporate environments.
Cl0p has long established itself as one of the most formidable extortion groups, notorious for large-scale campaigns built on exploit chains involving multiple vulnerabilities. Last year, the group orchestrated the catastrophic MOVEit Transfer incident, which affected more than 2,600 organizations and nearly 90 million individuals. Before that, it weaponized flaws in Fortra GoAnywhere and Cleo.
Experts note that Cl0p operates with methodical precision, relentlessly pursuing maximum financial gain. The group delights in taunting its victims, posting jeering remarks and using reputational pressure as leverage. In Oracle’s case, it appears to have taken particular satisfaction in breaching a vendor through its own flagship product.